Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546915
MD5:	938163b1c71b86d749cc0b79c28d09da
SHA1:	f961699dcf2e03ef54000cc708150bddb1cc238e
SHA256:	c6f46bf3136bd0715c46d4f754133535ec7b34eeeccab5c51649670f7982d7ef
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 938163B1C71B86D749CC0B79C28D09DA)

taskkill.exe (PID: 7344 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7484 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7540 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7604 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7668 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7732 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7768 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7988 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2104 -prefMapHandle 2072 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060f3b44-7a9e-4fd0-86fa-81f240170137} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec1406eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20230927232528 -prefsHandle 4184 -prefMapHandle 4072 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aed0bda-8726-46e7-8fa9-e811e3e6a8dd} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec238b9910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7432 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8a9153-fef6-4864-8611-95578e74777b} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec2ce31110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7328	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T17:50:42.881807+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	49736	TCP
2024-11-01T17:50:57.019712+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	61977	TCP
2024-11-01T17:50:58.529473+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	61987	TCP

Code function: 0_2_00D2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D2ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00D2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D1AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D49576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_270215cb-3
Source: file.exe, 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2c105dd5-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_88ad187d-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_33091265-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024443FE72F7 NtQuerySystemInformation,		17_2_0000024443FE72F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000244445A2AF2 NtQuerySystemInformation,		17_2_00000244445A2AF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D1D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D1E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D22046	0_2_00D22046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB8060	0_2_00CB8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D18298	0_2_00D18298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEE4FF	0_2_00CEE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE676B	0_2_00CE676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D44873	0_2_00D44873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCAF0	0_2_00CBCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDCAA0	0_2_00CDCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCCC39	0_2_00CCCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE6DD9	0_2_00CE6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB91C0	0_2_00CB91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCB119	0_2_00CCB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1394	0_2_00CD1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1706	0_2_00CD1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD781B	0_2_00CD781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD19B0	0_2_00CD19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC997D	0_2_00CC997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB7920	0_2_00CB7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD7A4A	0_2_00CD7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD7CA7	0_2_00CD7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1C77	0_2_00CD1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9EEE	0_2_00CE9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3BE44	0_2_00D3BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1F32	0_2_00CD1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024443FE72F7	17_2_0000024443FE72F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000244445A2AF2	17_2_00000244445A2AF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000244445A321C	17_2_00000244445A321C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000244445A2B32	17_2_00000244445A2B32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CCF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CD0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CB9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D237B5 GetLastError,FormatMessageW,

0_2_00D237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D110BF AdjustTokenPrivileges,CloseHandle,		0_2_00D110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D1D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D2648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CB42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147789874.000001EC2CF8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176941731.000001EC2CF8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2181257025.000001EC2E4BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234447961.000001EC21261000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225345296.000001EC2FFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2104 -prefMapHandle 2072 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060f3b44-7a9e-4fd0-86fa-81f240170137} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec1406eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20230927232528 -prefsHandle 4184 -prefMapHandle 4072 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aed0bda-8726-46e7-8fa9-e811e3e6a8dd} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec238b9910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8a9153-fef6-4864-8611-95578e74777b} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec2ce31110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2104 -prefMapHandle 2072 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060f3b44-7a9e-4fd0-86fa-81f240170137} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec1406eb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20230927232528 -prefsHandle 4184 -prefMapHandle 4072 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aed0bda-8726-46e7-8fa9-e811e3e6a8dd} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec238b9910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8a9153-fef6-4864-8611-95578e74777b} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec2ce31110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2138240034.000001EC23DDB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2137850277.000001EC30209000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000E.00000003.2139765065.000001EC30209000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2137850277.000001EC30209000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2138651214.000001EC30209000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2138240034.000001EC23DDB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000E.00000003.2139765065.000001EC30209000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2138651214.000001EC30209000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD0A76 push ecx; ret		0_2_00CD0A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5C92 push 00000043h; iretd		0_2_00CB5C94

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CCF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D41C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97374

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000024443FE72F7 rdtsc

17_2_0000024443FE72F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe TID: 7332	Thread sleep count: 104 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7332	Thread sleep count: 149 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D1DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC2A2 FindFirstFileExW,	0_2_00CEC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D268EE FindFirstFileW,FindClose,	0_2_00D268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D2698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D1D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D1D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D29642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D2979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D29B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D25C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D25C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: firefox.exe, 00000010.00000002.3882157084.000001A14D100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxDp
Source: firefox.exe, 00000011.00000002.3876964220.0000024443CCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000010.00000002.3882157084.000001A14D100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3881249923.0000024444490000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3876844801.000001C07F86A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3881350727.000001A14D012000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3880784125.000001C07FD00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~
Source: firefox.exe, 00000010.00000002.3877923365.000001A14CAEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3882157084.000001A14D100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3881249923.0000024444490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000024443FE72F7 rdtsc

17_2_0000024443FE72F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2EAA2 BlockInput,

0_2_00D2EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CE2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00CD4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D10B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CE2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD09D5 SetUnhandledExceptionFilter,	0_2_00CD09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CD0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00D11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CF2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1B226 SendInput,keybd_event,

0_2_00D1B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00D10B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D11663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2133017242.000001EC23DCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD0698 cpuid

0_2_00CD0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D28195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D28195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0D27A GetUserNameW,

0_2_00D0D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CEB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00CEB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D31204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://profiler.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.18.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3878572976.000001C07FCC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2198927937.000001EC25FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2218564141.000001EC2E349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189924980.000001EC2E348000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3878976329.000001A14CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3878661801.00000244440E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3880972010.000001C07FE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3878572976.000001C07FC8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2201589753.000001EC25B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228567810.000001EC25B1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2072819051.000001EC25467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212924044.000001EC259D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2080519593.000001EC2BCBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2147345319.000001EC2D307000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084836059.000001EC2C09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181842432.000001EC2C09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079487571.000001EC2C09A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2235082676.000001EC201B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2146413757.000001EC2D366000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226293408.000001EC27468000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2048201344.000001EC2428A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047479227.000001EC24238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047342713.000001EC2421D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047939979.000001EC24253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2048073130.000001EC2426F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047183531.000001EC24000000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2200187517.000001EC25CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2203654436.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144666717.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249573740.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180888823.000001EC2FF8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2183564494.000001EC2BC17000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnoredA	firefox.exe, 0000000E.00000003.2144944202.000001EC2E79B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2183791113.000001EC2BBF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047183531.000001EC24000000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2233978802.000001EC21293000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2252903988.000001EC2741D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2047479227.000001EC24238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047342713.000001EC2421D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047939979.000001EC24253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2048073130.000001EC2426F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2047183531.000001EC24000000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2209105248.000001EC265F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2201432938.000001EC25B25000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2201589753.000001EC25B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228567810.000001EC25B1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2225492559.000001EC2E3E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2084836059.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2232642479.000001EC212DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236899130.000001EC201B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2235082676.000001EC201B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2146909149.000001EC2D325000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2144944202.000001EC2E79B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2177237283.000001EC1FE7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3878661801.0000024444003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3878572976.000001C07FC0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2121067135.000001EC25772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2214250519.000001EC259AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2212924044.000001EC259D3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2249926233.000001EC2E385000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251502686.000001EC2E387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218346290.000001EC2E373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189924980.000001EC2E36D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3878572976.000001C07FCC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2230433930.000001EC23F54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2121067135.000001EC25772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2091393904.000001EC25E38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2189924980.000001EC2E36D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2200187517.000001EC25CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2146413757.000001EC2D37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2201235116.000001EC25B9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3878976329.000001A14CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3878661801.00000244440E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3880972010.000001C07FE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/__MSG_searchUrlGetParams__requestStorageAccessUnderSiteupdateSessionStoreFo	firefox.exe, 0000000E.00000003.2072819051.000001EC25467000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3878976329.000001A14CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3878661801.00000244440E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3880972010.000001C07FE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2144944202.000001EC2E79B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2080519593.000001EC2BCBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3878661801.0000024444012000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3878572976.000001C07FC13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2212924044.000001EC259D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000011.00000002.3878007344.0000024443FA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2146413757.000001EC2D37A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2183564494.000001EC2BC17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2251844858.000001EC2C0C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181842432.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079487571.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084836059.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220059481.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2233036256.000001EC212C0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000E.00000003.2144944202.000001EC2E79B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2080519593.000001EC2BCC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183564494.000001EC2BC17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156175383.000001EC2BA4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198505763.000001EC2BC1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185030998.000001EC2739C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184721938.000001EC273F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252680344.000001EC2BC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193079243.000001EC27310000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089771719.000001EC25E28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080245081.000001EC2BD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080655753.000001EC2BBF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197096672.000001EC246A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2148286628.000001EC2BC57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152686871.000001EC25EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC265E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081516601.000001EC2BAB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188516924.000001EC2600B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183791113.000001EC2BBF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2086010585.000001EC25FCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2053966737.000001EC24913000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162715982.000001EC25E2B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2252903988.000001EC2741D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2252903988.000001EC2741D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2148286628.000001EC2BC57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2148286628.000001EC2BC57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2148286628.000001EC2BC57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2251844858.000001EC2C0C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181842432.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079487571.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084836059.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220059481.000001EC2C0BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2084836059.000001EC2C050000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2072819051.000001EC25467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183324500.000001EC2C04C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2232642479.000001EC212D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2157446621.000001EC21473000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2219491595.000001EC2CFC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147681581.000001EC2CFA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3878237505.000001A14CB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3877753028.0000024443F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3878331124.000001C07FB70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	youtube.com	United States	15169	GOOGLEUS	false
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546915
Start date and time:	2024-11-01 17:49:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@71/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 52.11.191.138, 35.160.212.113, 142.250.185.202, 216.58.206.74, 2.22.61.59, 2.22.61.56, 142.250.184.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7784 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://myabd.co.uk/main/arull.php?7080797967704b53693230746450544d6f737a6b6a4e533076544b7972566438774a38394d4841413d3d#EMAILBASE64#	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://u47872954.ct.sendgrid.net/ls/click?upn=u001.fn1BsYIkFXRWxBLF12AvXhKUqktmOI7EPkchHYpa8lb2yJr9vm47Biq1iwhYH4x0W6E6_1tlZTUgFpToOJRvXeJjZ1lQQtiPaV281MW3UjMlmRxOXQrHf3E28Ct8cWw3pFJv8ww35QVlHVAsV9LrE8WJ-2FqWVvVFyUxLS7XbjE4ioBaNzI7Y9AQvglzmjEqljOvLuB-2FqyLAOnwfIZ8a2UOhb0kq4DsltFbCSVl8L5tTVcXPovhejZuw7J5gFYEuhvfLU6jp9IiI6bOp4vutoVple794Svog7VmNTHCQykEIajsBwvsIA9xBhrTaUhPe3riTZOj5RQVgP8LolzHF5ds6ImaI4Q1KNsmEF06CineSoPu7BKGd-2B4IINKzojAY3yUTkdWQLuCwDcmh7vK-2Fm4MQ0xAiPJ-2BNim16FZPVrX44e4DFM1rc1r1ZYN2APdeEIThalu0Ag-2BNzl5TCF9-2F-2B4cIgV-2B8ceF573hvcKOOmdD1jbxRbFryn-2FGT77SPyR6cNo7joqYajHU5-2F1gyPof24NnmOIwvhn7qKr0Ihz3SIWFLubPXV0GdcG6guT-2FBjwN6h83YPSF-2F5Pk0uzrf9DG4ZRnISsjJaazqmdBRAAsyoWwP5iXWDQEfiJXubX9fD-2BREtQifDIoI36c8qvCy5hrOP9aAfzd2djtg-2B8gR7MvgWYCa5sA7wAgdCKrrNRjX7eeAtG5StCtmRi-2BsSO4PCFgsA4QlR8AVRyhdPdKhSYzgA-2F1BCyYmRsFeWn4YzRn0mexGeZM3PwhHAdqlfom16LJGSiVeG98p5ZK5N-2BZQuMTlINorxwlmSmaGarY5x7TUyztB-2Bv8L8gRhXdcDKSzxiMknwYCjp3XaQdwr-2Fp8kePQSl33tJvX1ITAiP7FBhlwoPgNxbRoTwVzl0I2Q2bE71pQB2jeSQldBukVcgJT-2BrmpKQA1GW5-2B59frk-3D	Get hash	malicious	Unknown	Browse	151.101.65.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/mario.caligiuri@edmontonpolice.ca	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/naimestyles.com%2Frtwo%2Fn%2FNUaX8EOAfixpQMTfRAnHcKww/eGlzaEBub3ZvenltZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://woobox.com/sf4hxr	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNOWh47xHSpNswH5B20hFc1rkwm1HkocouB6puE-2FnM91Ea9xIyldie1eyHQvDQGF6-2F1OUGSCOg8K-2Fk8REDXGncryLNWAkNll9tI4svh29XngoJuJcvPHIwWw07juA1Lr687mlf_LZJN6rqeZVHTY7vi7TysfnSOWUsKUPL2t2FWuf1mHJZyRrnfnXk5in-2FtsLaVkEL4z-2F5H1v5rdZCMtKV4-2B7XswPaXSOX44YEil-2BgQ6f1-2BLxpcwnoVslshbeFD8-2FSkDYUL5gsTS7cnhi8iHs4T9b6wzPIbVlUAEwQAwoGeUFJH5x3RAGtspzpDyRWDwHNrMMOluLHeocJQAj7iS1dnS-2B-2Fhpf21Fjpr9lUosnkGJYIkfG0KNsjglBmf2yQvwZsg0Wp706kciqJgB5pqtemV1qFgZLIL2K-2BsyRLGqv3bbeqv6LWX-2Fbn97e4q8h4LdJzfXKTxRJD2tMgj2k7Ls1BdPjLturPdeJvpG2db-2FhwENpXetZR7k21gPz6in5zk7zhcmgIkZssf1WUkdDcjfwIeY2HuQe6EHwacpAnjlFSG7cGBDYbRKnbjWz72QvhesvDQrxGZA-2F-2FwuD5CryGFeRAazVMLU-2FTUgYuXTJzCzL6qav9lYxCC-2Bwx97sSjci4FffUtDhPcIZfKCP-2Ff9rufbc-2FOdTD6VLIHU5lNW4k8Nb-2FWedSu8kS9RXhRxjWAbV4qYK-2F68HLgFHbzOrm6M-2FG6a-2BnVs9TkK9ei8xVDo6cAhkQYCxDYOCBJJC-2BfLWulZgQ85hdg59312Kv6zX2g11nE5GRn-2B6U-2B2tuv67vEmY8CUatMt7UrQHEhVlrPnXi1EamUHW4AGpMQfKBj0GXRdJxG0fD3Zx-2FiIXcDEoi3GhoWLQTKZU-2FWlBKJiyqDLjDXS6qRg1X-2Fsd3R5k7fswdpYLTizSHt12T6-2Bo0IoKg0cyJsPKBfoK9Uleu7f9wgtdH4RtvaMbk9-2Buqhl6zW9NHZET-2BbGJHqyqlBeTSBtTZM6ltHEDZrojb0Lhszq-2BKoSCsuyjzgKAFmmWSRMGxwsXoHHuV8LoFEZjuiOSkTWEP-2FvQ0ZaWfqnp81VXTEktfVY9Xmx-2FaHq5NRH3vqpZc6LNkkSHnpJBPIYA83Mw-3D-3D	Get hash	malicious	Unknown	Browse	34.160.78.217
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNrXNM8F2aafYGXvb9twEoQeHC7ZwjccAi1SjLazzmL714x6k-2BjB-2FYwt496nNWzarkpA5xghtVvgqYssmknAftbQJOVkiDX5sql0puMOlG6Ca2eid008YPu-2FJJAayp-2BNXls84A_lhEpvcamcm95WhC017PRgRonrgi5omZ3brQwNa5yLk0xxDl3uLY9zV0ZhBwsp9AfIBgWj8srFe156S5Zns8ZjIc0B22GBm-2FhZ3msRvLKzUyGIuCFlA1E-2FK-2F4jc3IgU8qM5k5KxMmIwIRDSCQDvTZvmwB5zeTeqWWEJR7CvWSpeaqIj3hj5IgcRcoPBdptLYrUK3YLUsGuU0Nn50M3ArOROvseGYqZul0QkeqtDR41-2FsPFt-2Bw0YWW2P5gsCDH4XINxncIhICPIqlacC1ih-2B-2BRAhsouCrf5nolEyzWx0VnR2OrLuGwvR4-2BmBTgXGq5SQJ3CbNvM-2FaB5BLerpFqmqjPC-2FBlK6th1iVrhfmtBEFKLash-2FnkPpQ9qFxGwWTexJMh100AS4PilK2-2BJDfvjssuxk2jP-2BTagNOazV2F1Jk9Mugr3y7E9SivEGWyUbzdMThmnpVydb1qOFwMiocztErv1WWaB8B20Oa2SLt-2BLBsMdusfLwd3NNzPre6el-2F-2BIwBxDAqBb9JLV6vOLzfaD2L4-2BEuPbgzcrscVtaCNyARGoPUKi03imhTbJEcig8L4weEiABND5vwKtA-2FhKo5AjxecXMO22Vq7Og2y7v-2BJNgFB9rr-2Bm4W45XZxFP39Dqi18SUPOKX4pHFrdACciPinuj2QtBtIGNjV46-2Bve9hu0g1-2FpG1tOVv9Ebn32k-2Bl6CF6b6jzS3aTQvZkWKNIwLx5CoGs9uomn9yZPi6QaiSTeQkZ1uHupSYpVxbBCb-2FUyo6kMlbB0P27ShEzUFVY-2FpfPcfFofTKD4p7rklaM-2FIuG8-2F3ytR7SJ7I8GmSP8NTWs4vu3NTpV5MkgHfjeFoK-2BDQh6M7S2ys2qIf8m3qiLtFMHY6p7m4ep8JZqbC0axloFSX-2Fzbz51ZW-2BsyQEEbRqwx0S1i4lo9NhRXrfXOvn0A83bBDk31g9QfoWTGhHCjSEfuca9KJwe0GCABYAuqYeYHMc5qXhPv86r0l0ldRpwe39V9LJ5m6Go-3D	Get hash	malicious	Unknown	Browse	34.160.78.217
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNOWh47xHSpNswH5B20hFc1rkwm1HkocouB6puE-2FnM91Ea9xIyldie1eyHQvDQGF6-2F1OUGSCOg8K-2Fk8REDXGncryLNWAkNll9tI4svh29XngoJuJcvPHIwWw07juA1Lr687mlf_LZJN6rqeZVHTY7vi7TysfnSOWUsKUPL2t2FWuf1mHJZyRrnfnXk5in-2FtsLaVkEL4z-2F5H1v5rdZCMtKV4-2B7XswPaXSOX44YEil-2BgQ6f1-2BLxpcwnoVslshbeFD8-2FSkDYUL5gsTS7cnhi8iHs4T9b6wzPIbVlUAEwQAwoGeUFJH5x3RAGtspzpDyRWDwHNrMMOluLHeocJQAj7iS1dnS-2B-2Fhpf21Fjpr9lUosnkGJYIkfG0KNsjglBmf2yQvwZsg0Wp706kciqJgB5pqtemV1qFgZLIL2K-2BsyRLGqv3bbeqv6LWX-2Fbn97e4q8h4LdJzfXKTxRJD2tMgj2k7Ls1BdPjLturPdeJvpG2db-2FhwENpXetZR7k21gPz6in5zk7zhcmgIkZssf1WUkdDcjfwIeY2HuQe6EHwacpAnjlFSG7cGBDYbRKnbjWz72QvhesvDQrxGZA-2F-2FwuD5CryGFeRAazVMLU-2FTUgYuXTJzCzL6qav9lYxCC-2Bwx97sSjci4FffUtDhPcIZfKCP-2Ff9rufbc-2FOdTD6VLIHU5lNW4k8Nb-2FWedSu8kS9RXhRxjWAbV4qYK-2F68HLgFHbzOrm6M-2FG6a-2BnVs9TkK9ei8xVDo6cAhkQYCxDYOCBJJC-2BfLWulZgQ85hdg59312Kv6zX2g11nE5GRn-2B6U-2B2tuv67vEmY8CUatMt7UrQHEhVlrPnXi1EamUHW4AGpMQfKBj0GXRdJxG0fD3Zx-2FiIXcDEoi3GhoWLQTKZU-2FWlBKJiyqDLjDXS6qRg1X-2Fsd3R5k7fswdpYLTizSHt12T6-2Bo0IoKg0cyJsPKBfoK9Uleu7f9wgtdH4RtvaMbk9-2Buqhl6zW9NHZET-2BbGJHqyqlBeTSBtTZM6ltHEDZrojb0Lhszq-2BKoSCsuyjzgKAFmmWSRMGxwsXoHHuV8LoFEZjuiOSkTWEP-2FvQ0ZaWfqnp81VXTEktfVY9Xmx-2FaHq5NRH3vqpZc6LNkkSHnpJBPIYA83Mw-3D-3D	Get hash	malicious	Unknown	Browse	34.160.78.217
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNrXNM8F2aafYGXvb9twEoQeHC7ZwjccAi1SjLazzmL714x6k-2BjB-2FYwt496nNWzarkpA5xghtVvgqYssmknAftbQJOVkiDX5sql0puMOlG6Ca2eid008YPu-2FJJAayp-2BNXls84A_lhEpvcamcm95WhC017PRgRonrgi5omZ3brQwNa5yLk0xxDl3uLY9zV0ZhBwsp9AfIBgWj8srFe156S5Zns8ZjIc0B22GBm-2FhZ3msRvLKzUyGIuCFlA1E-2FK-2F4jc3IgU8qM5k5KxMmIwIRDSCQDvTZvmwB5zeTeqWWEJR7CvWSpeaqIj3hj5IgcRcoPBdptLYrUK3YLUsGuU0Nn50M3ArOROvseGYqZul0QkeqtDR41-2FsPFt-2Bw0YWW2P5gsCDH4XINxncIhICPIqlacC1ih-2B-2BRAhsouCrf5nolEyzWx0VnR2OrLuGwvR4-2BmBTgXGq5SQJ3CbNvM-2FaB5BLerpFqmqjPC-2FBlK6th1iVrhfmtBEFKLash-2FnkPpQ9qFxGwWTexJMh100AS4PilK2-2BJDfvjssuxk2jP-2BTagNOazV2F1Jk9Mugr3y7E9SivEGWyUbzdMThmnpVydb1qOFwMiocztErv1WWaB8B20Oa2SLt-2BLBsMdusfLwd3NNzPre6el-2F-2BIwBxDAqBb9JLV6vOLzfaD2L4-2BEuPbgzcrscVtaCNyARGoPUKi03imhTbJEcig8L4weEiABND5vwKtA-2FhKo5AjxecXMO22Vq7Og2y7v-2BJNgFB9rr-2Bm4W45XZxFP39Dqi18SUPOKX4pHFrdACciPinuj2QtBtIGNjV46-2Bve9hu0g1-2FpG1tOVv9Ebn32k-2Bl6CF6b6jzS3aTQvZkWKNIwLx5CoGs9uomn9yZPi6QaiSTeQkZ1uHupSYpVxbBCb-2FUyo6kMlbB0P27ShEzUFVY-2FpfPcfFofTKD4p7rklaM-2FIuG8-2F3ytR7SJ7I8GmSP8NTWs4vu3NTpV5MkgHfjeFoK-2BDQh6M7S2ys2qIf8m3qiLtFMHY6p7m4ep8JZqbC0axloFSX-2Fzbz51ZW-2BsyQEEbRqwx0S1i4lo9NhRXrfXOvn0A83bBDk31g9QfoWTGhHCjSEfuca9KJwe0GCABYAuqYeYHMc5qXhPv86r0l0ldRpwe39V9LJ5m6Go-3D	Get hash	malicious	Unknown	Browse	34.160.78.217
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ffa8f561-18f3-44bd-a9af-c40ba0c5e726.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176481788010785
Encrypted:	false
SSDEEP:	192:nBKMXN5acbhbVbTbfbRbObtbyEl7n4r1JA6wnSrDtTkd/SU:BPmcNhnzFSJYrwjnSrDhkd/J
MD5:	491572337AEAD6F3C46E227E8B57674E
SHA1:	24FF275AEB07F19CE10C30ABFD4BB120F310A9AE
SHA-256:	FDBC4DE717404803C607DB9D757207A4A4208B06C9A01D10EDED7294B6585B3B
SHA-512:	BA91A1E0294FDB7A6F2DEAA0AC632C746712E89540C93A3F20458B825068DE03398C0CCB32D37140F928BBF9434E31AB94B1BE58A8437A30291FA90CD99A97E0
Malicious:	false
Preview:	{"type":"uninstall","id":"ffa8f561-18f3-44bd-a9af-c40ba0c5e726","creationDate":"2024-11-01T17:57:58.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ffa8f561-18f3-44bd-a9af-c40ba0c5e726.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176481788010785
Encrypted:	false
SSDEEP:	192:nBKMXN5acbhbVbTbfbRbObtbyEl7n4r1JA6wnSrDtTkd/SU:BPmcNhnzFSJYrwjnSrDhkd/J
MD5:	491572337AEAD6F3C46E227E8B57674E
SHA1:	24FF275AEB07F19CE10C30ABFD4BB120F310A9AE
SHA-256:	FDBC4DE717404803C607DB9D757207A4A4208B06C9A01D10EDED7294B6585B3B
SHA-512:	BA91A1E0294FDB7A6F2DEAA0AC632C746712E89540C93A3F20458B825068DE03398C0CCB32D37140F928BBF9434E31AB94B1BE58A8437A30291FA90CD99A97E0
Malicious:	false
Preview:	{"type":"uninstall","id":"ffa8f561-18f3-44bd-a9af-c40ba0c5e726","creationDate":"2024-11-01T17:57:58.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3045992371935156
Encrypted:	false
SSDEEP:	24:bwvdf8b2A18+TIUx2dWoM15CLN8zmNw0df8b2A18+swM+bpoqdWoM15CLFX1RgmR:kdkxIUgdwnzqdkx86BdwBwdkx8adwD1
MD5:	118A0AE2BD624416A85FD96164D96E22
SHA1:	16E78BC5A9DCD2E059385565EE7FDA49338E0FC6
SHA-256:	F16607F1487AC093038411E70BED2C59B0BD0DA2A1C8BB7C6B2DA32CB1B72C1B
SHA-512:	C370B4B385E6B5D606A66F226E9945E59C1148AEE002FD4E9AF7B06D6864D3AFE8D4DF93E233EC014608A3F17E91533FD1ED54EB0E592D8CB7B17C8549658254
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......:..+~,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IaYM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaYM.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaYM...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............&.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3045992371935156
Encrypted:	false
SSDEEP:	24:bwvdf8b2A18+TIUx2dWoM15CLN8zmNw0df8b2A18+swM+bpoqdWoM15CLFX1RgmR:kdkxIUgdwnzqdkx86BdwBwdkx8adwD1
MD5:	118A0AE2BD624416A85FD96164D96E22
SHA1:	16E78BC5A9DCD2E059385565EE7FDA49338E0FC6
SHA-256:	F16607F1487AC093038411E70BED2C59B0BD0DA2A1C8BB7C6B2DA32CB1B72C1B
SHA-512:	C370B4B385E6B5D606A66F226E9945E59C1148AEE002FD4E9AF7B06D6864D3AFE8D4DF93E233EC014608A3F17E91533FD1ED54EB0E592D8CB7B17C8549658254
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......:..+~,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IaYM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaYM.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaYM...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............&.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOBQC65LJTGZRLJO4IY1.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3045992371935156
Encrypted:	false
SSDEEP:	24:bwvdf8b2A18+TIUx2dWoM15CLN8zmNw0df8b2A18+swM+bpoqdWoM15CLFX1RgmR:kdkxIUgdwnzqdkx86BdwBwdkx8adwD1
MD5:	118A0AE2BD624416A85FD96164D96E22
SHA1:	16E78BC5A9DCD2E059385565EE7FDA49338E0FC6
SHA-256:	F16607F1487AC093038411E70BED2C59B0BD0DA2A1C8BB7C6B2DA32CB1B72C1B
SHA-512:	C370B4B385E6B5D606A66F226E9945E59C1148AEE002FD4E9AF7B06D6864D3AFE8D4DF93E233EC014608A3F17E91533FD1ED54EB0E592D8CB7B17C8549658254
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......:..+~,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IaYM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaYM.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaYM...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............&.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLZ5OF36MC0P5JN95I8D.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3045992371935156
Encrypted:	false
SSDEEP:	24:bwvdf8b2A18+TIUx2dWoM15CLN8zmNw0df8b2A18+swM+bpoqdWoM15CLFX1RgmR:kdkxIUgdwnzqdkx86BdwBwdkx8adwD1
MD5:	118A0AE2BD624416A85FD96164D96E22
SHA1:	16E78BC5A9DCD2E059385565EE7FDA49338E0FC6
SHA-256:	F16607F1487AC093038411E70BED2C59B0BD0DA2A1C8BB7C6B2DA32CB1B72C1B
SHA-512:	C370B4B385E6B5D606A66F226E9945E59C1148AEE002FD4E9AF7B06D6864D3AFE8D4DF93E233EC014608A3F17E91533FD1ED54EB0E592D8CB7B17C8549658254
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......:..+~,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IaYM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaYM.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaYM...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............&.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923618382138451
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN29dFxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LlLF8P
MD5:	9E5B024ED644DC4E054B3A94F8D0614C
SHA1:	1CCF59866FB0F353D27C8D0954137C45A5903874
SHA-256:	37B30D0065E2815254A14DC32BE8FCFA264DC57A6C9A4E32866548EE3F0EAB90
SHA-512:	576ECDFD1FDAD159B52E6AE72094EFB5C6364B73D0969D67BFB849FB8D791C3D214447A3DA973D4D857593CFB28770C18E979F45F7B6D415B34544E4F429A0A9
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923618382138451
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN29dFxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LlLF8P
MD5:	9E5B024ED644DC4E054B3A94F8D0614C
SHA1:	1CCF59866FB0F353D27C8D0954137C45A5903874
SHA-256:	37B30D0065E2815254A14DC32BE8FCFA264DC57A6C9A4E32866548EE3F0EAB90
SHA-512:	576ECDFD1FDAD159B52E6AE72094EFB5C6364B73D0969D67BFB849FB8D791C3D214447A3DA973D4D857593CFB28770C18E979F45F7B6D415B34544E4F429A0A9
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333858257979299
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkidX:DLhesh7Owd4+ji
MD5:	9DA19C7D7B9A8B321C4BDC75E9696F41
SHA1:	600D941BCA630E12FBEFBBDA93E30EDD1396EF98
SHA-256:	1DA8F7AFB9B08B8F884899FA2493390069CE4D29D4AD5F8AA51B114CF94324C9
SHA-512:	1A241EB0DC4E15CD161F2BE83665C488117DB450D42E5052BBEE265ECB82F25FBD4B4071FA4B406B2D27D9EFE1A8A1AA2211D96F902BBC2077F8402282F067D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039629310946426154
Encrypted:	false
SSDEEP:	6:G7V4V2rlQCEml7V4V2rlQCEsL9XIwlio:cY2xQCTRY2xQC7Pi
MD5:	D237692F538693225C4D392721918AA5
SHA1:	2EFA5A861989FD2BE2ACF980F06A3C7ECD1BF9C3
SHA-256:	A52CD10BA39B71CCE737606E9AB4E7405FEE80D388C9DB71863F925339488922
SHA-512:	3EA6179BCB3514FF32D00C73572689A213D398487D1DB5127250DBFE4232CE1DEE3B5D2D674F4148BCB03060D2F5563CF4278A5F619CD2431C3817975C9541D0
Malicious:	false
Preview:	..-......................B...<M..b.@....C.C....-......................B...<M..b.@....C.C..........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13393487741939905
Encrypted:	false
SSDEEP:	24:KPKifkEVsLxsZ+Er2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaDW:+RMEeQPr2VJCXs4qLWeJa1VyrktZk
MD5:	9E0287B27A5596DCD8F4E02BCD9EE0CC
SHA1:	9A842823ACFACA07B6441BC14E34E3DA84F830F3
SHA-256:	F7F4442F67F85F973D63B15CDD9D1652FAA909B7536B69EB9399C393CAA9177D
SHA-512:	1AA881F53CAB1D4A500087870BB02EDFA60E34B47D7F999903F6D89209911B29F2527D044F8B77D8F9CA0D50E27ACF4F6C07A5177D5C7D745E6DA1E46E974A4E
Malicious:	false
Preview:	7....-..........M..b.@..7.`.#..........M..b.@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477671819227836
Encrypted:	false
SSDEEP:	192:onPOeRnLYbBp6hJ0aX+w6SEXKjGYeNVjg5RHWNBw8dcSl:SDe8JUzkKqHEwX0
MD5:	CB6F79E55182C5675D9519F68D32D05C
SHA1:	23CF13590C9DBC205BD9806A512E6D9187ABAE6C
SHA-256:	14B6FEB7B838204E9444A13A43F86413178E1583CE12B22639138EF613AC2101
SHA-512:	A6AD26066664BC5903F8D020DE60D000E8BBDD4225EC7B5578F2C86E2640B8EAFD08880F2C7264D5F079D109819A5797013EB5EDE751CC4C6045B2A6544F3B36
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730483849);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730483849);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730483849);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173048

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477671819227836
Encrypted:	false
SSDEEP:	192:onPOeRnLYbBp6hJ0aX+w6SEXKjGYeNVjg5RHWNBw8dcSl:SDe8JUzkKqHEwX0
MD5:	CB6F79E55182C5675D9519F68D32D05C
SHA1:	23CF13590C9DBC205BD9806A512E6D9187ABAE6C
SHA-256:	14B6FEB7B838204E9444A13A43F86413178E1583CE12B22639138EF613AC2101
SHA-512:	A6AD26066664BC5903F8D020DE60D000E8BBDD4225EC7B5578F2C86E2640B8EAFD08880F2C7264D5F079D109819A5797013EB5EDE751CC4C6045B2A6544F3B36
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730483849);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730483849);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730483849);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173048

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\aa663bec-09b7-4547-ac0a-d84822d4c1f1 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.957351589162335
Encrypted:	false
SSDEEP:	12:YZFgjXrJUJEcIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YKWhSlCOlZGV1AQIWZcy6ZXvx
MD5:	C6F7C91285752816287462E92BE78DE1
SHA1:	4A90CF424399FA6087A57BF4CACFD2DE36704285
SHA-256:	E174244152660723765C9D83899F7D60A468C9B792E3E62C07BD7FF5F0FDF2CB
SHA-512:	22B24C337859D3AD64DA0293B72BE7E509DEAE481C0DE1E380743B05306AFC8EC9739DB9CCE749D1443BEC5E681622085F289D7F3DFF26D622B67EC6875BD01C
Malicious:	false
Preview:	{"type":"health","id":"aa663bec-09b7-4547-ac0a-d84822d4c1f1","creationDate":"2024-11-01T17:57:59.390Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\aa663bec-09b7-4547-ac0a-d84822d4c1f1.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.957351589162335
Encrypted:	false
SSDEEP:	12:YZFgjXrJUJEcIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YKWhSlCOlZGV1AQIWZcy6ZXvx
MD5:	C6F7C91285752816287462E92BE78DE1
SHA1:	4A90CF424399FA6087A57BF4CACFD2DE36704285
SHA-256:	E174244152660723765C9D83899F7D60A468C9B792E3E62C07BD7FF5F0FDF2CB
SHA-512:	22B24C337859D3AD64DA0293B72BE7E509DEAE481C0DE1E380743B05306AFC8EC9739DB9CCE749D1443BEC5E681622085F289D7F3DFF26D622B67EC6875BD01C
Malicious:	false
Preview:	{"type":"health","id":"aa663bec-09b7-4547-ac0a-d84822d4c1f1","creationDate":"2024-11-01T17:57:59.390Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.348225978948706
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSXbLXnIruC/pnxQwRcWT5sKmgb0E3eHVpjO+vamhujJwO2c0TiVm0D:GUpOxebfanRcoegb3erjxv4Jwc3zBtT
MD5:	1F453ADB799627279EE1A85E60A24249
SHA1:	66EB12DB32D68A70A8B2929299EE5A087F412FF0
SHA-256:	FC077012F4DA4B0CEC7C9AB944FF8AB2FF0F118C0C533BB0C83E9EAA3E1BBFE9
SHA-512:	EABEDF4E45D9650A8AB0A223715D2040524F0EAD7B7D0B8856D6500A28BB209E40487B3DF1754A6D6210B2617F7E24441AB6748DBC954C544139CB87C522EDFE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{3555f1f9-41ba-487f-976a-10a0751f5e2e}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730483855073,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A1868...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...26087,"originA...."fir

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.348225978948706
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSXbLXnIruC/pnxQwRcWT5sKmgb0E3eHVpjO+vamhujJwO2c0TiVm0D:GUpOxebfanRcoegb3erjxv4Jwc3zBtT
MD5:	1F453ADB799627279EE1A85E60A24249
SHA1:	66EB12DB32D68A70A8B2929299EE5A087F412FF0
SHA-256:	FC077012F4DA4B0CEC7C9AB944FF8AB2FF0F118C0C533BB0C83E9EAA3E1BBFE9
SHA-512:	EABEDF4E45D9650A8AB0A223715D2040524F0EAD7B7D0B8856D6500A28BB209E40487B3DF1754A6D6210B2617F7E24441AB6748DBC954C544139CB87C522EDFE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{3555f1f9-41ba-487f-976a-10a0751f5e2e}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730483855073,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A1868...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...26087,"originA...."fir

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.348225978948706
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSXbLXnIruC/pnxQwRcWT5sKmgb0E3eHVpjO+vamhujJwO2c0TiVm0D:GUpOxebfanRcoegb3erjxv4Jwc3zBtT
MD5:	1F453ADB799627279EE1A85E60A24249
SHA1:	66EB12DB32D68A70A8B2929299EE5A087F412FF0
SHA-256:	FC077012F4DA4B0CEC7C9AB944FF8AB2FF0F118C0C533BB0C83E9EAA3E1BBFE9
SHA-512:	EABEDF4E45D9650A8AB0A223715D2040524F0EAD7B7D0B8856D6500A28BB209E40487B3DF1754A6D6210B2617F7E24441AB6748DBC954C544139CB87C522EDFE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{3555f1f9-41ba-487f-976a-10a0751f5e2e}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730483855073,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A1868...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...26087,"originA...."fir

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0300583800324965
Encrypted:	false
SSDEEP:	96:ycKXyMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:0XDTEr5NX0z3DhRe
MD5:	7E4093AB09CBEF018B3BCDFE7C93CCE2
SHA1:	8BF91072F922FF00CE22F8A08EE1371344A869FD
SHA-256:	09D436E7CA48E7A82D3351FFDC4995A6C8B9F2E1EF427DC6145BD12A12728AFC
SHA-512:	8029AF4225E59C4217A5DDC0B158CB504358F6DFE4271ED1635F038D47EAD4B4DACFFBF3C26D6C6267BC0A3580F057F604A31D58311E40DC38560EA11B280000
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T17:57:12.091Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0300583800324965
Encrypted:	false
SSDEEP:	96:ycKXyMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:0XDTEr5NX0z3DhRe
MD5:	7E4093AB09CBEF018B3BCDFE7C93CCE2
SHA1:	8BF91072F922FF00CE22F8A08EE1371344A869FD
SHA-256:	09D436E7CA48E7A82D3351FFDC4995A6C8B9F2E1EF427DC6145BD12A12728AFC
SHA-512:	8029AF4225E59C4217A5DDC0B158CB504358F6DFE4271ED1635F038D47EAD4B4DACFFBF3C26D6C6267BC0A3580F057F604A31D58311E40DC38560EA11B280000
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T17:57:12.091Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846764827107025
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	938163b1c71b86d749cc0b79c28d09da
SHA1:	f961699dcf2e03ef54000cc708150bddb1cc238e
SHA256:	c6f46bf3136bd0715c46d4f754133535ec7b34eeeccab5c51649670f7982d7ef
SHA512:	1c53f0791729bbcf49c67080faaae50033b3f24353bcdde7a0996e41ba7316df4accce5543981065e08f6d9cad57d02f6a92471322d974ca04dfb683f2620531
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T7:9qDEvCTbMWu7rQYlBQcBiT6rprG8ab7
TLSH:	61159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67250236 [Fri Nov 1 16:30:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F1DB50D91A3h
jmp 00007F1DB50D8AAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1DB50D8C8Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1DB50D8C5Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F1DB50DB84Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F1DB50DB898h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F1DB50DB881h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	fea79fb61c5e5235562739de17db7a97	False	0.31561511075949367	data	5.373814147312387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T17:50:42.881807+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.5	49736	TCP
2024-11-01T17:50:57.019712+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.5	61977	TCP
2024-11-01T17:50:58.529473+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.5	61987	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 17:50:28.836884975 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:28.836925030 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:28.837347031 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:28.842618942 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:28.842639923 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:29.467927933 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:29.468005896 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:29.476457119 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:29.476481915 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:29.476573944 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:29.476634979 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:29.476746082 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:30.017730951 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.020198107 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.020229101 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.020355940 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.020380020 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.020483971 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.020487070 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.021881104 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.021894932 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.022672892 CET	80	49711	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:30.023247004 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.023262978 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.023351908 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.023518085 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.028516054 CET	80	49711	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:30.151644945 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.151675940 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.156105042 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.157453060 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.157468081 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.157735109 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.157762051 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.157902956 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.158025026 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.158035040 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.553930998 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.553988934 CET	443	49717	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.559108973 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.560764074 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.560781002 CET	443	49717	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.648773909 CET	80	49711	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:30.706326008 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.765830994 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.766870975 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.779331923 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.787054062 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.811086893 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.811106920 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.811376095 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.815074921 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.815155029 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.815247059 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.817868948 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.817887068 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.817965031 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.818003893 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.818311930 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.818392038 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.823328018 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:30.827275991 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.827292919 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.827301979 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.827343941 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:30.828206062 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.833314896 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:30.833368063 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:30.850264072 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.855662107 CET	80	49711	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:30.857415915 CET	49711	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:30.896145105 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.896207094 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.896872997 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.897030115 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.898802042 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.898874998 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.899496078 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.900078058 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.902806997 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.902812958 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.902894974 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.903012991 CET	443	49712	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.903075933 CET	49712	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.904237032 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.904237032 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:30.904244900 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.904397011 CET	443	49713	142.250.186.78	192.168.2.5
Nov 1, 2024 17:50:30.904483080 CET	49713	443	192.168.2.5	142.250.186.78
Nov 1, 2024 17:50:31.176451921 CET	443	49717	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.176517963 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.210140944 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.210161924 CET	443	49717	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.210222006 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.210362911 CET	443	49717	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.210453987 CET	49717	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.355591059 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.355655909 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.356796980 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.356829882 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.357321978 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.357440948 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.357451916 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.363022089 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.363035917 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.363131046 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.363238096 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.363275051 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.363333941 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:31.365763903 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.365783930 CET	443	49722	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.366080046 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.367496014 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.367510080 CET	443	49722	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.368519068 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.368536949 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.452975035 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.452990055 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.457237005 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.460803986 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.460819006 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.460875988 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.461277008 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.461760044 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.961580992 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.961673021 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:31.970997095 CET	443	49722	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.974359989 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.979621887 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.979634047 CET	443	49722	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.979729891 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.979795933 CET	443	49722	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.980134964 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.980180025 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.980242968 CET	49722	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.980302095 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.980338097 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.980406046 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.981621027 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:31.981633902 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:31.984584093 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.984597921 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.984842062 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.987495899 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.987642050 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.987658978 CET	443	49721	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.987708092 CET	49721	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.987953901 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.987998009 CET	443	49724	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:31.988215923 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.988302946 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:31.988317013 CET	443	49724	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:32.009601116 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:32.009608984 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:32.443475962 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:32.448429108 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:32.568036079 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:32.606925011 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:32.607814074 CET	443	49724	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:32.611324072 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:32.611335993 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:32.611407042 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:32.611409903 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.615993977 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:32.616005898 CET	443	49724	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:32.616297007 CET	443	49724	34.160.144.191	192.168.2.5
Nov 1, 2024 17:50:32.619946957 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.619960070 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:32.620105982 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:32.620425940 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.620708942 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.620708942 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.620820045 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:32.620876074 CET	49724	443	192.168.2.5	34.160.144.191
Nov 1, 2024 17:50:32.927826881 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 17:50:32.927860975 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 17:50:34.972887993 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:34.978270054 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:35.099021912 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:35.153640032 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:35.277240992 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:35.282236099 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:35.310400963 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.310435057 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.312820911 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.313026905 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.313043118 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.314111948 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.314158916 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:35.316471100 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.318213940 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.318236113 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:35.356650114 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:35.356707096 CET	443	49730	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:35.356846094 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:35.358274937 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:35.358292103 CET	443	49730	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:35.401779890 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:35.473696947 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:35.870692015 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:35.870745897 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:35.881244898 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:35.882642984 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:35.882661104 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:35.919559002 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.921670914 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.924089909 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.924098015 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.924334049 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.925929070 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.925929070 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.926058054 CET	443	49728	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:35.928301096 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:35.929174900 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.929203033 CET	49728	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:35.929267883 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.932456970 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.932473898 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:35.932527065 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:35.932625055 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:35.932693005 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.009232998 CET	443	49730	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:36.009715080 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:36.013119936 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:36.013132095 CET	443	49730	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:36.013178110 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:36.013310909 CET	443	49730	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:36.015147924 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.016870975 CET	49730	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:36.019916058 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.027782917 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.027803898 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.028667927 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.031997919 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.032012939 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.034982920 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.035011053 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.035684109 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.035693884 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.038427114 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.038427114 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.038551092 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.038567066 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.038712978 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.038723946 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.140002012 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.155586004 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.161381960 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.194658041 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.288376093 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.341785908 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.494066000 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:36.494081020 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:36.494154930 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:36.498179913 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:36.498198032 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:36.498261929 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:36.498332977 CET	443	49731	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:36.499059916 CET	49731	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:36.501012087 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.505841017 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.625278950 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.627711058 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.632464886 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.639523983 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.639590979 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.643179893 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.643285036 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.646764040 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.646888018 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.655999899 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.656021118 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.656251907 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.658288002 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.658343077 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.658581018 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.661731005 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.661887884 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.662026882 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.662034988 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.662549019 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.662615061 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.662700891 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.663310051 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.665122032 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.665148020 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.665193081 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.665381908 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.666637897 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.667376995 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.669727087 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.669754982 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.669953108 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.671237946 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.671248913 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.672172070 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.752250910 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.791511059 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.794665098 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.799555063 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.843193054 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:36.867337942 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:36.867384911 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:36.919107914 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:36.965646029 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:37.194695950 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:37.194771051 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:37.291282892 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:37.292624950 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:37.295761108 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:37.295775890 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:37.295859098 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:37.295922995 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 17:50:37.297599077 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:50:37.300801039 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:37.305706024 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:37.425148964 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:37.428512096 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:37.433387041 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:37.467082977 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:37.552953005 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:37.598632097 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:41.935785055 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:41.935821056 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:41.936077118 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:41.937458038 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:41.937472105 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:42.594613075 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:42.603332043 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:42.606908083 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:42.791183949 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:42.791194916 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:42.791258097 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:42.791412115 CET	443	49739	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:42.791479111 CET	49739	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:42.871027946 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:42.876137018 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:42.995496035 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:43.041944981 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:43.289845943 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:43.444709063 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:43.564609051 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:43.612421989 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:49.402631998 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:49.407566071 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:49.534421921 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:49.536930084 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:49.542675972 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:49.576252937 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:49.661843061 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:49.714354992 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:52.874998093 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:52.875044107 CET	443	61959	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:52.875348091 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:52.876595020 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:52.876607895 CET	443	61959	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:53.494046926 CET	443	61959	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:53.494147062 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:53.498091936 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:53.498100042 CET	443	61959	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:53.498193026 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:53.498248100 CET	443	61959	34.107.243.93	192.168.2.5
Nov 1, 2024 17:50:53.499373913 CET	61959	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:50:53.501034975 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:53.505867004 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:53.625541925 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:53.628591061 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:53.633470058 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:53.672435045 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:53.753062010 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:53.803993940 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:57.645850897 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:57.645903111 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:57.646971941 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:57.647098064 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:57.647115946 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:57.668637037 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:57.668680906 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:57.669245958 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:57.669378996 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:57.669393063 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:57.675003052 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:57.675019026 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:57.675302029 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:57.675411940 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:57.675424099 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:57.941281080 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:57.941313028 CET	443	61995	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:57.946032047 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:57.947474957 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:57.947489023 CET	443	61995	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:57.958266020 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:57.958300114 CET	443	61996	35.201.103.21	192.168.2.5
Nov 1, 2024 17:50:57.959326982 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:57.960695028 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:57.960705996 CET	443	61996	35.201.103.21	192.168.2.5
Nov 1, 2024 17:50:58.257559061 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.257642031 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.261027098 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.261042118 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.261272907 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.263712883 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.263807058 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.263870001 CET	443	61989	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.263969898 CET	61989	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.267652988 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.272562027 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.304251909 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:58.304331064 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:58.307359934 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:58.307367086 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:58.307602882 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:58.309916019 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.310026884 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:58.310026884 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.310102940 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:58.310168982 CET	443	61991	151.101.1.91	192.168.2.5
Nov 1, 2024 17:50:58.312932968 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.312942982 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.313276052 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.315051079 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.315107107 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.315228939 CET	443	61990	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.316750050 CET	61991	443	192.168.2.5	151.101.1.91
Nov 1, 2024 17:50:58.316780090 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.316793919 CET	61990	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.318403959 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.318434000 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.320184946 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.320205927 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.320478916 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.320574999 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.320580959 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.320595980 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.320739985 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.320750952 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.322540998 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.322570086 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.328864098 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.328943968 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.328954935 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.392294884 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.396361113 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.401278973 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.439330101 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.520812035 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.564064980 CET	443	61995	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:58.564157963 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:58.568829060 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:58.568834066 CET	443	61995	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:58.568916082 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:58.569026947 CET	443	61995	35.190.72.216	192.168.2.5
Nov 1, 2024 17:50:58.569123983 CET	61995	443	192.168.2.5	35.190.72.216
Nov 1, 2024 17:50:58.570908070 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.572103024 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.577016115 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.602246046 CET	443	61996	35.201.103.21	192.168.2.5
Nov 1, 2024 17:50:58.603396893 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:58.606925964 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:58.606930971 CET	443	61996	35.201.103.21	192.168.2.5
Nov 1, 2024 17:50:58.607003927 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:58.607068062 CET	443	61996	35.201.103.21	192.168.2.5
Nov 1, 2024 17:50:58.617773056 CET	61996	443	192.168.2.5	35.201.103.21
Nov 1, 2024 17:50:58.617938995 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.617959023 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.618311882 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.618464947 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:50:58.618475914 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:50:58.696578979 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.705264091 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.710113049 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.755842924 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.830573082 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:50:58.871778965 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.939676046 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.939742088 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.941310883 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.941392899 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.942394972 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.942400932 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.942631006 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.944247007 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.944331884 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.944618940 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.944628954 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.944838047 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.947097063 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.947105885 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.947431087 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.950453043 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.950534105 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.950690985 CET	443	61998	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.951288939 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.951334000 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.951432943 CET	443	62000	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.952110052 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.952189922 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.952294111 CET	443	61999	35.244.181.201	192.168.2.5
Nov 1, 2024 17:50:58.956118107 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:50:58.956444979 CET	61998	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.956465960 CET	61999	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.956482887 CET	62000	443	192.168.2.5	35.244.181.201
Nov 1, 2024 17:50:58.961077929 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.163990974 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.166184902 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.166860104 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.167161942 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.167407036 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:51:00.167505980 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.167541027 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:51:00.167547941 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.170594931 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:51:00.170608044 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:51:00.170836926 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:51:00.172385931 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.172646046 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.173577070 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:51:00.173655033 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:51:00.173726082 CET	443	62003	34.149.100.209	192.168.2.5
Nov 1, 2024 17:51:00.173830986 CET	62003	443	192.168.2.5	34.149.100.209
Nov 1, 2024 17:51:00.176513910 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.176781893 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.182353020 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.304703951 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.305455923 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.308715105 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.314785957 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.344804049 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:00.435206890 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:00.476353884 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:10.314929962 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:10.320209026 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:10.446423054 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:10.451328993 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:13.947310925 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:13.947381020 CET	443	62079	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:13.947729111 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:13.949054956 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:13.949094057 CET	443	62079	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:14.567769051 CET	443	62079	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:14.567910910 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:14.572727919 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:14.572746038 CET	443	62079	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:14.572849989 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:14.572900057 CET	443	62079	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:14.573605061 CET	62079	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:14.575922966 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:14.580868006 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:14.700556040 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:14.703996897 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:14.709920883 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:14.743472099 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:14.829422951 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:14.874943018 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:24.703526020 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:24.841519117 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:25.232028008 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:25.232048035 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:27.686351061 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.686391115 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:27.688199043 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.688395977 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.688410997 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:27.690870047 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.690905094 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:27.691338062 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.691474915 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:27.691488028 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.310132027 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.310218096 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.313719034 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.313729048 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.313958883 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.316765070 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.316865921 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.316926003 CET	443	62149	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.316983938 CET	62149	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.329303026 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.329380035 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.332273006 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.332285881 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.332547903 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.334750891 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.334835052 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.334956884 CET	443	62150	34.120.208.123	192.168.2.5
Nov 1, 2024 17:51:28.336143017 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.336163998 CET	62150	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:51:28.357563972 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:28.362431049 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:28.481714964 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:28.536803961 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:28.794329882 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:28.799179077 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:29.110409975 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:29.154094934 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:29.394265890 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:29.394328117 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:38.481522083 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:38.487642050 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:39.114064932 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:39.118961096 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:48.511028051 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:48.516060114 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:49.128388882 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:49.133456945 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:54.724504948 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:54.724574089 CET	443	62200	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:54.724663973 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:54.726255894 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:54.726289988 CET	443	62200	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:55.331263065 CET	443	62200	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:55.331501961 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:55.335993052 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:55.336025000 CET	443	62200	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:55.336077929 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:55.336213112 CET	443	62200	34.107.243.93	192.168.2.5
Nov 1, 2024 17:51:55.338851929 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:55.339073896 CET	62200	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:51:55.343691111 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:55.507025957 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:55.510931969 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:55.515908957 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:55.562230110 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:51:55.635582924 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:51:55.678189993 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:05.521810055 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:05.526784897 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:05.644232035 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:05.649085045 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:15.534117937 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:15.539033890 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:15.651155949 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:15.889616966 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:25.547323942 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:25.552347898 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:25.901647091 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:25.906742096 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:35.560259104 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:35.565191031 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:35.907963037 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:35.913007021 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:45.568556070 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:45.582071066 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:45.922585011 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:45.933847904 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:55.596896887 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:55.603856087 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:52:55.938311100 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:52:55.943613052 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:05.624488115 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:05.629333973 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:05.958095074 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:05.963089943 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:15.360768080 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.360788107 CET	443	62201	34.107.243.93	192.168.2.5
Nov 1, 2024 17:53:15.361485004 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.363231897 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.363243103 CET	443	62201	34.107.243.93	192.168.2.5
Nov 1, 2024 17:53:15.639779091 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:15.647624969 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:15.961489916 CET	443	62201	34.107.243.93	192.168.2.5
Nov 1, 2024 17:53:15.961647034 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.968399048 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.968410015 CET	443	62201	34.107.243.93	192.168.2.5
Nov 1, 2024 17:53:15.968540907 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.968594074 CET	443	62201	34.107.243.93	192.168.2.5
Nov 1, 2024 17:53:15.968888044 CET	62201	443	192.168.2.5	34.107.243.93
Nov 1, 2024 17:53:15.971798897 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:15.971820116 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:15.976659060 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:15.976705074 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:16.098494053 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:16.102714062 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:16.108043909 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:16.141194105 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:16.228171110 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:16.272706032 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:26.101105928 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:26.106168032 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:26.232711077 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:26.237587929 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:28.423042059 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423080921 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:28.423331022 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423355103 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:28.423485041 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423515081 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:28.423604012 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423650026 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423650980 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423834085 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.423846006 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:28.424062014 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.424073935 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:28.424161911 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:28.424170971 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.022496939 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.022713900 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.030464888 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.030481100 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.030669928 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.032831907 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.032952070 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.032967091 CET	443	62202	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.036040068 CET	62202	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.036081076 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:29.043731928 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:29.045471907 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.045620918 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.048621893 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.048634052 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.048897028 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.051131964 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.051253080 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.051291943 CET	443	62203	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.051655054 CET	62203	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.071815968 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.071932077 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.074726105 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.074736118 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.075093031 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.076529026 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.076636076 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.076728106 CET	443	62204	34.120.208.123	192.168.2.5
Nov 1, 2024 17:53:29.076803923 CET	62204	443	192.168.2.5	34.120.208.123
Nov 1, 2024 17:53:29.160571098 CET	80	49720	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:29.164210081 CET	49719	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:29.169121027 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:29.205406904 CET	49720	80	192.168.2.5	34.107.221.82
Nov 1, 2024 17:53:29.288503885 CET	80	49719	34.107.221.82	192.168.2.5
Nov 1, 2024 17:53:29.336913109 CET	49719	80	192.168.2.5	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 17:50:28.838165045 CET	50172	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:28.845319033 CET	53	50172	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:28.846003056 CET	51452	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:28.853466988 CET	53	51452	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:29.807131052 CET	53975	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:29.807444096 CET	59092	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.016942024 CET	53	59092	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.018608093 CET	53430	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.020369053 CET	53042	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.025356054 CET	53	53430	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.025852919 CET	58365	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.028039932 CET	53	53042	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.028476954 CET	62023	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.032653093 CET	53	58365	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.035563946 CET	53	62023	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.143764973 CET	58364	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.150952101 CET	53	58364	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.152098894 CET	63351	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.156900883 CET	50123	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.159470081 CET	53	63351	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.160059929 CET	62976	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.169835091 CET	53	62976	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.179418087 CET	53	50123	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.179905891 CET	58608	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.187418938 CET	53	58608	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.339435101 CET	50359	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.532196045 CET	53	50359	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.554533005 CET	62991	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.561819077 CET	53	62991	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.562376976 CET	49254	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.569775105 CET	53	49254	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.849324942 CET	65230	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.849792004 CET	59414	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:30.856436968 CET	53	65230	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:30.856542110 CET	53	59414	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:31.344029903 CET	65183	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:31.344748020 CET	58015	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:31.351265907 CET	53	65183	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:31.357510090 CET	56810	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:31.365534067 CET	53	56810	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:31.370954990 CET	59140	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:31.379677057 CET	53	59140	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:34.974145889 CET	62730	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:34.981872082 CET	53	62730	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:34.988269091 CET	63911	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:34.997385979 CET	53	63911	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:34.997984886 CET	54862	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.006783009 CET	53	54862	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.031131983 CET	52596	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.068661928 CET	53	63669	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.277522087 CET	49284	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.285970926 CET	53	49284	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.304743052 CET	56616	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.311527967 CET	53	56616	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.313647985 CET	55349	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.320682049 CET	53	55349	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.337615013 CET	61969	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.344588041 CET	53	61969	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.347342014 CET	52479	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.352714062 CET	61601	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.354537010 CET	53	52479	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.355753899 CET	54860	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.357045889 CET	62562	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.360290051 CET	53	61601	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.362823009 CET	53	54860	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.363955021 CET	53	62562	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:35.369297981 CET	54463	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:35.376323938 CET	53	54463	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.733237982 CET	51313	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.733503103 CET	59351	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.734607935 CET	63934	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.741489887 CET	53	59351	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.741882086 CET	53	51313	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.742382050 CET	53	63934	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.880705118 CET	59236	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.880847931 CET	53794	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.880951881 CET	57153	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.887603998 CET	53	59236	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.888159990 CET	56168	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.888195992 CET	53	53794	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.888943911 CET	49615	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.888986111 CET	53	57153	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.889478922 CET	63521	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.895658970 CET	53	56168	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.896661043 CET	49592	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.897197962 CET	53	63521	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.897212029 CET	53	49615	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.897783041 CET	63168	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.907680035 CET	53	49592	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.907763958 CET	53	63168	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.909487963 CET	59067	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.909846067 CET	62224	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.924907923 CET	53	59067	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.924928904 CET	53	62224	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.925369024 CET	62208	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.925599098 CET	59285	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:40.937088966 CET	53	62208	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:40.937102079 CET	53	59285	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:41.935357094 CET	55238	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:41.942872047 CET	53	55238	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:45.309140921 CET	53	57204	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:47.932611942 CET	53	55725	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:52.875273943 CET	55059	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:52.882303953 CET	53	55059	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:53.500895023 CET	55051	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.646852970 CET	54459	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.653780937 CET	53	54459	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.663784981 CET	57680	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.672277927 CET	53	57680	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.675251007 CET	50584	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.682847023 CET	53	50584	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.684489965 CET	50667	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.691704035 CET	53	50667	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.948959112 CET	52268	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.957163095 CET	53	52268	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.958868980 CET	52057	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.965981007 CET	53	52057	1.1.1.1	192.168.2.5
Nov 1, 2024 17:50:57.966578007 CET	62899	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:50:57.973866940 CET	53	62899	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:13.946748018 CET	49264	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:51:13.954417944 CET	53	49264	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:13.955862999 CET	63027	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:51:13.969966888 CET	53	63027	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:27.685098886 CET	51822	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:51:27.693454981 CET	53	51822	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:54.716445923 CET	59676	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:51:54.723428965 CET	53	59676	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:54.724397898 CET	54471	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:51:54.731319904 CET	53	54471	1.1.1.1	192.168.2.5
Nov 1, 2024 17:51:55.338932991 CET	49345	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:15.343441010 CET	59145	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:15.350652933 CET	53	59145	1.1.1.1	192.168.2.5
Nov 1, 2024 17:53:15.352231026 CET	51397	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:15.359141111 CET	53	51397	1.1.1.1	192.168.2.5
Nov 1, 2024 17:53:15.359848022 CET	50648	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:15.366637945 CET	53	50648	1.1.1.1	192.168.2.5
Nov 1, 2024 17:53:15.972410917 CET	65508	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:28.423547983 CET	55901	53	192.168.2.5	1.1.1.1
Nov 1, 2024 17:53:28.430466890 CET	53	55901	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 17:50:28.838165045 CET	192.168.2.5	1.1.1.1	0x8705	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:28.846003056 CET	192.168.2.5	1.1.1.1	0xcec7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:29.807131052 CET	192.168.2.5	1.1.1.1	0x70fd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:29.807444096 CET	192.168.2.5	1.1.1.1	0x6316	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.018608093 CET	192.168.2.5	1.1.1.1	0x55b9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.020369053 CET	192.168.2.5	1.1.1.1	0xf500	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.025852919 CET	192.168.2.5	1.1.1.1	0xe8c1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:30.028476954 CET	192.168.2.5	1.1.1.1	0x37f0	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:30.143764973 CET	192.168.2.5	1.1.1.1	0x4ba5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.152098894 CET	192.168.2.5	1.1.1.1	0x3798	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.156900883 CET	192.168.2.5	1.1.1.1	0xfc6e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.160059929 CET	192.168.2.5	1.1.1.1	0x2375	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:30.179905891 CET	192.168.2.5	1.1.1.1	0x3ad2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:30.339435101 CET	192.168.2.5	1.1.1.1	0x97bb	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.554533005 CET	192.168.2.5	1.1.1.1	0x63c2	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.562376976 CET	192.168.2.5	1.1.1.1	0x3275	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:30.849324942 CET	192.168.2.5	1.1.1.1	0x6321	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.849792004 CET	192.168.2.5	1.1.1.1	0xbb42	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.344029903 CET	192.168.2.5	1.1.1.1	0x69f3	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.344748020 CET	192.168.2.5	1.1.1.1	0xefa6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.357510090 CET	192.168.2.5	1.1.1.1	0x66c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.370954990 CET	192.168.2.5	1.1.1.1	0xc1db	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:34.974145889 CET	192.168.2.5	1.1.1.1	0x8037	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:34.988269091 CET	192.168.2.5	1.1.1.1	0x2b4f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:34.997984886 CET	192.168.2.5	1.1.1.1	0x9e81	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:35.031131983 CET	192.168.2.5	1.1.1.1	0x8c29	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.277522087 CET	192.168.2.5	1.1.1.1	0x1aa2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.304743052 CET	192.168.2.5	1.1.1.1	0x5b09	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:35.313647985 CET	192.168.2.5	1.1.1.1	0x427f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.337615013 CET	192.168.2.5	1.1.1.1	0x7978	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.347342014 CET	192.168.2.5	1.1.1.1	0x49cd	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.352714062 CET	192.168.2.5	1.1.1.1	0x8cf7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:35.355753899 CET	192.168.2.5	1.1.1.1	0x315e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:35.357045889 CET	192.168.2.5	1.1.1.1	0x25ab	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.369297981 CET	192.168.2.5	1.1.1.1	0x83f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:40.733237982 CET	192.168.2.5	1.1.1.1	0xf40f	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.733503103 CET	192.168.2.5	1.1.1.1	0xa983	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.734607935 CET	192.168.2.5	1.1.1.1	0x365b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.880705118 CET	192.168.2.5	1.1.1.1	0xb972	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.880847931 CET	192.168.2.5	1.1.1.1	0x2c19	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.880951881 CET	192.168.2.5	1.1.1.1	0x76a5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888159990 CET	192.168.2.5	1.1.1.1	0x634a	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:40.888943911 CET	192.168.2.5	1.1.1.1	0x8a6c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 1, 2024 17:50:40.889478922 CET	192.168.2.5	1.1.1.1	0x3ea2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:40.896661043 CET	192.168.2.5	1.1.1.1	0xf15c	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.897783041 CET	192.168.2.5	1.1.1.1	0x78ac	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.909487963 CET	192.168.2.5	1.1.1.1	0x4236	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.909846067 CET	192.168.2.5	1.1.1.1	0xbfd3	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.925369024 CET	192.168.2.5	1.1.1.1	0x8ccc	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:40.925599098 CET	192.168.2.5	1.1.1.1	0xb8d7	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:41.935357094 CET	192.168.2.5	1.1.1.1	0x456a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:52.875273943 CET	192.168.2.5	1.1.1.1	0x6c3a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:50:53.500895023 CET	192.168.2.5	1.1.1.1	0x3540	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.646852970 CET	192.168.2.5	1.1.1.1	0x5b64	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 17:50:57.663784981 CET	192.168.2.5	1.1.1.1	0x7dd2	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.675251007 CET	192.168.2.5	1.1.1.1	0x8cd1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.684489965 CET	192.168.2.5	1.1.1.1	0x61fc	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 1, 2024 17:50:57.948959112 CET	192.168.2.5	1.1.1.1	0xb53	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.958868980 CET	192.168.2.5	1.1.1.1	0x4b68	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.966578007 CET	192.168.2.5	1.1.1.1	0xb8e2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:51:13.946748018 CET	192.168.2.5	1.1.1.1	0xdd63	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:51:13.955862999 CET	192.168.2.5	1.1.1.1	0xe6d6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:51:27.685098886 CET	192.168.2.5	1.1.1.1	0x2b39	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:51:54.716445923 CET	192.168.2.5	1.1.1.1	0x9525	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:51:54.724397898 CET	192.168.2.5	1.1.1.1	0xa9b8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:51:55.338932991 CET	192.168.2.5	1.1.1.1	0xe305	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.343441010 CET	192.168.2.5	1.1.1.1	0x5c6b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.352231026 CET	192.168.2.5	1.1.1.1	0x690c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.359848022 CET	192.168.2.5	1.1.1.1	0x1544	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 17:53:15.972410917 CET	192.168.2.5	1.1.1.1	0x230b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:28.423547983 CET	192.168.2.5	1.1.1.1	0xe698	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 17:50:28.833420038 CET	1.1.1.1	192.168.2.5	0x471a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:28.845319033 CET	1.1.1.1	192.168.2.5	0x8705	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.016659021 CET	1.1.1.1	192.168.2.5	0x70fd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:30.016659021 CET	1.1.1.1	192.168.2.5	0x70fd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.016942024 CET	1.1.1.1	192.168.2.5	0x6316	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.025356054 CET	1.1.1.1	192.168.2.5	0x55b9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.028039932 CET	1.1.1.1	192.168.2.5	0xf500	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.032653093 CET	1.1.1.1	192.168.2.5	0xe8c1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 17:50:30.035563946 CET	1.1.1.1	192.168.2.5	0x37f0	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:30.150952101 CET	1.1.1.1	192.168.2.5	0x4ba5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.152717113 CET	1.1.1.1	192.168.2.5	0x94cf	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:30.152717113 CET	1.1.1.1	192.168.2.5	0x94cf	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.159470081 CET	1.1.1.1	192.168.2.5	0x3798	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.179418087 CET	1.1.1.1	192.168.2.5	0xfc6e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.532196045 CET	1.1.1.1	192.168.2.5	0x97bb	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:30.532196045 CET	1.1.1.1	192.168.2.5	0x97bb	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.561819077 CET	1.1.1.1	192.168.2.5	0x63c2	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.856436968 CET	1.1.1.1	192.168.2.5	0x6321	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.856542110 CET	1.1.1.1	192.168.2.5	0xbb42	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:30.856542110 CET	1.1.1.1	192.168.2.5	0xbb42	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.351265907 CET	1.1.1.1	192.168.2.5	0x69f3	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:31.351265907 CET	1.1.1.1	192.168.2.5	0x69f3	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:31.351265907 CET	1.1.1.1	192.168.2.5	0x69f3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.353426933 CET	1.1.1.1	192.168.2.5	0xefa6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:31.353426933 CET	1.1.1.1	192.168.2.5	0xefa6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.365534067 CET	1.1.1.1	192.168.2.5	0x66c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:31.379677057 CET	1.1.1.1	192.168.2.5	0xc1db	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 17:50:34.981872082 CET	1.1.1.1	192.168.2.5	0x8037	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:34.981872082 CET	1.1.1.1	192.168.2.5	0x8037	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:34.981872082 CET	1.1.1.1	192.168.2.5	0x8037	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:34.997385979 CET	1.1.1.1	192.168.2.5	0x2b4f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.041486025 CET	1.1.1.1	192.168.2.5	0x8c29	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:35.285970926 CET	1.1.1.1	192.168.2.5	0x1aa2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.285983086 CET	1.1.1.1	192.168.2.5	0x7318	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.308336020 CET	1.1.1.1	192.168.2.5	0x9659	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:35.308336020 CET	1.1.1.1	192.168.2.5	0x9659	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.320682049 CET	1.1.1.1	192.168.2.5	0x427f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.344588041 CET	1.1.1.1	192.168.2.5	0x7978	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.354537010 CET	1.1.1.1	192.168.2.5	0x49cd	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:35.354537010 CET	1.1.1.1	192.168.2.5	0x49cd	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:35.363955021 CET	1.1.1.1	192.168.2.5	0x25ab	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:36.026814938 CET	1.1.1.1	192.168.2.5	0x3436	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.741489887 CET	1.1.1.1	192.168.2.5	0xa983	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:40.741489887 CET	1.1.1.1	192.168.2.5	0xa983	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.741882086 CET	1.1.1.1	192.168.2.5	0xf40f	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:40.741882086 CET	1.1.1.1	192.168.2.5	0xf40f	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.742382050 CET	1.1.1.1	192.168.2.5	0x365b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.887603998 CET	1.1.1.1	192.168.2.5	0xb972	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888195992 CET	1.1.1.1	192.168.2.5	0x2c19	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.888986111 CET	1.1.1.1	192.168.2.5	0x76a5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.895658970 CET	1.1.1.1	192.168.2.5	0x634a	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.897197962 CET	1.1.1.1	192.168.2.5	0x3ea2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.897197962 CET	1.1.1.1	192.168.2.5	0x3ea2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.897197962 CET	1.1.1.1	192.168.2.5	0x3ea2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.897197962 CET	1.1.1.1	192.168.2.5	0x3ea2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.897212029 CET	1.1.1.1	192.168.2.5	0x8a6c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 1, 2024 17:50:40.907680035 CET	1.1.1.1	192.168.2.5	0xf15c	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:40.907680035 CET	1.1.1.1	192.168.2.5	0xf15c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.907680035 CET	1.1.1.1	192.168.2.5	0xf15c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.907680035 CET	1.1.1.1	192.168.2.5	0xf15c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.907680035 CET	1.1.1.1	192.168.2.5	0xf15c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.907763958 CET	1.1.1.1	192.168.2.5	0x78ac	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.924907923 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.924907923 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.924907923 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.924907923 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:40.924928904 CET	1.1.1.1	192.168.2.5	0xbfd3	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:53.507899046 CET	1.1.1.1	192.168.2.5	0x3540	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:53.507899046 CET	1.1.1.1	192.168.2.5	0x3540	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.672277927 CET	1.1.1.1	192.168.2.5	0x7dd2	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.672277927 CET	1.1.1.1	192.168.2.5	0x7dd2	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.672277927 CET	1.1.1.1	192.168.2.5	0x7dd2	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.672277927 CET	1.1.1.1	192.168.2.5	0x7dd2	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.682847023 CET	1.1.1.1	192.168.2.5	0x8cd1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.682847023 CET	1.1.1.1	192.168.2.5	0x8cd1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.682847023 CET	1.1.1.1	192.168.2.5	0x8cd1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.682847023 CET	1.1.1.1	192.168.2.5	0x8cd1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.691704035 CET	1.1.1.1	192.168.2.5	0x61fc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 17:50:57.691704035 CET	1.1.1.1	192.168.2.5	0x61fc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 17:50:57.691704035 CET	1.1.1.1	192.168.2.5	0x61fc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 17:50:57.691704035 CET	1.1.1.1	192.168.2.5	0x61fc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 17:50:57.957163095 CET	1.1.1.1	192.168.2.5	0xb53	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:57.957163095 CET	1.1.1.1	192.168.2.5	0xb53	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:57.965981007 CET	1.1.1.1	192.168.2.5	0x4b68	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:50:58.966824055 CET	1.1.1.1	192.168.2.5	0xf59b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:50:58.966824055 CET	1.1.1.1	192.168.2.5	0xf59b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:51:13.954417944 CET	1.1.1.1	192.168.2.5	0xdd63	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:51:27.667756081 CET	1.1.1.1	192.168.2.5	0xf25b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:51:54.723428965 CET	1.1.1.1	192.168.2.5	0x9525	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:51:55.345752954 CET	1.1.1.1	192.168.2.5	0xe305	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:51:55.345752954 CET	1.1.1.1	192.168.2.5	0xe305	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.350652933 CET	1.1.1.1	192.168.2.5	0x5c6b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.359141111 CET	1.1.1.1	192.168.2.5	0x690c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:15.979522943 CET	1.1.1.1	192.168.2.5	0x230b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 17:53:15.979522943 CET	1.1.1.1	192.168.2.5	0x230b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:53:28.421829939 CET	1.1.1.1	192.168.2.5	0x32a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	34.107.221.82	80	7784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 17:50:30.023518085 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:30.648773909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	7784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 17:50:31.363275051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:31.961673021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77717 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:32.443475962 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:32.568036079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77718 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:35.277240992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:35.401779890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77721 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:36.155586004 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:36.288376093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77722 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:36.627711058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:36.752250910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77722 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:36.794665098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:36.919107914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77722 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:37.194695950 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77722 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:37.428512096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:37.552953005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77723 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:43.289845943 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:43.564609051 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77729 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:49.536930084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:49.661843061 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77735 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:53.628591061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:53.753062010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77739 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:58.396361113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:58.520812035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77744 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:50:58.705264091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:50:58.830573082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77744 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:00.166860104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:51:00.304703951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77746 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:00.308715105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:51:00.435206890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77746 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:10.446423054 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:14.703996897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:51:14.829422951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77760 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:24.841519117 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:28.794329882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:51:29.110409975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77774 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:29.394265890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77774 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:51:39.114064932 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:49.128388882 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:55.510931969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:51:55.635582924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77801 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:52:05.644232035 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:15.651155949 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:25.901647091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:35.907963037 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:45.922585011 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:55.938311100 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:53:16.102714062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:53:16.228171110 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77882 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 17:53:29.164210081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 17:53:29.288503885 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 19:15:14 GMT Age: 77895 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	34.107.221.82	80	7784	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 17:50:31.363333941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:31.961580992 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80947 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:34.972887993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:35.099021912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80951 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:36.015147924 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:36.140002012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80952 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:36.501012087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:36.625278950 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80952 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:36.667376995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:36.791511059 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80952 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:37.300801039 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:37.425148964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80953 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:42.871027946 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:42.995496035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80958 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:49.402631998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:49.534421921 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80965 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:53.501034975 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:53.625541925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80969 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:58.267652988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:58.392294884 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80974 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:58.572103024 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:50:58.696578979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80974 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:50:58.956118107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:51:00.163990974 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80975 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:00.166184902 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80975 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:00.167161942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80975 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:00.172385931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80975 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:00.176781893 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:51:00.305455923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80976 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:10.314929962 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:14.575922966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:51:14.700556040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 80990 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:24.703526020 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:28.357563972 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:51:28.481714964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 81004 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:51:38.481522083 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:48.511028051 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:51:55.338851929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:51:55.507025957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 81031 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:52:05.521810055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:15.534117937 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:25.547323942 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:35.560259104 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:45.568556070 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:52:55.596896887 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 17:53:15.971798897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:53:16.098494053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 81112 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 17:53:29.036081076 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 17:53:29.160571098 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 81125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	12:50:21
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcb0000
File size:	919'552 bytes
MD5 hash:	938163B1C71B86D749CC0B79C28D09DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:50:22
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:50:22
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:50:24
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:50:25
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:50:25
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:50:25
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:50:25
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:50:25
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:50:26
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2104 -prefMapHandle 2072 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060f3b44-7a9e-4fd0-86fa-81f240170137} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec1406eb10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:50:28
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20230927232528 -prefsHandle 4184 -prefMapHandle 4072 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aed0bda-8726-46e7-8fa9-e811e3e6a8dd} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec238b9910 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:50:34
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8a9153-fef6-4864-8611-95578e74777b} 7784 "\\.\pipe\gecko-crash-server-pipe.7784" 1ec2ce31110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1545
Total number of Limit Nodes:	67

Executed Functions

Function 00CB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CB430D

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

GetCurrentProcess.KERNEL32(?,00D4CB64,00000000,?,?), ref: 00CB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CB4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00CB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CB44A0

Strings

|O, xrefs: 00CF36F8
kernel32.dll, xrefs: 00CB444F
GetNativeSystemInfo, xrefs: 00CB4460

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0823085229b336285242525327ac7cb7533de1385d19bc77f6edd1e9bdc08d51
Instruction ID: 7a58aa119b28bde18eed74462b498a76393cd6a63c349c4a259fc8ab9a8e982c
Opcode Fuzzy Hash: 0823085229b336285242525327ac7cb7533de1385d19bc77f6edd1e9bdc08d51
Instruction Fuzzy Hash: 6CA1917E93E3C4EFC716DB697C411E57FAC6B26740B085899E081D3B22D2614A0EDB32

Function 00CB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CB50AA,?,?,00000000,00000000), ref: 00CB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CB50AA,?,?,00000000,00000000), ref: 00CB42C9
LoadResource.KERNEL32(?,00000000,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20), ref: 00CF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20), ref: 00CF35D3
LockResource.KERNEL32(00CB50AA,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20,?), ref: 00CF35E6

Strings

SCRIPT, xrefs: 00CB42BF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2a4b07e74bb5403f67cbcf842e87c50bf61e9a5ac54249b9e02f3bf5aec61a4b
Instruction ID: d77471d7cc93a751cf0b96ba3a730ce6788b27d990166107abdadf92b6bfb7cb
Opcode Fuzzy Hash: 2a4b07e74bb5403f67cbcf842e87c50bf61e9a5ac54249b9e02f3bf5aec61a4b
Instruction Fuzzy Hash: 69118E74201700BFEB258FA5DC89F677BB9EBC6B51F144169F412DA260DBB1DD009631

Function 00CF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CB2B6B

Part of subcall function 00CB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D81418,?,00CB2E7F,?,?,?,00000000), ref: 00CB3A78

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D72224), ref: 00CF2C10
ShellExecuteW.SHELL32(00000000,?,?,00D72224), ref: 00CF2C17

Strings

runas, xrefs: 00CF2C0B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 96e0414a4b839d8bc27e8212bbc8f26f7a021a976ebd467d667c18ecfd64fbb6
Instruction ID: 4ce0196ec84998e520c102abdbba401357ed0113be1669675760732be6afebea
Opcode Fuzzy Hash: 96e0414a4b839d8bc27e8212bbc8f26f7a021a976ebd467d667c18ecfd64fbb6
Instruction Fuzzy Hash: D711BE31208385ABC714FF64D8929FEBBA8AB91700F44142DF196521A2DF218A4EA723

Function 00D1D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D1D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D1D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D1D52F
CloseHandle.KERNELBASE(00000000), ref: 00D1D5DC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e50a5e144a56e0ea3727c5cafe935705aa83878bae604a0a0eeff58e9732c43c
Instruction ID: 4de3b29042e1758ed0e523f7acd5954589805577d872c50f9fa633a31c38d19d
Opcode Fuzzy Hash: e50a5e144a56e0ea3727c5cafe935705aa83878bae604a0a0eeff58e9732c43c
Instruction Fuzzy Hash: E031A271108300AFD300EF54D885AEFBBF9EF9A354F14092DF585861A1EF719985DBA2

Function 00D1DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00CF5222), ref: 00D1DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D1DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00D1DBEE
FindClose.KERNEL32(00000000), ref: 00D1DBFA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 95f0a77237c5c67e00ca71e1480eb0573afb94a181bbf721d46c8b267f4ad5f2
Instruction ID: 3a49b4dfafdbf82eeeb64e07e17b01a01d472b33afe00d04df328eef6a201571
Opcode Fuzzy Hash: 95f0a77237c5c67e00ca71e1480eb0573afb94a181bbf721d46c8b267f4ad5f2
Instruction Fuzzy Hash: C4F0A734421A106782206FB8AC4D4EA377E9E06334B144B02F575C11E0EFF05994C5F9

Function 00CD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000,?,00CE28E9), ref: 00CD4D09
TerminateProcess.KERNEL32(00000000,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000,?,00CE28E9), ref: 00CD4D10
ExitProcess.KERNEL32 ref: 00CD4D22

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8e84e7606bd8b99796f0d879a9d02d892b7c400ce9d0d6db8d7239ec71fc1732
Instruction ID: aab6652ba8f3e74a0a0d3657421e26e5431bbe5c25cea83a470f31b681c3b6ae
Opcode Fuzzy Hash: 8e84e7606bd8b99796f0d879a9d02d892b7c400ce9d0d6db8d7239ec71fc1732
Instruction Fuzzy Hash: 68E0B635011288ABCF65AF64DD0DA583B6AFB42781B144015FE15CB322CB35EE42DA90

Function 00D3AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D3B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B1D4
_wcslen.LIBCMT ref: 00D3B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B236
_wcslen.LIBCMT ref: 00D3B332

Part of subcall function 00D205A7: GetStdHandle.KERNEL32(000000F6), ref: 00D205C6

_wcslen.LIBCMT ref: 00D3B34B
_wcslen.LIBCMT ref: 00D3B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D3B3B6
GetLastError.KERNEL32(00000000), ref: 00D3B407
CloseHandle.KERNEL32(?), ref: 00D3B439
CloseHandle.KERNEL32(00000000), ref: 00D3B44A
CloseHandle.KERNEL32(00000000), ref: 00D3B45C
CloseHandle.KERNEL32(00000000), ref: 00D3B46E
CloseHandle.KERNEL32(?), ref: 00D3B4E3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4bdc9bdffd865da2bfe05adf900f6071e07d8c6a75ef3ac026041b3ca9def583
Instruction ID: d109858e16eba8791f6960bcc45675ec202544a5dd9f2ecc305798ecec318ab1
Opcode Fuzzy Hash: 4bdc9bdffd865da2bfe05adf900f6071e07d8c6a75ef3ac026041b3ca9def583
Instruction Fuzzy Hash: 8EF18F316043009FC724EF24C891B6EBBE5EF85324F18855EF9959B2A2DB31EC45DB62

Function 00CBD733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CBD807
timeGetTime.WINMM ref: 00CBDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB28
TranslateMessage.USER32(?), ref: 00CBDB7B
DispatchMessageW.USER32(?), ref: 00CBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB9F
Sleep.KERNELBASE(0000000A), ref: 00CBDBB1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3425516913d6ad04bfaa96e56d0c284eeabf1303b1c40cda9a9e73e4c7b2fb1c
Instruction ID: 554b2154b5a2b0402df97c86857bc111cde694f55fd425bd8d3409af90e91dca
Opcode Fuzzy Hash: 3425516913d6ad04bfaa96e56d0c284eeabf1303b1c40cda9a9e73e4c7b2fb1c
Instruction Fuzzy Hash: BE42E330605341EFD728CF24C898BBAB7E4FF45304F18455DE4AA87291EB71E944DBA2

Function 00CB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB2D07
RegisterClassExW.USER32(00000030), ref: 00CB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB2D6F
LoadIconW.USER32(000000A9), ref: 00CB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB2D94

Strings

+, xrefs: 00CB2CF0
TaskbarCreated, xrefs: 00CB2D37
0, xrefs: 00CB2CE9
AutoIt v3 GUI, xrefs: 00CB2D23

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ac874d7901126dfb7b77c2dfd3cf5c62130b3e49b17d6ae374f900d926ed0a2b
Instruction ID: 665adf4b98dfa03e90d75937047d70dd42609612885f122aed75d9d47d575d0f
Opcode Fuzzy Hash: ac874d7901126dfb7b77c2dfd3cf5c62130b3e49b17d6ae374f900d926ed0a2b
Instruction Fuzzy Hash: 5421E5B9922308AFDB40EFA4E849BDDBBB8FB09700F10511AF511E63A0D7B10545CFA0

Function 00CF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CF0704,?,?,00000000,?,00CF0704,00000000,0000000C), ref: 00CF03B7

GetLastError.KERNEL32 ref: 00CF076F
__dosmaperr.LIBCMT ref: 00CF0776
GetFileType.KERNELBASE(00000000), ref: 00CF0782
GetLastError.KERNEL32 ref: 00CF078C
__dosmaperr.LIBCMT ref: 00CF0795
CloseHandle.KERNEL32(00000000), ref: 00CF07B5
CloseHandle.KERNEL32(?), ref: 00CF08FF
GetLastError.KERNEL32 ref: 00CF0931
__dosmaperr.LIBCMT ref: 00CF0938

Strings

H, xrefs: 00CF08BD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1c3d9c23d1624c154354e5136aeb853133e23b5b9f76d915419699dacd15a4a3
Instruction ID: c8507e2eeed7a19fa4e13fba79f0564a5435e9d76c065e29556b5d5dfb647bf3
Opcode Fuzzy Hash: 1c3d9c23d1624c154354e5136aeb853133e23b5b9f76d915419699dacd15a4a3
Instruction Fuzzy Hash: 31A11832A101088FDF59AF68D8517BE7BA0AF06320F24415EFA15DF3D2D7319916DBA2

Function 00CB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D81418,?,00CB2E7F,?,?,?,00000000), ref: 00CB3A78

Part of subcall function 00CB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CB3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CF31CE
RegCloseKey.ADVAPI32(?), ref: 00CF3210
_wcslen.LIBCMT ref: 00CF3277
_wcslen.LIBCMT ref: 00CF3286

Strings

\Include\, xrefs: 00CB3527
Include, xrefs: 00CF3184, 00CF31C5
Software\AutoIt v3\AutoIt, xrefs: 00CB3560
\, xrefs: 00CF328C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: fe6a3eb7fc59efea91e2511e728faa75cfc232d9137ca5b7f59c148d2ba45129
Instruction ID: f39212bdb8a6428da3d89083079d1b2567430b03117aeb1457b8fd4469997db3
Opcode Fuzzy Hash: fe6a3eb7fc59efea91e2511e728faa75cfc232d9137ca5b7f59c148d2ba45129
Instruction Fuzzy Hash: 89717B71415304AEC314EF69EC919BBBBE8FF85740F40042EF545D32A1EB359A48DB62

Function 00CB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CB2B9D
LoadIconW.USER32(00000063), ref: 00CB2BB3
LoadIconW.USER32(000000A4), ref: 00CB2BC5
LoadIconW.USER32(000000A2), ref: 00CB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CB2BEF
RegisterClassExW.USER32(?), ref: 00CB2C40

Part of subcall function 00CB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CB2D07
Part of subcall function 00CB2CD4: RegisterClassExW.USER32(00000030), ref: 00CB2D31
Part of subcall function 00CB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB2D42
Part of subcall function 00CB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CB2D5F
Part of subcall function 00CB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB2D6F
Part of subcall function 00CB2CD4: LoadIconW.USER32(000000A9), ref: 00CB2D85
Part of subcall function 00CB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB2D94

Strings

#, xrefs: 00CB2C16
0, xrefs: 00CB2C0F
AutoIt v3, xrefs: 00CB2C2F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4e200a3e0cd75400b2e07fb9d23a2edb027d9d3a92d28ff14f177d3b3ced76a3
Instruction ID: 1fe6ed15ba7d86b1292052669bea14d889fc55a7d0b51292001cbd3468953f37
Opcode Fuzzy Hash: 4e200a3e0cd75400b2e07fb9d23a2edb027d9d3a92d28ff14f177d3b3ced76a3
Instruction Fuzzy Hash: 84212978E21318ABDB109FA5EC55AED7FB8FB48B50F10001AE500E67A0D7B11549CFA0

Function 00CB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CB316A,?,?), ref: 00CB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CB316A,?,?), ref: 00CB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CB316A,?,?), ref: 00CB3232
CreatePopupMenu.USER32 ref: 00CB3246
PostQuitMessage.USER32(00000000), ref: 00CB3267

Strings

TaskbarCreated, xrefs: 00CB322D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 0fffca7991ac7ff1b9d36801b4bd61445947581dac78a328fead2bd55caaf30b
Instruction ID: 06f3481ad6d4bcdcc4fc67a7b1f775fc5fbd4d991decdbe2d7fa16eed5639feb
Opcode Fuzzy Hash: 0fffca7991ac7ff1b9d36801b4bd61445947581dac78a328fead2bd55caaf30b
Instruction Fuzzy Hash: B241E7392A0388A7DF156B7CDD1ABFD3A1DEB05340F040115F921D63A2DB719B459772

Function 00CB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CB1459
CoUninitialize.COMBASE ref: 00CB14F8
UnregisterHotKey.USER32(?), ref: 00CB16DD
DestroyWindow.USER32(?), ref: 00CF24B9
FreeLibrary.KERNEL32(?), ref: 00CF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CF254B

Strings

close all, xrefs: 00CB1454

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 177ef6e5c202bb9eb3ade7f75ba97fb454cc9a9a75e9d269654ffe06bf2b384d
Instruction ID: d969daeef739378a5d82438044e90d603202f90ef0a27210194af6ea68076bcd
Opcode Fuzzy Hash: 177ef6e5c202bb9eb3ade7f75ba97fb454cc9a9a75e9d269654ffe06bf2b384d
Instruction Fuzzy Hash: B4D17E31702212CFCB69EF15C4A5B69F7A5FF05700F5841ADE94AAB251CB31AD12CF51

Function 00CB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CB1CAD,?), ref: 00CB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CB1CAD,?), ref: 00CB2CCF

Strings

edit, xrefs: 00CB2CAC
AutoIt v3, xrefs: 00CB2C89, 00CB2C8E, 00CB2C8F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 968e6873f9edae4647784ab04a6d1d7b060a3025e73e405838d4ec1aaa4143b8
Instruction ID: f94a8d2662ff96068ba38ee73201a1a5820ec7eeadc5df9e90087ff45385ff2c
Opcode Fuzzy Hash: 968e6873f9edae4647784ab04a6d1d7b060a3025e73e405838d4ec1aaa4143b8
Instruction Fuzzy Hash: C8F0B7795613907BEB611B57AC08EB72EBDD7C6F50B00105AF900E26A0C665185ADFB0

Function 00CB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B83

Strings

Control Panel\Mouse, xrefs: 00CB3B3E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 65eb83b2a59f13b3202e7847af9e913a9632f8e64f7ec412ec590098a31e8cf0
Instruction ID: b6d539c170f6c981422aa8a3412ffff3269820a4387fdc7c41c28de61880a8b0
Opcode Fuzzy Hash: 65eb83b2a59f13b3202e7847af9e913a9632f8e64f7ec412ec590098a31e8cf0
Instruction Fuzzy Hash: 7F1127B5621248FFDB208FA5DC84AEEBBB8EF05745F10856AA805D7214E6319F409BA0

Function 00CB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CF33A2

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CB3A04

Strings

Line: , xrefs: 00CF33EB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: bc870816cd06ec59bb39d2575872d83f8e9d814bad20b8236e7b15e13f365972
Instruction ID: a418daf5bb20f3dbb3081a1b32b1da8d51baf3ef5e1e125235b3a871e10a4641
Opcode Fuzzy Hash: bc870816cd06ec59bb39d2575872d83f8e9d814bad20b8236e7b15e13f365972
Instruction Fuzzy Hash: FC31C171448344ABC325EB20DC45BEBB7ECAB80710F10452AF599821A1EB709B4ED7D2

Function 00CCFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CD0668

Part of subcall function 00CD32A4: RaiseException.KERNEL32(?,?,?,00CD068A,?,00D81444,?,?,?,?,?,?,00CD068A,00CB1129,00D78738,00CB1129), ref: 00CD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CD0685

Strings

Unknown exception, xrefs: 00CD0692

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 04062b1cc174dd505f4659210e611cd027688236fc066975a964cc5eaf526491
Instruction ID: 988abd58e34ade988d981dce1f066ca0440a168b47c082e7a1dba293e11dc0a9
Opcode Fuzzy Hash: 04062b1cc174dd505f4659210e611cd027688236fc066975a964cc5eaf526491
Instruction Fuzzy Hash: 12F0A434900249778B04BA69E84AE5D776D5E00350B70413ABA2896692EF71DB169591

Function 00CB10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB1BF4
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB1BFC
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB1C07
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB1C12
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB1C1A
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB1C22

Part of subcall function 00CB1B4A: RegisterWindowMessageW.USER32(00000004,?,00CB12C4), ref: 00CB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CB136A
OleInitialize.OLE32 ref: 00CB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CF24AB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3ec72773dffeebb489c27e222ddde738eb4930db828eb07f8d867ba1fe1e4ae5
Instruction ID: 4445c26a254bde54042e822afab60cd579a136a6e994ed12918cd120df0965d8
Opcode Fuzzy Hash: 3ec72773dffeebb489c27e222ddde738eb4930db828eb07f8d867ba1fe1e4ae5
Instruction Fuzzy Hash: 75718CBC9213009FC384EF7AE8566953AFCFB89344B5486AAD44AD7361EB30440E9F75

Function 00D1C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CB3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D1C259
KillTimer.USER32(?,00000001,?,?), ref: 00D1C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D1C270

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ab7b9c4112eba92a977517545b3b85dba9f6e7a0fe64095b8edf7932f12fa5ca
Instruction ID: 5daaf73a739c2bcf4eedc9832dd771ea59a457074002d7c7cbe7f740e6e402da
Opcode Fuzzy Hash: ab7b9c4112eba92a977517545b3b85dba9f6e7a0fe64095b8edf7932f12fa5ca
Instruction Fuzzy Hash: 7131E370950344BFEB328F649845BEBBBEC9B06308F04109ED2DA93241CB745AC8CB65

Function 00CE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00CE85CC,?,00D78CC8,0000000C), ref: 00CE8704
GetLastError.KERNEL32(?,00CE85CC,?,00D78CC8,0000000C), ref: 00CE870E
__dosmaperr.LIBCMT ref: 00CE8739

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fd72aca83a6329d09cee2b0a4f3a6224322e5b8d31eb8e11284fffb637c20f11
Instruction ID: 1df5389f93efa75fdc0087dfb4cd64ec03c7db94601d03bd3a9e1ca6b9087efa
Opcode Fuzzy Hash: fd72aca83a6329d09cee2b0a4f3a6224322e5b8d31eb8e11284fffb637c20f11
Instruction Fuzzy Hash: 06018E336156E017C2606737684677E7B4D4F82778F390119F92CCB1E2DEA0CD89D260

Function 00CBDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00CBDB7B
DispatchMessageW.USER32(?), ref: 00CBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB9F
Sleep.KERNELBASE(0000000A), ref: 00CBDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00D01CC9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3574a36dda5b26bf91cea721d5dc1d2bfc70e1e167ebafecbd2d52a2064f4a58
Instruction ID: 2ace7b404421e0ab1cc5b9eef4a66e2bbbe0804105f358115acc8b8bfb7e15de
Opcode Fuzzy Hash: 3574a36dda5b26bf91cea721d5dc1d2bfc70e1e167ebafecbd2d52a2064f4a58
Instruction Fuzzy Hash: E1F05E346553409BEB70CB60CC49FEA73BCEB45311F504618E65AD31C0EB3094898B35

Function 00CC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CC17F6

Strings

CALL, xrefs: 00CC17C6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: cc464617133e6400024978ee7376a86130002745df4cbcec0daea077dabf3a77
Instruction ID: affbc643892b96123180fd229898eea3d376b4716fad484325d1b6f231e15dc0
Opcode Fuzzy Hash: cc464617133e6400024978ee7376a86130002745df4cbcec0daea077dabf3a77
Instruction Fuzzy Hash: 97226B706082019FC714DF16C494F2ABBF1BF86314F28895DF89A8B3A2D731E955DB92

Function 00CB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CF2C8C

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00CB2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB2DC4

Strings

X, xrefs: 00CF2C5A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 560f32af8a6cef71373cc74a074540d664d161d52e50e6a324c5b5acf86b67bc
Instruction ID: 91f09702ab792c5756787df73cc8af2d837a873dfc29f20179d5803ef7b22346
Opcode Fuzzy Hash: 560f32af8a6cef71373cc74a074540d664d161d52e50e6a324c5b5acf86b67bc
Instruction Fuzzy Hash: 4A219371A102989BDB41DF94C845BEE7BFCAF49704F008059E509A7341EBB49A499F61

Function 00CB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB3908

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 89ebb1daaf6f6a6a896fc0f2439173681ea031e9b0ea48e369b034b62e196314
Instruction ID: a7733768fcb1de60c9a98a3019633132ced56720404350c24c60b99ac3a36546
Opcode Fuzzy Hash: 89ebb1daaf6f6a6a896fc0f2439173681ea031e9b0ea48e369b034b62e196314
Instruction Fuzzy Hash: 48316B74A047419FD761DF24D8847D7BBE8FB49708F00092EF6A987290E771AA49CB62

Function 00CCF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CCF661

Part of subcall function 00CBD733: GetInputState.USER32 ref: 00CBD807

Sleep.KERNEL32(00000000), ref: 00D0F2DE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: c3140cfc9119b7c1bce7eac3149c5c7d285ed838278b4f01af521e1b2dd3d2e6
Instruction ID: f454e875d845b14be3ffa9e9ca41336d9c61399ed64a99e90a4384fc718cb944
Opcode Fuzzy Hash: c3140cfc9119b7c1bce7eac3149c5c7d285ed838278b4f01af521e1b2dd3d2e6
Instruction Fuzzy Hash: 36F08C35240305AFD360EF79D449BAAB7E8EF46760F000029F85AC73A0DBB0AC00CBA1

Function 00CBB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CBBB4E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ac73b2dfd4f62b5cb894f170883f9e00ceb56b49a63f8c306e7d3ccf011d7591
Instruction ID: c8b8ddc90a804604125659ccb5200962ac390c4bffa0b107d87fddd7a941b357
Opcode Fuzzy Hash: ac73b2dfd4f62b5cb894f170883f9e00ceb56b49a63f8c306e7d3ccf011d7591
Instruction Fuzzy Hash: 5A328E74A00209EFDB14CF55C894BBEBBB5EF44310F188059E959AB3A1C7B5EE41CBA1

Function 00CB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E9C
Part of subcall function 00CB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CB4EAE
Part of subcall function 00CB4E90: FreeLibrary.KERNEL32(00000000,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EFD

Part of subcall function 00CB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E62
Part of subcall function 00CB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CB4E74
Part of subcall function 00CB4E59: FreeLibrary.KERNEL32(00000000,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E87

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7d348e9c3554d40429a384477e799e1367357050d22e46589f7f3fa5a2f46d30
Instruction ID: 5a85a5bb91fa504d1e2fc308d9a32688ee14830bd70a428ea7d69430636a73b6
Opcode Fuzzy Hash: 7d348e9c3554d40429a384477e799e1367357050d22e46589f7f3fa5a2f46d30
Instruction Fuzzy Hash: 0A11C432614205ABCF18BBA4DC02BFE77A59F40710F104429F542A71C2EE70DE45A760

Function 00CE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CE8440

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a1745549dff80c1cac675a24f77a755dc6750f8dd5ce35aebac334a72d463b6f
Instruction ID: 6ac58364871d4d3e50826350aad330764273dc3d4de98bef903f6f8cf4ef84a0
Opcode Fuzzy Hash: a1745549dff80c1cac675a24f77a755dc6750f8dd5ce35aebac334a72d463b6f
Instruction Fuzzy Hash: AB11487190420AAFCB05DF59E94099E7BF4EF48310F104059F808AB352DA30EA15CBA5

Function 00CE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE4C7D: RtlAllocateHeap.NTDLL(00000008,00CB1129,00000000,?,00CE2E29,00000001,00000364,?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?), ref: 00CE4CBE

_free.LIBCMT ref: 00CE506C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: aa3366b70a29955f7a057b0180e81a7196aee893612dde1528f93e3567efd73f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 390126722047846BE3218E669885A5AFBECFB89370F25051DF194832C0EA70A905C6B4

Function 00CDE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: f05a4f1ca0d0c7a9c5a5fcc8ea0b5c7c46ef4f031328b464f0a9ddf3ff693029
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C5F0F432510A1896C6313A6B8C05B9A339C9F52334F10071BF6259A3D2DB74E907A6A5

Function 00CE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00CB1129,00000000,?,00CE2E29,00000001,00000364,?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?), ref: 00CE4CBE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aa0330cea4865b0897b1408e975fad2f0c13426fe502b6d9262a926ca959fd92
Instruction ID: 3452c03550955508b56a62a4554ec904138e9d5c925798659fa4a0d8750bfb1d
Opcode Fuzzy Hash: aa0330cea4865b0897b1408e975fad2f0c13426fe502b6d9262a926ca959fd92
Instruction Fuzzy Hash: F8F0E2316032A467DB295F679C09B5A3788BF817A0B344126BA2AEB790CA30D90196E0

Function 00CE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7ca1a649e57692edf6cc8f582284577ca8a51095419ae2c6906361ca3a7e08ef
Instruction ID: c2d9bc6337887ed0c00163cdf27fee814961582e717feba556d101624578b758
Opcode Fuzzy Hash: 7ca1a649e57692edf6cc8f582284577ca8a51095419ae2c6906361ca3a7e08ef
Instruction Fuzzy Hash: CEE0E5312012E467D7312AA79C09B9A3748AB827B4F050123BE25976D0CB20FF0192F0

Function 00CB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4F6D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d587750582e523508b8a3e704da259042e4081104b02cb65f76f35220ab28a49
Instruction ID: 371810bc6bd8e087aeeefe976e279b5b939894eef31cf790bbb747b89c1aa12a
Opcode Fuzzy Hash: d587750582e523508b8a3e704da259042e4081104b02cb65f76f35220ab28a49
Instruction Fuzzy Hash: E1F03971509752CFDB38AFA5D4908A2BBF4EF14329720897EE2EA83622C7319C44DF10

Function 00D42A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D42A66

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: a9ad8a6b4f9514da3d1bb963b608a51b9c0d8967b1079b57c7c0005597c6bc24
Instruction ID: c53ad82dd5d4011791d8c39b8bc96ce7c8ba6e039f9ac51a9c9f18bedd1e7dc4
Opcode Fuzzy Hash: a9ad8a6b4f9514da3d1bb963b608a51b9c0d8967b1079b57c7c0005597c6bc24
Instruction Fuzzy Hash: CCE04F36360226BBC754EB30FC858FA735CEB613957508536BC56C3110DF30DA9686B0

Function 00CB30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CB314E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7c23dc2e50363a2333801fcca590af2b259eb66f948b84cc057dfc0142465c5e
Instruction ID: 2291cb5e761674f06180c102cb570a9293c91a123a318ac8040f882e2b195d27
Opcode Fuzzy Hash: 7c23dc2e50363a2333801fcca590af2b259eb66f948b84cc057dfc0142465c5e
Instruction Fuzzy Hash: 7CF037749143549FE7529F64DC467D97BBCA701708F0000E9A648D6391E7745B89CF61

Function 00CB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB2DC4

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: df1559b053c988b51f0e234bf4b26cbc7cf9aba3bf1d64a97076b4028a957851
Instruction ID: 88cd8a190c56394bacf683fda01a83459860ac081c7acd67d1366c1a01e66ea8
Opcode Fuzzy Hash: df1559b053c988b51f0e234bf4b26cbc7cf9aba3bf1d64a97076b4028a957851
Instruction Fuzzy Hash: 06E0CD766012245BC710D698DC05FEA77EDDFC8790F040071FD09D7248D9A4AD809551

Function 00CB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB3908

Part of subcall function 00CBD733: GetInputState.USER32 ref: 00CBD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CB2B6B

Part of subcall function 00CB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CB314E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3162aaddb7d73adb7c5c0efa56c9783a5f1f37407f7e455a25f6eca99a167460
Instruction ID: 8d77ca7b4c68eac29c26a403139c68e204eb34de6d1160b61795ca22ce3d5cd6
Opcode Fuzzy Hash: 3162aaddb7d73adb7c5c0efa56c9783a5f1f37407f7e455a25f6eca99a167460
Instruction Fuzzy Hash: 2DE0862530428407CA04BB74A8565EDA7599BD1751F40153EF143872A3DE254A4A5362

Function 00CF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CF0704,?,?,00000000,?,00CF0704,00000000,0000000C), ref: 00CF03B7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4cbc7b217a6b666709883b23a6143d1478007c5493318ef03654fbf34ebdb9f
Instruction ID: 04fb20b538360f996cd1eb855a26e1ca83c32b052fa924a3dc478606c3a2f781
Opcode Fuzzy Hash: a4cbc7b217a6b666709883b23a6143d1478007c5493318ef03654fbf34ebdb9f
Instruction Fuzzy Hash: 67D06C3205024DBBDF028F84DD06EDA3BAAFB48714F014000BE1896120C732E821AB90

Function 00CB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CB1CBC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0a7f51076eef21e987fdda40668e96e61e8c2add31553e098cc88ae21312e4a5
Instruction ID: a032e0fbdda815dcf8252e879a347d7bc7ffd37f418a72f003e43c25a2c008c9
Opcode Fuzzy Hash: 0a7f51076eef21e987fdda40668e96e61e8c2add31553e098cc88ae21312e4a5
Instruction Fuzzy Hash: 65C09B392E03049FF2144B80FC4AF647764A348B00F044001F709D57E3C3A12410D770

Non-executed Functions

Function 00D49576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D4961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D4965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D4969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D496C9
SendMessageW.USER32 ref: 00D496F2
GetKeyState.USER32(00000011), ref: 00D4978B
GetKeyState.USER32(00000009), ref: 00D49798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D497AE
GetKeyState.USER32(00000010), ref: 00D497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D497E9
SendMessageW.USER32 ref: 00D49810
SendMessageW.USER32(?,00001030,?,00D47E95), ref: 00D49918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D4992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D49941
SetCapture.USER32(?), ref: 00D4994A
ClientToScreen.USER32(?,?), ref: 00D499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D499D6
ReleaseCapture.USER32 ref: 00D499E1
GetCursorPos.USER32(?), ref: 00D49A19
ScreenToClient.USER32(?,?), ref: 00D49A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D49A80
SendMessageW.USER32 ref: 00D49AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D49AEB
SendMessageW.USER32 ref: 00D49B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D49B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D49B4A
GetCursorPos.USER32(?), ref: 00D49B68
ScreenToClient.USER32(?,?), ref: 00D49B75
GetParent.USER32(?), ref: 00D49B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D49BFA
SendMessageW.USER32 ref: 00D49C2B
ClientToScreen.USER32(?,?), ref: 00D49C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D49CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D49CDE
SendMessageW.USER32 ref: 00D49D01
ClientToScreen.USER32(?,?), ref: 00D49D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D49D82

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

GetWindowLongW.USER32(?,000000F0), ref: 00D49E05

Strings

@GUI_DRAGID, xrefs: 00D4997D
F, xrefs: 00D49D07

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 3a3821383ea48523a3369e285978491c87d1b1a84a213fcff0ca3869f435323b
Instruction ID: cd8d2e333d550a6b4b5c7ac7809a7b13962d60ba6c9aacb43cc1d60d6af89158
Opcode Fuzzy Hash: 3a3821383ea48523a3369e285978491c87d1b1a84a213fcff0ca3869f435323b
Instruction Fuzzy Hash: 34428934205301AFDB20DF25CCA4EABBBE9EF49310F194619F6A9872A1D731E855CF61

Function 00D44873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D44908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D44927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D4494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D4495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D4497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D44A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D44A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D44A7E
IsMenu.USER32(?), ref: 00D44A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D44AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D44B20
GetWindowLongW.USER32(?,000000F0), ref: 00D44B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D44BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D44C82
wsprintfW.USER32 ref: 00D44CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D44CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D44CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D44D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D44D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D44D5A

Strings

%d/%02d/%02d, xrefs: 00D44CA8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7c5e0b6066cb1c228e7a1a420c6195b972e215a54fbdc099bba96f5584252d2b
Instruction ID: 9eea34ed6fb8af273df97547118ad6a18b8214e76786476557689505e1425e5c
Opcode Fuzzy Hash: 7c5e0b6066cb1c228e7a1a420c6195b972e215a54fbdc099bba96f5584252d2b
Instruction Fuzzy Hash: 8612DF71600314ABEB259F24CC49FAE7BF8EF45710F188129F916EA2E1DB74D985CB60

Function 00CCF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CCF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0F474
IsIconic.USER32(00000000), ref: 00D0F47D
ShowWindow.USER32(00000000,00000009), ref: 00D0F48A
SetForegroundWindow.USER32(00000000), ref: 00D0F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D0F4AA
GetCurrentThreadId.KERNEL32 ref: 00D0F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D0F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D0F4DE
SetForegroundWindow.USER32(00000000), ref: 00D0F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F4F6
keybd_event.USER32(00000012,00000000), ref: 00D0F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F50B
keybd_event.USER32(00000012,00000000), ref: 00D0F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F519
keybd_event.USER32(00000012,00000000), ref: 00D0F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F528
keybd_event.USER32(00000012,00000000), ref: 00D0F52D
SetForegroundWindow.USER32(00000000), ref: 00D0F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D0F557

Strings

Shell_TrayWnd, xrefs: 00D0F46F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7577eea93e1d585bd1fa008cdd4c54d8f84582ec237152c36b3c4aa2a214bcbd
Instruction ID: 82df9588293d383ebcee0b6255dca173bc86fd91d35f48dd66135c49eaa62666
Opcode Fuzzy Hash: 7577eea93e1d585bd1fa008cdd4c54d8f84582ec237152c36b3c4aa2a214bcbd
Instruction Fuzzy Hash: 42316375A51318BBEB306FB59C4AFBF7E6CEB45B50F241025FA04E62D1C6B09D00AA70

Function 00D11201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
Part of subcall function 00D116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
Part of subcall function 00D116C3: GetLastError.KERNEL32 ref: 00D1174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D11286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D112A8
CloseHandle.KERNEL32(?), ref: 00D112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D112D1
GetProcessWindowStation.USER32 ref: 00D112EA
SetProcessWindowStation.USER32(00000000), ref: 00D112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D11310

Part of subcall function 00D110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D111FC), ref: 00D110D4
Part of subcall function 00D110BF: CloseHandle.KERNEL32(?,?,00D111FC), ref: 00D110E9

Strings

, xrefs: 00D1125A
winsta0, xrefs: 00D112CC
default, xrefs: 00D1130B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: bb35f094f0c095f8270f7d1c3a2c900433b5cd6463330e6c7362853855e9c5f6
Instruction ID: 4e20cd7148c187908202f53e2ec8d3eec255ee7f12cc8478fea61a33c4dfe8c1
Opcode Fuzzy Hash: bb35f094f0c095f8270f7d1c3a2c900433b5cd6463330e6c7362853855e9c5f6
Instruction Fuzzy Hash: EB818D75A00309BBDF109FA4EC49BEE7BB9EF05704F184129FA10E62A1DB718984CB31

Function 00D10B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
Part of subcall function 00D110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
Part of subcall function 00D110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
Part of subcall function 00D110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D10BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D10C00
GetLengthSid.ADVAPI32(?), ref: 00D10C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D10C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D10C6D
GetLengthSid.ADVAPI32(?), ref: 00D10C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D10C8C
HeapAlloc.KERNEL32(00000000), ref: 00D10C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D10CB4
CopySid.ADVAPI32(00000000), ref: 00D10CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D10CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D10D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D10D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D45
HeapFree.KERNEL32(00000000), ref: 00D10D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D55
HeapFree.KERNEL32(00000000), ref: 00D10D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D65
HeapFree.KERNEL32(00000000), ref: 00D10D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D10D78
HeapFree.KERNEL32(00000000), ref: 00D10D7F

Part of subcall function 00D11193: GetProcessHeap.KERNEL32(00000008,00D10BB1,?,00000000,?,00D10BB1,?), ref: 00D111A1
Part of subcall function 00D11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D10BB1,?), ref: 00D111A8
Part of subcall function 00D11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D10BB1,?), ref: 00D111B7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 798bd35adfae9e67ca55f01c147a039b8f9755f595fcfaf9380f496deeec79a1
Instruction ID: 5c5d77362d2dc7170a09c2b788e363fce3409b3e57bdc64cca84ca4f4a61a97a
Opcode Fuzzy Hash: 798bd35adfae9e67ca55f01c147a039b8f9755f595fcfaf9380f496deeec79a1
Instruction Fuzzy Hash: 1F715F75A0120ABBDF10EFA4EC44BEEBBBDBF05300F084515E914E6251DBB1A985CB70

Function 00D2EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D4CC08), ref: 00D2EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D2EB37
GetClipboardData.USER32(0000000D), ref: 00D2EB43
CloseClipboard.USER32 ref: 00D2EB4F
GlobalLock.KERNEL32(00000000), ref: 00D2EB87
CloseClipboard.USER32 ref: 00D2EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D2EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D2EBC9
GetClipboardData.USER32(00000001), ref: 00D2EBD1
GlobalLock.KERNEL32(00000000), ref: 00D2EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D2EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D2EC38
GetClipboardData.USER32(0000000F), ref: 00D2EC44
GlobalLock.KERNEL32(00000000), ref: 00D2EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D2EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D2EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D2ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D2ECF3
CountClipboardFormats.USER32 ref: 00D2ED14
CloseClipboard.USER32 ref: 00D2ED59

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 245acf37924e42ec3154d80607e03802049f3b8d76a69baedc31ddab38b21500
Instruction ID: bf314fbd8b7f87b017e157fa88e75e7a4dfa33f3d7f26c7ee33d63508691c3e5
Opcode Fuzzy Hash: 245acf37924e42ec3154d80607e03802049f3b8d76a69baedc31ddab38b21500
Instruction Fuzzy Hash: D261DE38204301AFD300EF64E888F6A7BA4EF95718F185519F496C72A2DB71ED45DBB2

Function 00D2698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D269BE
FindClose.KERNEL32(00000000), ref: 00D26A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D26A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D26A75

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D26AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D26ADF

Strings

%4d, xrefs: 00D26BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D26B32
%02d, xrefs: 00D26C00, 00D26C0A, 00D26C5A, 00D26CAA, 00D26CFA, 00D26D4A
%03d, xrefs: 00D26DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00D26B6A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1255950cd9ab1be89b8d9095de1799558a01376cef2fdbf58942f95c91a90d39
Instruction ID: 23ce579d9b2a9e0a0b7503998eef142fecb604c29daa0fd7c5ec8a0296177d7e
Opcode Fuzzy Hash: 1255950cd9ab1be89b8d9095de1799558a01376cef2fdbf58942f95c91a90d39
Instruction Fuzzy Hash: FAD15172508300AFC710EFA4D891EABB7ECAF99704F04491DF589D7291EB74DA48DB62

Function 00D29642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00D29663
GetFileAttributesW.KERNEL32(?), ref: 00D296A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D296BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D296D3
FindClose.KERNEL32(00000000), ref: 00D296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D2974A
SetCurrentDirectoryW.KERNEL32(00D76B7C), ref: 00D29768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D29772
FindClose.KERNEL32(00000000), ref: 00D2977F
FindClose.KERNEL32(00000000), ref: 00D2978F

Strings

*.*, xrefs: 00D296F5

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d83247c4a06fdb90d16e305800b72a0045e1b9a8e77cfe2d0ad38e99890b309a
Instruction ID: 48c4abc32de2c76fd9a9b158e9f5e70a95402877e922efa883b55e7d3aef465f
Opcode Fuzzy Hash: d83247c4a06fdb90d16e305800b72a0045e1b9a8e77cfe2d0ad38e99890b309a
Instruction Fuzzy Hash: 5731E4365016296FDB14EFB4EC58ADEB7ACAF0A325F144156F905E3190EB70DD448E34

Function 00D2979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00D297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D29819
FindClose.KERNEL32(00000000), ref: 00D29824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D29840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D29890
SetCurrentDirectoryW.KERNEL32(00D76B7C), ref: 00D298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D298B8
FindClose.KERNEL32(00000000), ref: 00D298C5
FindClose.KERNEL32(00000000), ref: 00D298D5

Part of subcall function 00D1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D1DB00

Strings

*.*, xrefs: 00D2983B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6a56cb693863eab87d2bac639cd0d1168c95c4ce164caca683524e212f6801a5
Instruction ID: 92f00c292870f019b8c73cbd8a12edc9e7b6a4b91b4804ada1a38b8c22b4cba9
Opcode Fuzzy Hash: 6a56cb693863eab87d2bac639cd0d1168c95c4ce164caca683524e212f6801a5
Instruction Fuzzy Hash: 483114315016296FDB14EFB4EC58ADEF3ACAF16324F184156E904E2190EB70D949CA74

Function 00D3BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00D3BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00D3BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D3C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D3C382
RegCloseKey.ADVAPI32(00000000), ref: 00D3C38F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: e520bfbbb0a19206abb9cc95123f360e17fcc1d2f4cf05fedcc01fd9d4ed36f5
Instruction ID: 2c9823e8f693f3be2972368090beb33b0d83d5effcba4e88be76f1b7776a6e26
Opcode Fuzzy Hash: e520bfbbb0a19206abb9cc95123f360e17fcc1d2f4cf05fedcc01fd9d4ed36f5
Instruction Fuzzy Hash: 9A0271716142009FC714DF28C891E2ABBE5EF89314F18D49DF88ADB2A2DB31EC45CB61

Function 00D28195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D28257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D28267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D28273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D28310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D2838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28395

Strings

*.*, xrefs: 00D2839B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6f6004287303f651e048e8fabb0e2ff6706e89c8c533d9db65dea64059dbd6d9
Instruction ID: c9c55e61246942f308255185a235c14f4ab0ae65120fc8440fa4272f0ccceb13
Opcode Fuzzy Hash: 6f6004287303f651e048e8fabb0e2ff6706e89c8c533d9db65dea64059dbd6d9
Instruction Fuzzy Hash: E9618D725043159FC710EF64D8809AEB3E8FF99314F04891EF989C7251EB31E949DBA2

Function 00D1D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D1D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D1D1DD
MoveFileW.KERNEL32(?,?), ref: 00D1D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D1D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1D237

Part of subcall function 00D1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D1D21C,?,?), ref: 00D1D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D1D253
FindClose.KERNEL32(00000000), ref: 00D1D264

Strings

\*.*, xrefs: 00D1D0CD, 00D1D0D6, 00D1D0EB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4b5fb9145d31d8a783e5318c2e2b714751a640ca5120d5e7cd69150467f9f997
Instruction ID: 4f8c4deaaa683f2e2ef847ce0a3080f848e3cb4862186fb6266f6fbbbe5aa7cb
Opcode Fuzzy Hash: 4b5fb9145d31d8a783e5318c2e2b714751a640ca5120d5e7cd69150467f9f997
Instruction Fuzzy Hash: 24615B3180124DABCF05EBE0E9929EDB7B6AF55300F244165E402771A1EF31AF89EB70

Function 00D2ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D2ED91
EmptyClipboard.USER32 ref: 00D2ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D2EDAC
CloseClipboard.USER32 ref: 00D2EEA3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 213219cccd4d2529c8022e8da4b14657ecafaa89ddde2473ee6ce9ffc72430f6
Instruction ID: 1358d75ba4260ecf0ec9cfb96fe00907e78f0597d3c50f12baa36b075d5daa8f
Opcode Fuzzy Hash: 213219cccd4d2529c8022e8da4b14657ecafaa89ddde2473ee6ce9ffc72430f6
Instruction Fuzzy Hash: F741AE39205621AFD320DF16E888B29BBE5EF55318F19C099F415CB762C775EC41CBA0

Function 00D1E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
Part of subcall function 00D116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
Part of subcall function 00D116C3: GetLastError.KERNEL32 ref: 00D1174A

ExitWindowsEx.USER32(?,00000000), ref: 00D1E932

Strings

, xrefs: 00D1E95C
@, xrefs: 00D1E925
, xrefs: 00D1E920
SeShutdownPrivilege, xrefs: 00D1E902

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8d92e412a5c0cfbe8b4cb5c605f024c96582fb54fcd4b251f5307928a8af95d7
Instruction ID: 7d49cd5400704207fdd74a67ca8e9763f48f3c53132fb0ba449270d923152bdd
Opcode Fuzzy Hash: 8d92e412a5c0cfbe8b4cb5c605f024c96582fb54fcd4b251f5307928a8af95d7
Instruction Fuzzy Hash: 9B01A776620311BBEB542774BC86BFA735C9B18750F194422FD03E21D1DDA59CC089B4

Function 00D31204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D31276
WSAGetLastError.WSOCK32 ref: 00D31283
bind.WSOCK32(00000000,?,00000010), ref: 00D312BA
WSAGetLastError.WSOCK32 ref: 00D312C5
closesocket.WSOCK32(00000000), ref: 00D312F4
listen.WSOCK32(00000000,00000005), ref: 00D31303
WSAGetLastError.WSOCK32 ref: 00D3130D
closesocket.WSOCK32(00000000), ref: 00D3133C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 51e3f457c6eaeff92f200d4679873917a2801b350d781132a12b643821f18cca
Instruction ID: 7a9e3f281d12d62265a7032a02f667f6476c1e51f02b5c90a536bb1160bdd37a
Opcode Fuzzy Hash: 51e3f457c6eaeff92f200d4679873917a2801b350d781132a12b643821f18cca
Instruction Fuzzy Hash: A84191396002019FD710DF64C489B6ABBE5BF46318F188198E8568F396C771EC85CBF1

Function 00CEB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CEB9D4
_free.LIBCMT ref: 00CEB9F8
_free.LIBCMT ref: 00CEBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D53700), ref: 00CEBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CEBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D81270,000000FF,?,0000003F,00000000,?), ref: 00CEBC36
_free.LIBCMT ref: 00CEBD4B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 7ab86a607974fa53b86345a6750258b5a2980f7f84502e2a757ad85b061c7844
Instruction ID: 0cd98c5dfbf392bddc7b42cc44cb1c91a2561b3c31f830ea35c32d12f1b913b1
Opcode Fuzzy Hash: 7ab86a607974fa53b86345a6750258b5a2980f7f84502e2a757ad85b061c7844
Instruction Fuzzy Hash: 29C118759042C59FDB209F6A8C42BBBBBB9EF41310F1441AAE4A4D7252EB309F41D7A0

Function 00D1D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D1D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D1D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1D481
FindClose.KERNEL32(00000000), ref: 00D1D498
FindClose.KERNEL32(00000000), ref: 00D1D4A1

Strings

\*.*, xrefs: 00D1D3F2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d5c000e83238ba89476cf347262a3e2bbd5efc40a99ef303267d7a0e0ed8d246
Instruction ID: 319b01128b349191d51b802d633deba8a735e02ed442548365ad24777c58bbe8
Opcode Fuzzy Hash: d5c000e83238ba89476cf347262a3e2bbd5efc40a99ef303267d7a0e0ed8d246
Instruction Fuzzy Hash: 47317E31019385ABC304EF64D8919EFB7E8AE96300F444A1DF4D1921A1EF70EA49E773

Function 00CEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CEE645

Strings

1#QNAN, xrefs: 00CEF84B
1#SNAN, xrefs: 00CEF844
1#IND, xrefs: 00CEF83D
1#INF, xrefs: 00CEF852

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3776a9c6d4d99aa986c24112f6a257d1fae1ed0a97fbcbfb0b35c963c62d0597
Instruction ID: 2033e09336a48741d648082b4d6a53f3351a77ec67ff20a3493444238ea5eb0c
Opcode Fuzzy Hash: 3776a9c6d4d99aa986c24112f6a257d1fae1ed0a97fbcbfb0b35c963c62d0597
Instruction Fuzzy Hash: FFC26D72E046688FDB25CF29DD407EAB7B5EB48345F1441EAD85DE7280E774AE828F40

Function 00D2648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D264DC
CoInitialize.OLE32(00000000), ref: 00D26639
CoCreateInstance.OLE32(00D4FCF8,00000000,00000001,00D4FB68,?), ref: 00D26650
CoUninitialize.OLE32 ref: 00D268D4

Strings

.lnk, xrefs: 00D264BA, 00D26524, 00D265E0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: b30622a29c714ef1bab16f2e466ea7884ea44336b328e8168359d54d72f5d1d5
Instruction ID: f9b3dfeb17eff5eba88556277173a9fe59ad128bfc08208a907587bdd2ebbd5a
Opcode Fuzzy Hash: b30622a29c714ef1bab16f2e466ea7884ea44336b328e8168359d54d72f5d1d5
Instruction Fuzzy Hash: 31D15B715083119FC304EF64D8819ABB7E8FF95308F14495DF5958B2A1EB31ED05CBA2

Function 00D322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D322E8

Part of subcall function 00D2E4EC: GetWindowRect.USER32(?,?), ref: 00D2E504

GetDesktopWindow.USER32 ref: 00D32312
GetWindowRect.USER32(00000000), ref: 00D32319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D32355
GetCursorPos.USER32(?), ref: 00D32381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D323DF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 48f444ea5fd7b13e2c08c5c649b462fcb9fdee49a7575d335c9be08c82432b92
Instruction ID: 6bfc427e9375f5ed46a47ae461fb04a6dd31963c4c35bf08fc30fabb71c81651
Opcode Fuzzy Hash: 48f444ea5fd7b13e2c08c5c649b462fcb9fdee49a7575d335c9be08c82432b92
Instruction Fuzzy Hash: 0A31CD72905315ABD720DF14D849AABBBA9FF85314F04091DF985D7291DB34EA08CBA2

Function 00D29B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D29B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D29C8B

Part of subcall function 00D23874: GetInputState.USER32 ref: 00D238CB
Part of subcall function 00D23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D23966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D29BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D29C75

Strings

*.*, xrefs: 00D29B5D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f6da8f2a587c3555f4b8f7092ef3ca0fde3099ac4ac19db30e10ab5825324848
Instruction ID: 85459b0731a7cf42dd2cb895afe2813c306b2106dca85a5ca1c8ae94abeeec6f
Opcode Fuzzy Hash: f6da8f2a587c3555f4b8f7092ef3ca0fde3099ac4ac19db30e10ab5825324848
Instruction Fuzzy Hash: C841B17190421AAFCF14DFA4D895AEEBBF8FF55304F24405AE805A2291EB309E84DF70

Function 00CC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CC9A4E
GetSysColor.USER32(0000000F), ref: 00CC9B23
SetBkColor.GDI32(?,00000000), ref: 00CC9B36

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fb6a745356b6cc5954779d5de8e2bb7fcf1737dbbe95d5064d0f6b4231a0c31a
Instruction ID: 95389e5578623305956a00ea54f93f3db1d97560d1fd67a8669f4a455c9e67f0
Opcode Fuzzy Hash: fb6a745356b6cc5954779d5de8e2bb7fcf1737dbbe95d5064d0f6b4231a0c31a
Instruction Fuzzy Hash: 5BA11771609544BFE728AA2ECC5DF7B365DEB86340F19010DF016DA6E1CA35AE01E375

Function 00D31806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
Part of subcall function 00D3304E: _wcslen.LIBCMT ref: 00D3309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D3185D
WSAGetLastError.WSOCK32 ref: 00D31884
bind.WSOCK32(00000000,?,00000010), ref: 00D318DB
WSAGetLastError.WSOCK32 ref: 00D318E6
closesocket.WSOCK32(00000000), ref: 00D31915

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: aad2b1bc054c9957d747807a3d8ec1908e2bfcfa06661b4c4a62c4722b43c33d
Instruction ID: 39bd79b01d20be3f2a6c85cdd58f8359a637ba0630e713af2d8cd52d5116a008
Opcode Fuzzy Hash: aad2b1bc054c9957d747807a3d8ec1908e2bfcfa06661b4c4a62c4722b43c33d
Instruction Fuzzy Hash: 8A51B175A00200AFEB10EF24C886F6A77E5AB49718F18809CF9169F3D3C771AD419BB1

Function 00D41C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D41CC0
IsWindowEnabled.USER32 ref: 00D41CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D41CDB
IsIconic.USER32 ref: 00D41CE9
IsZoomed.USER32 ref: 00D41CF7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a317e4c801b980f328f9b2cda4035d48b9795d40e3967e48c9483b75ab1cce62
Instruction ID: cdaf54502f7060b9f6363bd6995c8155d612d802cf2efde667694139db9880b7
Opcode Fuzzy Hash: a317e4c801b980f328f9b2cda4035d48b9795d40e3967e48c9483b75ab1cce62
Instruction Fuzzy Hash: 0A2191397412115FD7208F1ADC84B6ABBA5EF85315F1D9058E84ACB351C771EC82CBB0

Function 00CB8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CB843C
VUUU, xrefs: 00CB83FA
ERCP, xrefs: 00CB813C
VUUU, xrefs: 00CF5DF0
VUUU, xrefs: 00CB83E8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0a13dffd5f822c04e3e486fde9a24584f9dc5206fa44c44ac4daf7a2aae97bac
Instruction ID: 33917e466e234bcfc94ab349acded2720780f0ed51a3c9391f5486f271db8a24
Opcode Fuzzy Hash: 0a13dffd5f822c04e3e486fde9a24584f9dc5206fa44c44ac4daf7a2aae97bac
Instruction Fuzzy Hash: 69A27C70A0061ECBDF64CF58C9507FEB7B5BB54314F2481AAEA25A7284DB309E85CF91

Function 00D1AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D1AAAC
SetKeyboardState.USER32(00000080), ref: 00D1AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D1AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D1AB88

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac5d41ce285ce94d318f6baae962bd0316e4e698cb558ca234c6605197def393
Instruction ID: e248086b8d0794e363ff978ba34f65e6aac3c31ac8273fac7cf0282fd1bb5a71
Opcode Fuzzy Hash: ac5d41ce285ce94d318f6baae962bd0316e4e698cb558ca234c6605197def393
Instruction Fuzzy Hash: 7A312770A46288BEEB30CB6CED05BFA7BA6AF45310F08421AF081961D1DB7589C1C772

Function 00D2CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D2CE89
GetLastError.KERNEL32(?,00000000), ref: 00D2CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D2CEFE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: cced437b933f14c941b9ef3fd236fa3949990c5e26fe0f3703a1bf25334da69a
Instruction ID: bc1ba96652e34eea1ef1bbe778c9164cce75a02dc3db5cc1a6b727b5537ba963
Opcode Fuzzy Hash: cced437b933f14c941b9ef3fd236fa3949990c5e26fe0f3703a1bf25334da69a
Instruction Fuzzy Hash: 1821EDB1511715ABDB20DFA5E988BAA77F8EF20318F14541EE646D2251E770EE088B70

Function 00D18298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D182AA

Strings

(, xrefs: 00D182F0
|, xrefs: 00D182DA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1671cad9c7cb94c6b89f967eb4a089a1a51be51713c29cfbf7e94304d7951543
Instruction ID: 9b4b6c2fe68d86bbc8d9aac44bda71838711980f1c6485781a78ab361efdf5a1
Opcode Fuzzy Hash: 1671cad9c7cb94c6b89f967eb4a089a1a51be51713c29cfbf7e94304d7951543
Instruction Fuzzy Hash: CB323774A00705AFC728CF59D080AAAB7F1FF48710B15C56EE49ADB3A1EB70E981DB54

Function 00D25C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D25CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D25D17
FindClose.KERNEL32(?), ref: 00D25D5F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d662604d5565b3c880b128a79a2490d7d2fcc1cafb74fae24acd16c8e8fad3a5
Instruction ID: ec5ba73e53b214a8d289b436a79bb3a6decd5fbe0c6cc94e4097de396a825c68
Opcode Fuzzy Hash: d662604d5565b3c880b128a79a2490d7d2fcc1cafb74fae24acd16c8e8fad3a5
Instruction Fuzzy Hash: C7518A34604A019FC714CF28E494E96B7E4FF4A318F14855EE99A8B3A2DB30ED45CBA1

Function 00CE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CE2731

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e30ccef2295b7f3df1bf6d2283dd9799558498094fbfa59b9c57aadebad8b63c
Instruction ID: 6a56f2c01897bc94c718c1047e1dcbe721d92ab029b2b5d5181a3b3391d7df23
Opcode Fuzzy Hash: e30ccef2295b7f3df1bf6d2283dd9799558498094fbfa59b9c57aadebad8b63c
Instruction Fuzzy Hash: 1D31D374911318ABCB21DF68DC8879DBBB8BF08310F5051EAE81CA7260E7709F819F54

Function 00D251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D25238
SetErrorMode.KERNEL32(00000000), ref: 00D252A1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 775ce6f5449abe96192105af95f6c4725119f762ab852f73fdf6fa76dde5dd2c
Instruction ID: 7f5f3caa6bd5b16111994b0a49738a03ee2e9e13519d446e6ab38ce1c2c259e0
Opcode Fuzzy Hash: 775ce6f5449abe96192105af95f6c4725119f762ab852f73fdf6fa76dde5dd2c
Instruction Fuzzy Hash: D6312F75A10618DFDB00DF54D8C4EADBBB5FF49318F188099E8059B396DB31E855CB60

Function 00D116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CD0668
Part of subcall function 00CCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
GetLastError.KERNEL32 ref: 00D1174A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b9fb82f237cc4b196817bdaf1c4a987dca69b44e8e04478fdb554acffa6217d1
Instruction ID: 963744f905399ce06e44ec0ecb385341ee1a3ad543b23a33dc33474bc7c26a7b
Opcode Fuzzy Hash: b9fb82f237cc4b196817bdaf1c4a987dca69b44e8e04478fdb554acffa6217d1
Instruction Fuzzy Hash: 7D11C1B2410304BFD7189F54EC86EAAB7B9EB04714B20852EE05693291EB70FC81CA30

Function 00D1D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D1D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D1D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D1D650

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: ac0ded9e5507226cf3ce6e10501ca071928e5cc06815a164f398865008dd4e42
Instruction ID: 0013e0c18fe0ae7b156cdb1b52d49c1160102f888b27de99e49523131e157675
Opcode Fuzzy Hash: ac0ded9e5507226cf3ce6e10501ca071928e5cc06815a164f398865008dd4e42
Instruction Fuzzy Hash: BE113C75E05328BBDB208F95AC45FAFBBBCEB45B50F108115F904E7290D6B05A058BA1

Function 00D11663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D1168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D116A1
FreeSid.ADVAPI32(?), ref: 00D116B1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1afe0910643b6960da015a578e46b3961ce03cae451bb329b01961c829ea70bd
Instruction ID: 7835642fb71cb839eafcffef425ad65bb0f9d389bbecd6269ee8fa3562cee322
Opcode Fuzzy Hash: 1afe0910643b6960da015a578e46b3961ce03cae451bb329b01961c829ea70bd
Instruction Fuzzy Hash: E9F0F475A51309FBDB00DFE49C89AAEBBBCEB08605F504965E501E2281E774AA448A64

Function 00CEC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00CEC36C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f3623bc9666993827f2e5ede99c2b4b747ca115daa92b76fbc030bdabed232a6
Instruction ID: c9c7a90aee095059fc8aef279fb5bec8abb14fb2443a424205719be83188337e
Opcode Fuzzy Hash: f3623bc9666993827f2e5ede99c2b4b747ca115daa92b76fbc030bdabed232a6
Instruction Fuzzy Hash: E84129765003596FCB249FBACC89EBB7778EB84314F104269F915D7290E6709E82CB50

Function 00D0D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D0D28C

Strings

X64, xrefs: 00D0D2A8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abaca3d4662244d3e35965a3052625ceb5ef618ca42ad0a604015cb2f1428623
Instruction ID: 234e423eeed505b810c9ff23bf1e7a145ca3c0c279ab77c1661c7d508d101ee0
Opcode Fuzzy Hash: abaca3d4662244d3e35965a3052625ceb5ef618ca42ad0a604015cb2f1428623
Instruction Fuzzy Hash: 0CD0C9B481211DEBCF90CBA0DCC8ED9B37CBB04305F100156F106E2140D73095488F20

Function 00CDCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4df6fbf500ba29928ad6a8d8aa331780b98fd796c334c7f1f396f2c59dc5e196
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7020D71E0111A9BDF14CFA9C9C06ADFBF1EF88314F25416ADA29E7384D731AA41CB94

Function 00D268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D26918
FindClose.KERNEL32(00000000), ref: 00D26961

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f37709ec62163e826c5c60ea36c8b9fef1896037b1e3f809ab4f0728b827863c
Instruction ID: a4cc98753cd57bea9f4389d08b8750ef99d6abe1937ab3263c42cffffabfde04
Opcode Fuzzy Hash: f37709ec62163e826c5c60ea36c8b9fef1896037b1e3f809ab4f0728b827863c
Instruction Fuzzy Hash: 4B11AC356042109FC710CF69D484A26BBE0EF85328F08C699E4698B2A2CB70EC45CBA0

Function 00D237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D34891,?,?,00000035,?), ref: 00D237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D34891,?,?,00000035,?), ref: 00D237F4

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d37c583de75900586de7fdf90e89e48e82120148b9ba9213af39a12afda4ab0d
Instruction ID: cdfc3de2dd2a76d3243ec67542b162ede92384896f763223b4f2b74523b2692f
Opcode Fuzzy Hash: d37c583de75900586de7fdf90e89e48e82120148b9ba9213af39a12afda4ab0d
Instruction Fuzzy Hash: 14F0E5B47053286BEB605BA69C4DFEB3AAEEFC5765F000265F609D3291D9A09904C7B0

Function 00D1B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D1B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00D1B270

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3150d9f4343a1e4f525aca52f35d6ba96f641d5365ea53815f2eb3160d3d60d5
Instruction ID: be2311588f3a7ac92b16bbf792adef977c1da64064d5e50d609868be6aa959e5
Opcode Fuzzy Hash: 3150d9f4343a1e4f525aca52f35d6ba96f641d5365ea53815f2eb3160d3d60d5
Instruction Fuzzy Hash: 9CF06D7480424DABDB058FA0C805BEE7BB0FF04315F00800AF951A5191C779C2059FA4

Function 00D110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D111FC), ref: 00D110D4
CloseHandle.KERNEL32(?,?,00D111FC), ref: 00D110E9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2c1aa82fc8653695c15831529246588cdc423576a98f803b014f4a1063ee0077
Instruction ID: ca4be5dc8ab00d8440d61147baf06a26a84cdbc63e581f1cc05008d4ecec0f32
Opcode Fuzzy Hash: 2c1aa82fc8653695c15831529246588cdc423576a98f803b014f4a1063ee0077
Instruction Fuzzy Hash: F8E04F36015710AFE7252F11FC09F7377A9EB04310B14882DF5A6C04B1DB626C90EB20

Function 00CBCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00D00C40

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ef86a60432b4cc845b73516a8dace5632ed6e45dd8fd4181ccdcb2bc53dd928f
Instruction ID: 077927ccf4ef2427df8610de862f30600b23afc22b48fe64b3a96780593db1f6
Opcode Fuzzy Hash: ef86a60432b4cc845b73516a8dace5632ed6e45dd8fd4181ccdcb2bc53dd928f
Instruction Fuzzy Hash: BE328B74900218EBDF14DF94C8C5BFDBBB5BF05304F248069E81AAB292DB75AE45DB60

Function 00CE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CE6766,?,?,00000008,?,?,00CEFEFE,00000000), ref: 00CE6998

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ffc226a674e3d6ade988c0172a04618396c7c74777fcb5c4cb6ede584b4b71e9
Instruction ID: 7a14245d19c20d88168a5254e3814ec5aa5d54fe7461e5139d60a8af477aa17c
Opcode Fuzzy Hash: ffc226a674e3d6ade988c0172a04618396c7c74777fcb5c4cb6ede584b4b71e9
Instruction Fuzzy Hash: 66B14A316206489FD715CF29C48AB657BE0FF553A4F258658E8E9CF2E2C335EA91CB40

Function 00CCB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00D0851F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13928628abd20dfce4fce78b7508705d809ae8dba0ffbfe00f10e8129c2995f0
Instruction ID: 3b4b93f0d1626ed1796afb21576ad510dd5296f45cf42445c214de0209ef8a8c
Opcode Fuzzy Hash: 13928628abd20dfce4fce78b7508705d809ae8dba0ffbfe00f10e8129c2995f0
Instruction Fuzzy Hash: 2E123275D002299BDB14CF99C881BEEB7B5FF48710F14815AE849EB295DB309E81DFA0

Function 00D2EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D2EABD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7bd55d87dbb682fc5a43c44c62083de68764bf10b58fecfbfeeeb55e45948aa3
Instruction ID: 01406eda90e7f7ae42dd53e42b291bac3cb57c318abfb010aed3477817e6b3d5
Opcode Fuzzy Hash: 7bd55d87dbb682fc5a43c44c62083de68764bf10b58fecfbfeeeb55e45948aa3
Instruction Fuzzy Hash: 06E04F352102149FC710EF59E844E9AF7EDAFA9764F00841AFC4AC7361DBB0EC408BA1

Function 00CD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CD03EE), ref: 00CD09DA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72d9eb1eb4624c74dcbb7336089bd4c4ffeb5c4d44d410f1c226f48fba7ced13
Instruction ID: ca0b3149f2327715815c20ae95f18e33ab609aca341a303c067e74bb0c07c8bf
Opcode Fuzzy Hash: 72d9eb1eb4624c74dcbb7336089bd4c4ffeb5c4d44d410f1c226f48fba7ced13
Instruction Fuzzy Hash:

Function 00CD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CD798B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ad1e91533b4ec43b00539ee065d58df94d06badc36dacef1d223a837e2b82221
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7B51787260C6455BDB3856298D6A7BE63859B02300F18070BDBA6E73C2F635DF05F352

Function 00CE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010011f3062d93eb9f335f6e0aab3d6a31512ebf8624efab819e13e5bb4e0dd1
Instruction ID: bc910f394976bf99bb763bf25188831e1c0876a2529b9567038f25711a4daf1c
Opcode Fuzzy Hash: 010011f3062d93eb9f335f6e0aab3d6a31512ebf8624efab819e13e5bb4e0dd1
Instruction Fuzzy Hash: 48324522D29F814DD7239635DC223356659AFB73C6F24C737FC2AB5AA9EB29C5834100

Function 00CCCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01be1581cfe9e27a69d40088f3b56fbf4342e50a05bf280eba31e7437245d3ce
Instruction ID: 992fbaf7073ab1fd593e7c73222a0ad1a1917fd06b4708535decb2a737589c44
Opcode Fuzzy Hash: 01be1581cfe9e27a69d40088f3b56fbf4342e50a05bf280eba31e7437245d3ce
Instruction Fuzzy Hash: 9932E331A201558BDF38CB29C4D4BBD77A1EB45310F28966AE89EDB2D1E230DD81DB71

Function 00CB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0d4ec192a4b61c8279525f326e0158bb826c500ef2e13b77e9cbf1e9470da4
Instruction ID: ed4bc30155827dfdba6633a66f3f28638370f019a103a3c6744ab3820403fde9
Opcode Fuzzy Hash: 5e0d4ec192a4b61c8279525f326e0158bb826c500ef2e13b77e9cbf1e9470da4
Instruction Fuzzy Hash: 1922CF70A046099FDF14CF69C881AEEB7F6FF44300F204229EA16E7291EB369E55DB51

Function 00CB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe54e32ed0ef6f6dbdaa4157f9e2f7a19ff99831d544c593d10a8e027bb403ac
Instruction ID: 3c3010c5b0dd8294f196dce5f68c0d89323db08aff66753436f98f2664a1b0ed
Opcode Fuzzy Hash: fe54e32ed0ef6f6dbdaa4157f9e2f7a19ff99831d544c593d10a8e027bb403ac
Instruction Fuzzy Hash: E102A6B0E00209EBDB14DF55D881BAEB7B1FF44300F218169E916DB3A1EB31AE51DB95

Function 00CE9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c736aba4b6c93ed1410442544ff55214081edb24273a709081406d03068a8d
Instruction ID: 28892d51ff8e04603258dd394e8e2e30cb6462f05aae443a2a3e28aa57888703
Opcode Fuzzy Hash: 28c736aba4b6c93ed1410442544ff55214081edb24273a709081406d03068a8d
Instruction Fuzzy Hash: E0B1F321D2AF414DD72396398831336B75CAFBB6D6F91D71BFC26B4E62EB2186834140

Function 00CD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 041029ab5c7e4cada80318825c87e43d10b85d79db64f0ff0bff9624009c91cc
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 9C9167722080E35ADB2A463E857403EFFE15A923A131E079FDDF2CA3C5EE14CA54D620

Function 00CD1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: eb14fde57e0d5d5b7aeb96ccfbaf09a4b32b2f914f1e42f663e9815e6931d1e4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1B917B732090A349DB2D477A857403DFFE15AA23A131E479FDAF2CB2C5EE24DA54D620

Function 00CD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4120916e1e761d3711803a953a0e30765e636d0ad994897c866a67258b95a6db
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8F9165722090A36EDB2D427A857403EFFE15A923A131E079FD9F6CA2C5FD14C754E620

Function 00CD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0172fa1913dfdf8a903a67007aadf8643e3a8c2c830568926afcab3e27dd8e
Instruction ID: c83006fb9fa871d46fdd0e34018dd347816cd8011c1a7641c3d41cd6e70c8ce7
Opcode Fuzzy Hash: 0f0172fa1913dfdf8a903a67007aadf8643e3a8c2c830568926afcab3e27dd8e
Instruction Fuzzy Hash: 1F614671208709B7DE349A2889A6BBE6394DF41700F101B1BEB97DB381FA319F46E355

Function 00CD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d5cfaea98e0b0ec977febf462f9418a741ada31302812964bc1a731d23392c
Instruction ID: 1f46e193a91921fd849fd6058c6712d3d8f7c57d7d392f3132f19dfbb1c2d811
Opcode Fuzzy Hash: 73d5cfaea98e0b0ec977febf462f9418a741ada31302812964bc1a731d23392c
Instruction Fuzzy Hash: 70617B312087095BDE385A288896BBF6396DF42704F100B5BEB53DB781FA32EF469355

Function 00CD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 19cf736c139af9d0fdf1e7a2646f4d608df0c9e6ba7ce6615c44438ed11a3c72
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BD8175726080A319DB2D867A857403EFFE15A923A131F079FD9F2CA2D1EE24C754E620

Function 00D22046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb912c1cd5a9ce12e2f07c155a7cb40ff180a15d956a36f081664958353aed4
Instruction ID: 078d34f0f4dc02c1c053e425f40b45b189e46d6d80d052e29daab6692d8a849c
Opcode Fuzzy Hash: 0eb912c1cd5a9ce12e2f07c155a7cb40ff180a15d956a36f081664958353aed4
Instruction Fuzzy Hash: 4621B7326206118BD728CF79C92367E73E5EB64314F19862EE4A7C77D0DE35A904CBA0

Function 00D32ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D32B30
DeleteObject.GDI32(00000000), ref: 00D32B43
DestroyWindow.USER32 ref: 00D32B52
GetDesktopWindow.USER32 ref: 00D32B6D
GetWindowRect.USER32(00000000), ref: 00D32B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D32CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D32CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32CF8
GetClientRect.USER32(00000000,?), ref: 00D32D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D32D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D80
GlobalLock.KERNEL32(00000000), ref: 00D32D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D98
GlobalUnlock.KERNEL32(00000000), ref: 00D32DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32DA8
GlobalFree.KERNEL32(00000000), ref: 00D32DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D4FC38,00000000), ref: 00D32DDB
GlobalFree.KERNEL32(00000000), ref: 00D32DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D32E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D32E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D3303F

Strings

static, xrefs: 00D32D3A, 00D32E91
DISPLAY, xrefs: 00D32EA2
, xrefs: 00D32FC5
AutoIt v3, xrefs: 00D32CF2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 46414b326882e631b8dd32b6dc4072656eda60f288c8ac85a27cc188ef41a42b
Instruction ID: 997ed36b2dbd3311195eca152100bf634d8b8ba35254f3207c992e22a5a18c73
Opcode Fuzzy Hash: 46414b326882e631b8dd32b6dc4072656eda60f288c8ac85a27cc188ef41a42b
Instruction Fuzzy Hash: 38026775A10209AFDB14DFA4CC89EAE7BB9EF49310F048158F915EB2A1DB70AD05CB70

Function 00D470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D4712F
GetSysColorBrush.USER32(0000000F), ref: 00D47160
GetSysColor.USER32(0000000F), ref: 00D4716C
SetBkColor.GDI32(?,000000FF), ref: 00D47186
SelectObject.GDI32(?,?), ref: 00D47195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D471C0
GetSysColor.USER32(00000010), ref: 00D471C8
CreateSolidBrush.GDI32(00000000), ref: 00D471CF
FrameRect.USER32(?,?,00000000), ref: 00D471DE
DeleteObject.GDI32(00000000), ref: 00D471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D47230
FillRect.USER32(?,?,?), ref: 00D47262
GetWindowLongW.USER32(?,000000F0), ref: 00D47284

Part of subcall function 00D473E8: GetSysColor.USER32(00000012), ref: 00D47421
Part of subcall function 00D473E8: SetTextColor.GDI32(?,?), ref: 00D47425
Part of subcall function 00D473E8: GetSysColorBrush.USER32(0000000F), ref: 00D4743B
Part of subcall function 00D473E8: GetSysColor.USER32(0000000F), ref: 00D47446
Part of subcall function 00D473E8: GetSysColor.USER32(00000011), ref: 00D47463
Part of subcall function 00D473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D47471
Part of subcall function 00D473E8: SelectObject.GDI32(?,00000000), ref: 00D47482
Part of subcall function 00D473E8: SetBkColor.GDI32(?,00000000), ref: 00D4748B
Part of subcall function 00D473E8: SelectObject.GDI32(?,?), ref: 00D47498
Part of subcall function 00D473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D474B7
Part of subcall function 00D473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D474CE
Part of subcall function 00D473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D474DB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5fa12805b109bdacb3d4c9e375f4b174a7431bbc6eafdece212d86ed72d7aea7
Instruction ID: 8c1d12ceed8108a3c7e49b9337ac33d0d32f24dad569c68c3a999006ca57912e
Opcode Fuzzy Hash: 5fa12805b109bdacb3d4c9e375f4b174a7431bbc6eafdece212d86ed72d7aea7
Instruction Fuzzy Hash: F8A1B076019301AFDB509F60DC48E6F7BA9FB4A320F141A19F9A2E62E1D770E944CF61

Function 00CC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D06AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D06AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D06F43

Part of subcall function 00CC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CC8BE8,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8FC5

SendMessageW.USER32(?,00001053), ref: 00D06F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D06F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D06FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D06FB7

Strings

0, xrefs: 00D06DCF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a5767962969a5f953494796b4977cf383bb12a2a8ffa058d90e4345e6eafc6e7
Instruction ID: 345210bd74a70d0d5faa91aace513c321f105157df2c0a65e713dab7a6a342d1
Opcode Fuzzy Hash: a5767962969a5f953494796b4977cf383bb12a2a8ffa058d90e4345e6eafc6e7
Instruction Fuzzy Hash: 57127B38601211AFD725DF24C854BAABBA5FB45300F18846DF599CB2A1CB31EC66DFA1

Function 00D32711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D3273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D3286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D32900
GetClientRect.USER32(00000000,?), ref: 00D3290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D32955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D32964
GetStockObject.GDI32(00000011), ref: 00D32974
SelectObject.GDI32(00000000,00000000), ref: 00D32978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D32988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D32991
DeleteDC.GDI32(00000000), ref: 00D3299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D32A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D32A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D32A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D32A77
GetStockObject.GDI32(00000011), ref: 00D32A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D32A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D32A97

Strings

DISPLAY, xrefs: 00D3295A
static, xrefs: 00D3294F, 00D32A71
msctls_progress32, xrefs: 00D32A13
AutoIt v3, xrefs: 00D328F8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0340c14c8d854ccf802a2284d336dc6b43a632888563c6c9a65003136df61263
Instruction ID: f53af5fe218e20cb44f4a4c9a44409ff93a882293405abdab9080ecd8ccf6fad
Opcode Fuzzy Hash: 0340c14c8d854ccf802a2284d336dc6b43a632888563c6c9a65003136df61263
Instruction Fuzzy Hash: BDB16DB5A10315AFEB14DFA8CC49FAE7BA9EB49710F008614F915E72A0D770ED44CBA4

Function 00D24ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D24AED
GetDriveTypeW.KERNEL32(?,00D4CB68,?,\\.\,00D4CC08), ref: 00D24BCA
SetErrorMode.KERNEL32(00000000,00D4CB68,?,\\.\,00D4CC08), ref: 00D24D36

Strings

USB, xrefs: 00D24CB4
Fibre, xrefs: 00D24CAD
Virtual, xrefs: 00D24CE5
MMC, xrefs: 00D24CDE
SAS, xrefs: 00D24CC9
SCSI, xrefs: 00D24C8A
Network, xrefs: 00D24C02
PhysicalDrive, xrefs: 00D24B76
ATAPI, xrefs: 00D24C91
RAMDisk, xrefs: 00D24BF4
ATA, xrefs: 00D24C98
Fixed, xrefs: 00D24C09
RAID, xrefs: 00D24CBB
Removable, xrefs: 00D24C10, 00D24C15
SSD, xrefs: 00D24C4A
Unknown, xrefs: 00D24BED, 00D24C83
CDROM, xrefs: 00D24BFB
iSCSI, xrefs: 00D24CC2
FileBackedVirtual, xrefs: 00D24CEC
SATA, xrefs: 00D24CD0
\\.\, xrefs: 00D24B3F
1394, xrefs: 00D24C9F
SSA, xrefs: 00D24CA6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b7a36ed22581628f71b9c4a7b742422928b8170b58e13ba8da9cfbe801a99702
Instruction ID: 3a6722cb4d39232767f7518122a4295a4b807d140d9d1a33a217a18a6961f391
Opcode Fuzzy Hash: b7a36ed22581628f71b9c4a7b742422928b8170b58e13ba8da9cfbe801a99702
Instruction Fuzzy Hash: 7061D2306016159FCB15DF28EA829A977B0EF64308B248016FC4AAB792FB31DD45EB71

Function 00D473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D47421
SetTextColor.GDI32(?,?), ref: 00D47425
GetSysColorBrush.USER32(0000000F), ref: 00D4743B
GetSysColor.USER32(0000000F), ref: 00D47446
CreateSolidBrush.GDI32(?), ref: 00D4744B
GetSysColor.USER32(00000011), ref: 00D47463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D47471
SelectObject.GDI32(?,00000000), ref: 00D47482
SetBkColor.GDI32(?,00000000), ref: 00D4748B
SelectObject.GDI32(?,?), ref: 00D47498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D4752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D47554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D47572
DrawFocusRect.USER32(?,?), ref: 00D4757D
GetSysColor.USER32(00000011), ref: 00D4758E
SetTextColor.GDI32(?,00000000), ref: 00D47596
DrawTextW.USER32(?,00D470F5,000000FF,?,00000000), ref: 00D475A8
SelectObject.GDI32(?,?), ref: 00D475BF
DeleteObject.GDI32(?), ref: 00D475CA
SelectObject.GDI32(?,?), ref: 00D475D0
DeleteObject.GDI32(?), ref: 00D475D5
SetTextColor.GDI32(?,?), ref: 00D475DB
SetBkColor.GDI32(?,?), ref: 00D475E5

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 432b7b0f4274d86909961ca80e33a0647a40971bc1d1a966a7cae04963708772
Instruction ID: 8c7722046d6b70869b7e9b02be7f45e62036eeacead77b210392819b6f11cc2b
Opcode Fuzzy Hash: 432b7b0f4274d86909961ca80e33a0647a40971bc1d1a966a7cae04963708772
Instruction Fuzzy Hash: 7C617A76901218AFDF009FA4DC48EAEBFB9EB09320F155115F915FB2A1D7709940CFA0

Function 00D40FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D41128
GetDesktopWindow.USER32 ref: 00D4113D
GetWindowRect.USER32(00000000), ref: 00D41144
GetWindowLongW.USER32(?,000000F0), ref: 00D41199
DestroyWindow.USER32(?), ref: 00D411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D4120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D4121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D41232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D41245
IsWindowVisible.USER32(00000000), ref: 00D412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D412D0
GetWindowRect.USER32(00000000,?), ref: 00D412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D4130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D41328
CopyRect.USER32(?,?), ref: 00D4133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D413AA

Strings

(, xrefs: 00D4131B
0, xrefs: 00D410D3
tooltips_class32, xrefs: 00D411E6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3249e651cfaa5395f4f7c7f4e67bc2d72b5bd89c87360130e91aada84344113d
Instruction ID: 7e7efc9ae76a628af58e52da8c5fc87f355d7854ec87b4a96a154fc67c1842e1
Opcode Fuzzy Hash: 3249e651cfaa5395f4f7c7f4e67bc2d72b5bd89c87360130e91aada84344113d
Instruction Fuzzy Hash: D5B18C75604341AFD714DF64C889BAEBBE4FF85350F048918F9999B2A1C771EC84CBA2

Function 00D40241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D402E5
_wcslen.LIBCMT ref: 00D4031F
_wcslen.LIBCMT ref: 00D40389
_wcslen.LIBCMT ref: 00D403F1
_wcslen.LIBCMT ref: 00D40475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D40504

Part of subcall function 00CCF9F2: _wcslen.LIBCMT ref: 00CCF9FD

Part of subcall function 00D1223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D12258
Part of subcall function 00D1223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D1228A

Strings

GETSELECTED, xrefs: 00D405E1
FINDITEM, xrefs: 00D40627
SELECTINVERT, xrefs: 00D4057E
SELECT, xrefs: 00D40548
GETITEMCOUNT, xrefs: 00D40316, 00D40337
GETTEXT, xrefs: 00D403EC, 00D40407
SELECTCLEAR, xrefs: 00D4052D
GETSUBITEMCOUNT, xrefs: 00D40384, 00D4039F
SELECTALL, xrefs: 00D40515
GETSELECTEDCOUNT, xrefs: 00D40470, 00D4048B
DESELECT, xrefs: 00D4059C
VIEWCHANGE, xrefs: 00D40675
ISSELECTED, xrefs: 00D404DD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: c36957053def03a320f38b0303a1824de377d74c502e1cebe910cf655c789186
Instruction ID: c3ecb43d3a3107ecfe7113283e043ca040f535333e25818e3d4a9ed4b6b2db35
Opcode Fuzzy Hash: c36957053def03a320f38b0303a1824de377d74c502e1cebe910cf655c789186
Instruction Fuzzy Hash: 1DE191312082419FCB14DF24C45196EBBE6FF88314F14895DF99A9B3A1DB30ED45DBA2

Function 00CC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CC8968
GetSystemMetrics.USER32(00000007), ref: 00CC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CC899B
GetSystemMetrics.USER32(00000008), ref: 00CC89A3
GetSystemMetrics.USER32(00000004), ref: 00CC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CC8A5A
GetStockObject.GDI32(00000011), ref: 00CC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CC8A81

Part of subcall function 00CC912D: GetCursorPos.USER32(?), ref: 00CC9141
Part of subcall function 00CC912D: ScreenToClient.USER32(00000000,?), ref: 00CC915E
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000001), ref: 00CC9183
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000002), ref: 00CC919D

SetTimer.USER32(00000000,00000000,00000028,00CC90FC), ref: 00CC8AA8

Strings

AutoIt v3 GUI, xrefs: 00CC8A20

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 42a661137234515969637dc4967a7f0425cf43b22599d3c7474e3ee4f6772008
Instruction ID: 7eaa6569fad4bf2c6fcaf4146dfd3fb934ad6113cadc9bcab0e6c3f6298f58c1
Opcode Fuzzy Hash: 42a661137234515969637dc4967a7f0425cf43b22599d3c7474e3ee4f6772008
Instruction Fuzzy Hash: BBB16839A0020AAFDB14DFA8C845BAE3BB5FB48314F154229FA15E72D0DB34E945CF64

Function 00D10D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
Part of subcall function 00D110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
Part of subcall function 00D110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
Part of subcall function 00D110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D10DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D10E29
GetLengthSid.ADVAPI32(?), ref: 00D10E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D10E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D10E96
GetLengthSid.ADVAPI32(?), ref: 00D10EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D10EB5
HeapAlloc.KERNEL32(00000000), ref: 00D10EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D10EDD
CopySid.ADVAPI32(00000000), ref: 00D10EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D10F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D10F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D10F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F6E
HeapFree.KERNEL32(00000000), ref: 00D10F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F7E
HeapFree.KERNEL32(00000000), ref: 00D10F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F8E
HeapFree.KERNEL32(00000000), ref: 00D10F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D10FA1
HeapFree.KERNEL32(00000000), ref: 00D10FA8

Part of subcall function 00D11193: GetProcessHeap.KERNEL32(00000008,00D10BB1,?,00000000,?,00D10BB1,?), ref: 00D111A1
Part of subcall function 00D11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D10BB1,?), ref: 00D111A8
Part of subcall function 00D11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D10BB1,?), ref: 00D111B7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3f534c53a4cc1a3b9260b0c6937d5a8c07ac3294ee50a19de50c5c5041f30380
Instruction ID: 7ff7f79626f28b7ea68a42d7a574d95474eafc373639e4472f776f8d7f92ae62
Opcode Fuzzy Hash: 3f534c53a4cc1a3b9260b0c6937d5a8c07ac3294ee50a19de50c5c5041f30380
Instruction Fuzzy Hash: 68714C7590530ABBDF20AFA5EC45BEEBBB8BF05300F084115F919E6291DB719986CB70

Function 00D3C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D4CC08,00000000,?,00000000,?,?), ref: 00D3C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D3C5A4
_wcslen.LIBCMT ref: 00D3C5F4
_wcslen.LIBCMT ref: 00D3C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D3C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D3C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D3C84D
RegCloseKey.ADVAPI32(?), ref: 00D3C881
RegCloseKey.ADVAPI32(00000000), ref: 00D3C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D3C960

Strings

REG_EXPAND_SZ, xrefs: 00D3C5CD
REG_MULTI_SZ, xrefs: 00D3C6F5
REG_BINARY, xrefs: 00D3C913
REG_DWORD, xrefs: 00D3C804
REG_QWORD, xrefs: 00D3C8C3
REG_SZ, xrefs: 00D3C644

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f3587c68a1b97a03624455850e8e805bbc4b1a691618bee0f6fb0fe85491d98c
Instruction ID: be7c60bad22b5b99a671818fb7a6dd4e27da693dc2d80e68bd7a7b9095e5191f
Opcode Fuzzy Hash: f3587c68a1b97a03624455850e8e805bbc4b1a691618bee0f6fb0fe85491d98c
Instruction Fuzzy Hash: EA126A356142019FC714DF14C881A6AB7E5EF88714F08889DF98AAB3A2DB31FD45DBA1

Function 00D4091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D409C6
_wcslen.LIBCMT ref: 00D40A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D40A54
_wcslen.LIBCMT ref: 00D40A8A
_wcslen.LIBCMT ref: 00D40B06
_wcslen.LIBCMT ref: 00D40B81

Part of subcall function 00CCF9F2: _wcslen.LIBCMT ref: 00CCF9FD

Part of subcall function 00D12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D12BFA

Strings

GETSELECTED, xrefs: 00D40C4E
ISCHECKED, xrefs: 00D40CE1
SELECT, xrefs: 00D40D11
UNCHECK, xrefs: 00D40D3E
EXPAND, xrefs: 00D40BF8
GETTOTALCOUNT, xrefs: 00D409F2, 00D40A17
GETITEMCOUNT, xrefs: 00D40C1E
EXISTS, xrefs: 00D40B7C, 00D40B97
GETTEXT, xrefs: 00D40C97
CHECK, xrefs: 00D40A85, 00D40AA0
COLLAPSE, xrefs: 00D40B01, 00D40B1C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: dd63a4636b3faeba39c6fb1fbb05f2c0e419d89a0b6f45d068849eb7df9afc70
Instruction ID: 2e17aa06b56fc729494b74198c0b81625877112130e70a2758e18a16558f6b65
Opcode Fuzzy Hash: dd63a4636b3faeba39c6fb1fbb05f2c0e419d89a0b6f45d068849eb7df9afc70
Instruction Fuzzy Hash: CCE1B0312083019FCB14DF24C45196ABBE1FF98314F18895DF99A9B762DB31ED4ACBA1

Function 00D3C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
_wcslen.LIBCMT ref: 00D3C9F1
_wcslen.LIBCMT ref: 00D3CA68
_wcslen.LIBCMT ref: 00D3CA9E
_wcslen.LIBCMT ref: 00D3CAF9
_wcslen.LIBCMT ref: 00D3CB2F
_wcslen.LIBCMT ref: 00D3CB7F

Strings

HKCR, xrefs: 00D3CB29, 00D3CB2E
HKEY_CURRENT_CONFIG, xrefs: 00D3CB79, 00D3CB7E
HKEY_CLASSES_ROOT, xrefs: 00D3CAF3, 00D3CAF8
HKEY_USERS, xrefs: 00D3CBDF
HKEY_LOCAL_MACHINE, xrefs: 00D3CA62, 00D3CA67
HKLM, xrefs: 00D3CA98, 00D3CA9D
HKCU, xrefs: 00D3CBCE
HKCC, xrefs: 00D3CBAC
HKU, xrefs: 00D3CBF0
HKEY_CURRENT_USER, xrefs: 00D3CBBD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f39534c291437705c1eb1720693a63a3fa6a1271da330daf2d8d8abc113410d3
Instruction ID: 0c64553d4a7d36c70c6ede9dd115b09a5e3f1857bcc29cf386f298fd9cd278ca
Opcode Fuzzy Hash: f39534c291437705c1eb1720693a63a3fa6a1271da330daf2d8d8abc113410d3
Instruction Fuzzy Hash: 2871D43362012A8BCB20DF7CCD516BE7395AF60754F296529F896B7284EA31CD45D3B0

Function 00D4833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D4835A
_wcslen.LIBCMT ref: 00D4836E
_wcslen.LIBCMT ref: 00D48391
_wcslen.LIBCMT ref: 00D483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D45BF2), ref: 00D4844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D48487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D48501
FreeLibrary.KERNEL32(?), ref: 00D4850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D4851D
DestroyIcon.USER32(?,?,?,?,?,00D45BF2), ref: 00D4852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D48549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D48555

Strings

.dll, xrefs: 00D483AB
.icl, xrefs: 00D48368
.exe, xrefs: 00D48388

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8e7543262049f189abeaf3b4c1fe783faf39c292495c705d0df2a18e7fda7285
Instruction ID: 614086689c35b9e5c90d7a7425bafe71104ad235eee06d4ae972ed411085fe94
Opcode Fuzzy Hash: 8e7543262049f189abeaf3b4c1fe783faf39c292495c705d0df2a18e7fda7285
Instruction Fuzzy Hash: AB61BF71940315BFEB14DF64CC85BBE77A8BB04B61F10460AF919E61D1DB74AA80EBB0

Function 00CB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 00CF519A
#comments-end, xrefs: 00CB78D9
#include, xrefs: 00CB7847
", xrefs: 00CF5153
#cs, xrefs: 00CB7873, 00CB78C5
#ce, xrefs: 00CB78ED
', xrefs: 00CF5169
Cannot parse #include, xrefs: 00CF5279
#notrayicon, xrefs: 00CB77E7
#include-once, xrefs: 00CB782F
#pragma compile, xrefs: 00CB77D3
#comments-start, xrefs: 00CB785F, 00CB78B1
#OnAutoItStartRegister, xrefs: 00CB7817
#requireadmin, xrefs: 00CB77FF
Unterminated group of comments, xrefs: 00CF528C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 3af7270dcc80dc9e43f815ff6a3c6cf88e52fc29d7ebb0b46710e2bdacea0c03
Instruction ID: 7b905bb21029c62ea63fcb7f30d352c1496ee92f49b268541f1345c2dc6d2b44
Opcode Fuzzy Hash: 3af7270dcc80dc9e43f815ff6a3c6cf88e52fc29d7ebb0b46710e2bdacea0c03
Instruction Fuzzy Hash: E681E571A44609BFDB21AF60CC42FFE37A9AF55300F044125FF15AA192EB70DA15E7A1

Function 00D23E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D23EF8
_wcslen.LIBCMT ref: 00D23F03
_wcslen.LIBCMT ref: 00D23F5A
_wcslen.LIBCMT ref: 00D23F98
GetDriveTypeW.KERNEL32(?), ref: 00D23FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D2401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D24059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D24087

Strings

open , xrefs: 00D23FE5
set cd door , xrefs: 00D24028
closed, xrefs: 00D23F08, 00D23F2D, 00D23F46, 00D23F7E, 00D23F97
open, xrefs: 00D23F54, 00D23F59
type cdaudio alias cd wait, xrefs: 00D24001
wait, xrefs: 00D24044
close cd wait, xrefs: 00D24072
close, xrefs: 00D23EFE, 00D23F18

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 427d88168f35aa2a9709c44dacea9e7bb677b0489940cf3d85b8932b91205b7d
Instruction ID: 5411cfa116a62198fa943477f60a16f9d202285d2a3df5ed5900b9d6144c4758
Opcode Fuzzy Hash: 427d88168f35aa2a9709c44dacea9e7bb677b0489940cf3d85b8932b91205b7d
Instruction Fuzzy Hash: 0C7112326043219FC310EF24D9808ABB7F4EFA4758F14892DF995972A1EB31DD49CBA1

Function 00D15A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D15A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D15A40
SetWindowTextW.USER32(?,?), ref: 00D15A57
GetDlgItem.USER32(?,000003EA), ref: 00D15A6C
SetWindowTextW.USER32(00000000,?), ref: 00D15A72
GetDlgItem.USER32(?,000003E9), ref: 00D15A82
SetWindowTextW.USER32(00000000,?), ref: 00D15A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D15AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D15AC3
GetWindowRect.USER32(?,?), ref: 00D15ACC
_wcslen.LIBCMT ref: 00D15B33
SetWindowTextW.USER32(?,?), ref: 00D15B6F
GetDesktopWindow.USER32 ref: 00D15B75
GetWindowRect.USER32(00000000), ref: 00D15B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D15BD3
GetClientRect.USER32(?,?), ref: 00D15BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D15C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D15C2F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: aca9230ffbf873abf9726f05cf11dfe1a0c2edc27dce1e6c66d8d9738f8da49c
Instruction ID: 57f41997fdfebfb06b39cd763a5a9ef4214b4333528b7614944315503ca3ed30
Opcode Fuzzy Hash: aca9230ffbf873abf9726f05cf11dfe1a0c2edc27dce1e6c66d8d9738f8da49c
Instruction Fuzzy Hash: D3716F35900B05EFDB20DFA8EE85BAEBBF5FF48704F144518E542A26A4DB75E940CB60

Function 00D2FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D2FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00D2FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00D2FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00D2FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00D2FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00D2FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00D2FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00D2FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00D2FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00D2FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00D2FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00D2FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00D2FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00D2FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00D2FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00D2FECC
GetCursorInfo.USER32(?), ref: 00D2FEDC
GetLastError.KERNEL32 ref: 00D2FF1E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6c03b785b19fd6cea57bd84aeaeb27e63185e3f64329d8a2bd44bca5481863cd
Instruction ID: 57fa41a64c89d3de04a60e89fc4e6f9ffd7a41d2689b10a6a70a58d93e0a47b5
Opcode Fuzzy Hash: 6c03b785b19fd6cea57bd84aeaeb27e63185e3f64329d8a2bd44bca5481863cd
Instruction Fuzzy Hash: FF4160B0D083196ADB109FBA9C8985EBFF8FF04354B54453AE119E7291DB78A9018EA0

Function 00CD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CD00C6

Part of subcall function 00CD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D8070C,00000FA0,301BBAB0,?,?,?,?,00CF23B3,000000FF), ref: 00CD011C
Part of subcall function 00CD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CF23B3,000000FF), ref: 00CD0127
Part of subcall function 00CD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CF23B3,000000FF), ref: 00CD0138
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CD014E
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CD015C
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CD016A
Part of subcall function 00CD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CD0195
Part of subcall function 00CD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CD01A0

___scrt_fastfail.LIBCMT ref: 00CD00E7

Part of subcall function 00CD00A3: __onexit.LIBCMT ref: 00CD00A9

Strings

kernel32.dll, xrefs: 00CD0133
SleepConditionVariableCS, xrefs: 00CD0154
WakeAllConditionVariable, xrefs: 00CD0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CD0122
InitializeConditionVariable, xrefs: 00CD0148

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4c25f98c4fad79c9c5e0b10bf4335e977aa01cfc1e9e5c14dc9d3c0315b060bc
Instruction ID: a7b0fae049b08a79b67923d90e6e6aa1b45e63d292b74d8436f589118bc2d700
Opcode Fuzzy Hash: 4c25f98c4fad79c9c5e0b10bf4335e977aa01cfc1e9e5c14dc9d3c0315b060bc
Instruction Fuzzy Hash: 9621C636A557106FE7506FA8AC46B6E7798EB05B61F20013FFA01E23A1DB7498048AB0

Function 00D130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1318D
_wcslen.LIBCMT ref: 00D131F8

Strings

INSTANCE, xrefs: 00D13453
CLASS, xrefs: 00D13188, 00D131A5
NAME, xrefs: 00D13335, 00D13346
REGEXPCLASS, xrefs: 00D13255, 00D13266
TEXT, xrefs: 00D1347C
CLASSNN, xrefs: 00D131F3, 00D13204

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3ff596b25e5134a158fbb8bc0ab715ef93845c65ac327788ca4df94af67211f5
Instruction ID: f24176d50e43ad7a3e4dd0bd967d6cea54aae116c666a05aaf623ab6ecf6a147
Opcode Fuzzy Hash: 3ff596b25e5134a158fbb8bc0ab715ef93845c65ac327788ca4df94af67211f5
Instruction Fuzzy Hash: DFE1E532A00616BBDB18DFA8E4517EDBBB5BF44710F58811AE456A7240EF30AEC597B0

Function 00D244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D4CC08), ref: 00D24527
_wcslen.LIBCMT ref: 00D2453B
_wcslen.LIBCMT ref: 00D24599
_wcslen.LIBCMT ref: 00D245F4
_wcslen.LIBCMT ref: 00D2463F
_wcslen.LIBCMT ref: 00D246A7

Part of subcall function 00CCF9F2: _wcslen.LIBCMT ref: 00CCF9FD

GetDriveTypeW.KERNEL32(?,00D76BF0,00000061), ref: 00D24743

Strings

ramdisk, xrefs: 00D246F1
network, xrefs: 00D2469D, 00D246A2
unknown, xrefs: 00D24708
all, xrefs: 00D24531, 00D24536
cdrom, xrefs: 00D2458F, 00D24594
fixed, xrefs: 00D24635, 00D2463A
removable, xrefs: 00D245EA, 00D245EF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 32a552537b31bdda931c5fbeb64b185fff94b7af225d75ee7fc225120328d5dd
Instruction ID: b49d5541352a5ddc18b031273a3015bfcb155bb2d23ae81887a24011f8b8249a
Opcode Fuzzy Hash: 32a552537b31bdda931c5fbeb64b185fff94b7af225d75ee7fc225120328d5dd
Instruction Fuzzy Hash: 4BB1D5316083229FC710DF28E890AAEB7E5EFA5718F54491DF996C7291E730D845CBB2

Function 00D33FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D4CC08), ref: 00D340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D4CC08), ref: 00D340F2
FreeLibrary.KERNEL32(00000000,?,00D4CC08), ref: 00D3413E
StringFromGUID2.OLE32(?,?,00000028,?,00D4CC08), ref: 00D341A8
SysFreeString.OLEAUT32(00000009), ref: 00D34262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D342C8
SysFreeString.OLEAUT32(?), ref: 00D342F2

Strings

kernel32.dll, xrefs: 00D340B6
GetModuleHandleExW, xrefs: 00D340C7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 9b32af13f6fd5f449f9aa2967a8c9b8d7d6663ce36969e0a368ecc34bab3581b
Instruction ID: 234aeff25d79003a279bfa264b5ff7e646e1726847df0d9c42fef9f7cce9a46f
Opcode Fuzzy Hash: 9b32af13f6fd5f449f9aa2967a8c9b8d7d6663ce36969e0a368ecc34bab3581b
Instruction Fuzzy Hash: B2122B75A00219EFDB14CF94C884EAEBBB5FF45314F288098E905AB261D775FD46CBA0

Function 00CB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D81990), ref: 00CF2F8D
GetMenuItemCount.USER32(00D81990), ref: 00CF303D
GetCursorPos.USER32(?), ref: 00CF3081
SetForegroundWindow.USER32(00000000), ref: 00CF308A
TrackPopupMenuEx.USER32(00D81990,00000000,?,00000000,00000000,00000000), ref: 00CF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CF30A9

Strings

0, xrefs: 00CB327D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 53b8ee1e1f5fcad1b54541d3ee9eb38fd31df1d5511f759b5e507aa6f0cfb108
Instruction ID: a67a4b85f669cf8959e6fc364e444f19247c3a07e935bef5a1b800be6e39436d
Opcode Fuzzy Hash: 53b8ee1e1f5fcad1b54541d3ee9eb38fd31df1d5511f759b5e507aa6f0cfb108
Instruction Fuzzy Hash: 59713F30640259BFEB218F65CC49FEABF64FF01324F204206F624AA1E1C7B19D50DB62

Function 00D46CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D46DEB

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D46E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D46E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D46E94
DestroyWindow.USER32(?), ref: 00D46EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CB0000,00000000), ref: 00D46EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D46EFD
GetDesktopWindow.USER32 ref: 00D46F16
GetWindowRect.USER32(00000000), ref: 00D46F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D46F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D46F4D

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

Strings

0, xrefs: 00D46D98
tooltips_class32, xrefs: 00D46E58, 00D46EDD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f8ba903d2ec1c52c5ea26f3e2a7c3bbdfd2f96872f17dce66000b3a139f19b4d
Instruction ID: 8d053564d3939e96a39d97f654077c958067340cdf921d7a532ae58248bfbca0
Opcode Fuzzy Hash: f8ba903d2ec1c52c5ea26f3e2a7c3bbdfd2f96872f17dce66000b3a139f19b4d
Instruction Fuzzy Hash: 20714A74104344AFDB21DF18D844BAABBE9FF8A304F08441DF99AD7261D770E90ADB22

Function 00D4911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D49147

Part of subcall function 00D47674: ClientToScreen.USER32(?,?), ref: 00D4769A
Part of subcall function 00D47674: GetWindowRect.USER32(?,?), ref: 00D47710
Part of subcall function 00D47674: PtInRect.USER32(?,?,00D48B89), ref: 00D47720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D49225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D4923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D49255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D49277
DragFinish.SHELL32(?), ref: 00D4927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D49371

Strings

@GUI_DRAGID, xrefs: 00D492E9
@GUI_DRAGFILE, xrefs: 00D49320
@GUI_DROPID, xrefs: 00D4929E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5f0db3d4d602aae15bb72faaf682991ca0f7674cef268d5e4bf1d399a12a668f
Instruction ID: 87a5a154e109966ce2ae8fabe5e161313cfb58c05ae1a4b97bdfdc6c2c6691be
Opcode Fuzzy Hash: 5f0db3d4d602aae15bb72faaf682991ca0f7674cef268d5e4bf1d399a12a668f
Instruction Fuzzy Hash: CA616B71108301AFD701EF64DC95DAFBBE8EF89750F40091EF595932A1DB70AA49CB62

Function 00D2C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D2C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D2C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D2C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D2C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D2C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D2C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D2C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D2C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D2C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D2C5F0
InternetCloseHandle.WININET(00000000), ref: 00D2C5FB

Strings

, xrefs: 00D2C575

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2d3876d2f6c9334ed0bda22184051f0965ae2f0b5610eec5a3c03a3a4253fe18
Instruction ID: 7343f6420210fd193f2d8a3f0729881dd2234f43159b88dd7a568dbec2d89c73
Opcode Fuzzy Hash: 2d3876d2f6c9334ed0bda22184051f0965ae2f0b5610eec5a3c03a3a4253fe18
Instruction Fuzzy Hash: F85168B4111718AFEB219F609988AAB7BBCFF19348F04641AF945D6210EB75ED049B70

Function 00D4856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00D48592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485BA
GlobalLock.KERNEL32(00000000), ref: 00D485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485D7
GlobalUnlock.KERNEL32(00000000), ref: 00D485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00D4FC38,?), ref: 00D48611
GlobalFree.KERNEL32(00000000), ref: 00D48621
GetObjectW.GDI32(?,00000018,?), ref: 00D48641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D48671
DeleteObject.GDI32(?), ref: 00D48699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D486AF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 12a3fba9b5ca43280707030a1b3a7cd7721b7b3331fdc92f8b4597bb3ebf066d
Instruction ID: 6443dd01b0020031bc179fb2b58f34c049e4751e2100801e6b03f168060c462d
Opcode Fuzzy Hash: 12a3fba9b5ca43280707030a1b3a7cd7721b7b3331fdc92f8b4597bb3ebf066d
Instruction Fuzzy Hash: B6412979601304AFDB519FA5CC88EAE7BB8EF8A751F148058F909E7260DB709901DF30

Function 00D214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D21502
VariantCopy.OLEAUT32(?,?), ref: 00D2150B
VariantClear.OLEAUT32(?), ref: 00D21517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D21657
VariantInit.OLEAUT32(?), ref: 00D21708
SysFreeString.OLEAUT32(?), ref: 00D2178C
VariantClear.OLEAUT32(?), ref: 00D217D8
VariantClear.OLEAUT32(?), ref: 00D217E7
VariantInit.OLEAUT32(00000000), ref: 00D21823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D21625
Default, xrefs: 00D216AF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5dfc4e18940243144c31d84cee40ce009f25aa057ef68d4227dc84b4a123a591
Instruction ID: 984ded34f174ad0a836cea3516cb42b823a02aae9127b0d41c63266806abec63
Opcode Fuzzy Hash: 5dfc4e18940243144c31d84cee40ce009f25aa057ef68d4227dc84b4a123a591
Instruction Fuzzy Hash: 2CD12335A00225EBDB009F65E885BBDB7B5BF65708F14C49AF446AB280DB30EC41EB71

Function 00D3B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D3B80A
RegCloseKey.ADVAPI32(?), ref: 00D3B87E
RegCloseKey.ADVAPI32(?), ref: 00D3B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D3B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D3B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D3B922
FreeLibrary.KERNEL32(00000000), ref: 00D3B983
RegCloseKey.ADVAPI32(00000000), ref: 00D3B994

Strings

advapi32.dll, xrefs: 00D3B8ED
RegDeleteKeyExW, xrefs: 00D3B8FE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c864a2d154720881a7b1a682e0b8a32a3f36581836fc9be65311d22cda849177
Instruction ID: 5852c6cb81e9c7836b2a29c7a33df1d855a7579d63553b43c84745bcda95cce1
Opcode Fuzzy Hash: c864a2d154720881a7b1a682e0b8a32a3f36581836fc9be65311d22cda849177
Instruction Fuzzy Hash: 7BC18A34208201AFD710DF14C495F6ABBE5FF84318F18859DF69A8B2A2CB71ED45DBA1

Function 00D3255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D325E8
CreateCompatibleDC.GDI32(?), ref: 00D325F4
SelectObject.GDI32(00000000,?), ref: 00D32601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D3266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D326D0
SelectObject.GDI32(?,?), ref: 00D326D8
DeleteObject.GDI32(?), ref: 00D326E1
DeleteDC.GDI32(?), ref: 00D326E8
ReleaseDC.USER32(00000000,?), ref: 00D326F3

Strings

(, xrefs: 00D3268D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 53792f48b217022f755bdf7e752fdb1bac50d5db69546f2f975e45e1dc9863e1
Instruction ID: 044b76ed8a6bd71fbff1afac50613ccccfa20f5e320167bec5e03108300b30c7
Opcode Fuzzy Hash: 53792f48b217022f755bdf7e752fdb1bac50d5db69546f2f975e45e1dc9863e1
Instruction Fuzzy Hash: F961D1B5D01219EFCF14CFA8D885AAEBBB6FF48310F208529E955A7350D770A941CFA0

Function 00CEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CEDAA1

Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED659
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED66B
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED67D
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED68F
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6A1
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6B3
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6C5
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6D7
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6E9
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6FB
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED70D
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED71F
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED731

_free.LIBCMT ref: 00CEDA96

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CEDAB8
_free.LIBCMT ref: 00CEDACD
_free.LIBCMT ref: 00CEDAD8
_free.LIBCMT ref: 00CEDAFA
_free.LIBCMT ref: 00CEDB0D
_free.LIBCMT ref: 00CEDB1B
_free.LIBCMT ref: 00CEDB26
_free.LIBCMT ref: 00CEDB5E
_free.LIBCMT ref: 00CEDB65
_free.LIBCMT ref: 00CEDB82
_free.LIBCMT ref: 00CEDB9A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5f0efd061fc2a70c84980f512faaf9cd31ae632f0b64011295a69aaced4ae2c5
Instruction ID: 000496fa921bed2439fd28a7324bcae5a1d335f27faa1e12318053b3d4c3eb35
Opcode Fuzzy Hash: 5f0efd061fc2a70c84980f512faaf9cd31ae632f0b64011295a69aaced4ae2c5
Instruction Fuzzy Hash: 683162316043899FDB21AE3AE846B5A77E9FF00310F155429F46AD7192EF35EE80E720

Function 00D1365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D1369C
_wcslen.LIBCMT ref: 00D136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D13797
GetClassNameW.USER32(?,?,00000400), ref: 00D1380C
GetDlgCtrlID.USER32(?), ref: 00D1385D
GetWindowRect.USER32(?,?), ref: 00D13882
GetParent.USER32(?), ref: 00D138A0
ScreenToClient.USER32(00000000), ref: 00D138A7
GetClassNameW.USER32(?,?,00000100), ref: 00D13921
GetWindowTextW.USER32(?,?,00000400), ref: 00D1395D

Strings

%s%u, xrefs: 00D13734

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2d8983f5f48048af8592d6e1561ded59cacdade970f7f22f94b65d5667088444
Instruction ID: e6e3837ac1bcb17707648d43caae0db3b50f87d6739fa588ec986cd53572b4ae
Opcode Fuzzy Hash: 2d8983f5f48048af8592d6e1561ded59cacdade970f7f22f94b65d5667088444
Instruction Fuzzy Hash: AE91AD71204706BFD718DF24E885BEAB7A8FF44350F048629F999D2190DB30EA85CBB1

Function 00D14954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D14994
GetWindowTextW.USER32(?,?,00000400), ref: 00D149DA
_wcslen.LIBCMT ref: 00D149EB
CharUpperBuffW.USER32(?,00000000), ref: 00D149F7
_wcsstr.LIBVCRUNTIME ref: 00D14A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D14A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D14A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D14AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D14B20
GetWindowRect.USER32(?,?), ref: 00D14B8B

Strings

ThumbnailClass, xrefs: 00D14A6F, 00D14AF1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 03360ec9f04a50feb25aa6a0f99974955e738eea400895ad3b51e78f4fff692b
Instruction ID: cfda011b7b8f9005e97e3e42f5db1eab0923df48e901842a15ab0b1006df18b4
Opcode Fuzzy Hash: 03360ec9f04a50feb25aa6a0f99974955e738eea400895ad3b51e78f4fff692b
Instruction Fuzzy Hash: F4919C71109205AFDB04CF14E985BEA77A8EF84354F08846AFD899A196DF30ED85CBB1

Function 00D48D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D48D5A
GetFocus.USER32 ref: 00D48D6A
GetDlgCtrlID.USER32(00000000), ref: 00D48D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D48E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D48ECF
GetMenuItemCount.USER32(?), ref: 00D48EEC
GetMenuItemID.USER32(?,00000000), ref: 00D48EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D48F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D48F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D48FA1

Strings

0, xrefs: 00D48E9F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7dcdcd12baef4a0cba37bbf36e0e0344aeae4a5574509a782d4591e5679af898
Instruction ID: 2aed6753c6f87dcda541b1036af7c66a9feada9a4d3577432cef069611d3243f
Opcode Fuzzy Hash: 7dcdcd12baef4a0cba37bbf36e0e0344aeae4a5574509a782d4591e5679af898
Instruction Fuzzy Hash: 0E817B71504341ABD710CF24C884AAFBBE9EF89794F080929F99597291DB31D905EBB2

Function 00D1BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D81990,000000FF,00000000,00000030), ref: 00D1BFAC
SetMenuItemInfoW.USER32(00D81990,00000004,00000000,00000030), ref: 00D1BFE1
Sleep.KERNEL32(000001F4), ref: 00D1BFF3
GetMenuItemCount.USER32(?), ref: 00D1C039
GetMenuItemID.USER32(?,00000000), ref: 00D1C056
GetMenuItemID.USER32(?,-00000001), ref: 00D1C082
GetMenuItemID.USER32(?,?), ref: 00D1C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D1C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1C145

Strings

0, xrefs: 00D1BF3D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: a73021e09a016ae0b08aff538b0c6d88c988d200549bbf46dd3ef5c1bcca3086
Instruction ID: 4991fe0a0b51487f661df280d7e472c0d86bc7df9b0f9127dfff8b81372d0aa0
Opcode Fuzzy Hash: a73021e09a016ae0b08aff538b0c6d88c988d200549bbf46dd3ef5c1bcca3086
Instruction Fuzzy Hash: C7618EB49A038ABFDF11CF64EC88AEE7BB8EB05354F045055E841A3291DB31AD85CB70

Function 00D1DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D1DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D1DC46
_wcslen.LIBCMT ref: 00D1DC50
_wcsstr.LIBVCRUNTIME ref: 00D1DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D1DCBC

Strings

DefaultLangCodepage, xrefs: 00D1DD1F
04090000, xrefs: 00D1DCF2
%u.%u.%u.%u, xrefs: 00D1DD9A
\VarFileInfo\Translation, xrefs: 00D1DCB4
StringFileInfo\, xrefs: 00D1DC8F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ba09e5a43b055168d7034cf3f81547e7e569255f1d08398830b842e02282f3e8
Instruction ID: 1b252860f0854c33aa405b9148a35e5386abe61a49032442573f9868698db9d5
Opcode Fuzzy Hash: ba09e5a43b055168d7034cf3f81547e7e569255f1d08398830b842e02282f3e8
Instruction Fuzzy Hash: CC41FF72A403017BDB14AB64EC43EFF776DEF56710F14406EFA01A6282EB70E901A6B5

Function 00D3CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D3CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D3CD48

Part of subcall function 00D3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D3CCAA
Part of subcall function 00D3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D3CCBD
Part of subcall function 00D3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D3CCCF
Part of subcall function 00D3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D3CD05
Part of subcall function 00D3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D3CCF3

Strings

advapi32.dll, xrefs: 00D3CCB8
RegDeleteKeyExW, xrefs: 00D3CCC9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e28bb4627bacea53e001cd20d9239fa42f56cd95aa24537f10cdbe39201126d1
Instruction ID: 35b67c0789e40b2f2717fa98f12548a9d65288be8c1246fa6aa18e5af03459cf
Opcode Fuzzy Hash: e28bb4627bacea53e001cd20d9239fa42f56cd95aa24537f10cdbe39201126d1
Instruction Fuzzy Hash: 41316E75912229BBDB208F55DC88EFFBB7CEF46750F041165B905E2240DA349A45DBB0

Function 00D23D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D23D40
_wcslen.LIBCMT ref: 00D23D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D23D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D23DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D23DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D23E55
CloseHandle.KERNEL32(00000000), ref: 00D23E60
CloseHandle.KERNEL32(00000000), ref: 00D23E6B

Strings

\, xrefs: 00D23D77
:, xrefs: 00D23D82
\??\%s, xrefs: 00D23D5B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c0c14e53159c227913166f5e43e1647482fc3c94de5d1407f9fe754192303b0f
Instruction ID: b5315c3051cd7e78eb469694a264bdbb4dd2170557b7acffbffebb598cff3577
Opcode Fuzzy Hash: c0c14e53159c227913166f5e43e1647482fc3c94de5d1407f9fe754192303b0f
Instruction Fuzzy Hash: 2631AF76A10219ABDB209FA0DC89FEB37BCEF89704F1441A6F609D6160EB7497448B34

Function 00D1E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D1E6B4

Part of subcall function 00CCE551: timeGetTime.WINMM(?,?,00D1E6D4), ref: 00CCE555

Sleep.KERNEL32(0000000A), ref: 00D1E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D1E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D1E727
SetActiveWindow.USER32 ref: 00D1E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D1E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D1E773
Sleep.KERNEL32(000000FA), ref: 00D1E77E
IsWindow.USER32 ref: 00D1E78A
EndDialog.USER32(00000000), ref: 00D1E79B

Strings

BUTTON, xrefs: 00D1E719

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1a9c341390b0d8a05774d6d8a5b46479efcec005a10816d90677c017c8bf7f38
Instruction ID: 0c38af0b3ad754bf8f4150c587dbb142098f78f5701e557d3b94de51385eea61
Opcode Fuzzy Hash: 1a9c341390b0d8a05774d6d8a5b46479efcec005a10816d90677c017c8bf7f38
Instruction Fuzzy Hash: 14214C74221304BFFB005F61FC8AA753BA9FB56748B145424F905C23A1EE71AC449B34

Function 00D1E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D1EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D1EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D1EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D1EAA7

Strings

close PlayMe, xrefs: 00D1EA6E, 00D1EA9B
alias PlayMe, xrefs: 00D1EA36
open , xrefs: 00D1EA0C
play PlayMe, xrefs: 00D1EAA2
play PlayMe wait, xrefs: 00D1EA91
status PlayMe mode, xrefs: 00D1EA58

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 57591803cc47c4223fb2ca4142b61ed93c2eb4ade74b3668f7ddd46b916c8f23
Instruction ID: 19e7466a951a80e4fa41236b29fdee0d4bf3f0dc9397fd9ed20d5715eadf9b29
Opcode Fuzzy Hash: 57591803cc47c4223fb2ca4142b61ed93c2eb4ade74b3668f7ddd46b916c8f23
Instruction Fuzzy Hash: F5114F21A902697DD724A7A2EC4ADFB6B7CEFD1B00F444429B905A20D1FF704949C9B0

Function 00D19F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D1A012
SetKeyboardState.USER32(?), ref: 00D1A07D
GetAsyncKeyState.USER32(000000A0), ref: 00D1A09D
GetKeyState.USER32(000000A0), ref: 00D1A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00D1A0E3
GetKeyState.USER32(000000A1), ref: 00D1A0F4
GetAsyncKeyState.USER32(00000011), ref: 00D1A120
GetKeyState.USER32(00000011), ref: 00D1A12E
GetAsyncKeyState.USER32(00000012), ref: 00D1A157
GetKeyState.USER32(00000012), ref: 00D1A165
GetAsyncKeyState.USER32(0000005B), ref: 00D1A18E
GetKeyState.USER32(0000005B), ref: 00D1A19C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a0080fb8d401f9e065d80550e0aa5dca585c3b1155189d08165060367ca3c16b
Instruction ID: fbe62bcd60d7c2af23ce4c1b59c53e46d7d4b3f83fc57b764b650d94ce534d93
Opcode Fuzzy Hash: a0080fb8d401f9e065d80550e0aa5dca585c3b1155189d08165060367ca3c16b
Instruction Fuzzy Hash: 7551D9609057843AFB35EBB4A9207EAEFB49F12380F0C8599D5C2571C2DE649ACCC772

Function 00D15CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D15CE2
GetWindowRect.USER32(00000000,?), ref: 00D15CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D15D59
GetDlgItem.USER32(?,00000002), ref: 00D15D69
GetWindowRect.USER32(00000000,?), ref: 00D15D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D15DCF
GetDlgItem.USER32(?,000003E9), ref: 00D15DDD
GetWindowRect.USER32(00000000,?), ref: 00D15DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D15E31
GetDlgItem.USER32(?,000003EA), ref: 00D15E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D15E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D15E67

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f3e5a5701189d4ec223c09c0dffbb641bf1fdc24c840ff5d7a1daaad033a2a96
Instruction ID: a70051c2da096d651df7fba1511db441c8c4f9f88366b90f488c32032e5dee2a
Opcode Fuzzy Hash: f3e5a5701189d4ec223c09c0dffbb641bf1fdc24c840ff5d7a1daaad033a2a96
Instruction Fuzzy Hash: 77511F74B10705AFDB18CF68ED89AAE7BB5EB89300F148129F915E6294DB749E40CB60

Function 00CC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CC8BE8,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8FC5

DestroyWindow.USER32(?), ref: 00CC8C81
KillTimer.USER32(00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00D06973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00D069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00D069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000), ref: 00D069D4
DeleteObject.GDI32(00000000), ref: 00D069E6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0a76f572e8cab97b2cceea1e6a72c11469ec0e291bc4a78757069a67c288cf82
Instruction ID: bffdf17165cf7bff67502600837ec5aba431edf3c2851fde34c050f6ee645daf
Opcode Fuzzy Hash: 0a76f572e8cab97b2cceea1e6a72c11469ec0e291bc4a78757069a67c288cf82
Instruction Fuzzy Hash: B461A838112700DFCB21AF15D948B2A7BF1FB45312F14451CE0569BAA0CB35AD99DFB0

Function 00CC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

GetSysColor.USER32(0000000F), ref: 00CC9862

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8ec4233e2f2b7ad54d415cffb5d6cefd7d56ecdb2fb9cbc741771aef6e1945a6
Instruction ID: ac8e36a1fc3d088e91adb776d2886d408593ed0b7ffa3d269313adcca508dea4
Opcode Fuzzy Hash: 8ec4233e2f2b7ad54d415cffb5d6cefd7d56ecdb2fb9cbc741771aef6e1945a6
Instruction Fuzzy Hash: 9E417B35905740AFDB205F38DC8CFB93BA5EB07320F185659F9B69B2E2D6319942DB20

Function 00D196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D19717
LoadStringW.USER32(00000000,?,00CFF7F8,00000001), ref: 00D19720

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D19742
LoadStringW.USER32(00000000,?,00CFF7F8,00000001), ref: 00D19745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D19866

Strings

Error: , xrefs: 00D1981D
%s (%d) : ==> %s: %s %s, xrefs: 00D1984A
Line %d:, xrefs: 00D197A0
Line %d (File "%s"):, xrefs: 00D1978F
^ ERROR, xrefs: 00D197FB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 30cf7c9292a534da507bf830ddaf6412bcd7e532a05f8240dde6aaa2c179fff6
Instruction ID: 9ea6b648522d559e49afcf13136db53d77ce825313e4d7c21c1fc17b95805634
Opcode Fuzzy Hash: 30cf7c9292a534da507bf830ddaf6412bcd7e532a05f8240dde6aaa2c179fff6
Instruction Fuzzy Hash: DE411972900219ABCB04EBE0DDA6DEEB778EF55340F600065F605B20A2EE356F49DB71

Function 00D106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D10804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D1082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D10837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D1083C

Strings

\IPC$, xrefs: 00D10784
SOFTWARE\Classes\, xrefs: 00D1070E
\CLSID, xrefs: 00D10724

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 45c6d51ba1e185124ba2fa07223802375811700ed5e851971beac01ad39cba27
Instruction ID: 6bfd9482d59c653f15d7e06d1ebe4769cc47e7e76d58b532740f6728e32ac75f
Opcode Fuzzy Hash: 45c6d51ba1e185124ba2fa07223802375811700ed5e851971beac01ad39cba27
Instruction Fuzzy Hash: 57411876C10229ABDF11EFA4EC95CEEB778FF44350F144129E905A72A1EB709E44DBA0

Function 00D43F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D4403B
CreateCompatibleDC.GDI32(00000000), ref: 00D44042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D44055
SelectObject.GDI32(00000000,00000000), ref: 00D4405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D44068
DeleteDC.GDI32(00000000), ref: 00D44072
GetWindowLongW.USER32(?,000000EC), ref: 00D4407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D44092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D4409E

Strings

static, xrefs: 00D43FD3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 167a7593e8af1039ff6c6d6de324eb43f80dfb224b85af62be9291eeb6027cb0
Instruction ID: 21e2490215821a314f2b5b88652e24ecafa42ce0c68ff2e459221ecc52b565a1
Opcode Fuzzy Hash: 167a7593e8af1039ff6c6d6de324eb43f80dfb224b85af62be9291eeb6027cb0
Instruction Fuzzy Hash: 62318C36112219ABDF219FA8DC09FDA3B68EF0E320F050211FA58E61A0C775D860DBB4

Function 00D33C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D33C5C
CoInitialize.OLE32(00000000), ref: 00D33C8A
CoUninitialize.OLE32 ref: 00D33C94
_wcslen.LIBCMT ref: 00D33D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D33DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D33ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D33F0E
CoGetObject.OLE32(?,00000000,00D4FB98,?), ref: 00D33F2D
SetErrorMode.KERNEL32(00000000), ref: 00D33F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D33FC4
VariantClear.OLEAUT32(?), ref: 00D33FD8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 25709804b3995bbef4a86c1d52cd5e04a75833db619aed84ef13a320eff52a55
Instruction ID: abb95ecc0e7df7ab401843ab84cb13853ec6904fcdffc6d260316523ea473da6
Opcode Fuzzy Hash: 25709804b3995bbef4a86c1d52cd5e04a75833db619aed84ef13a320eff52a55
Instruction Fuzzy Hash: A5C13471608305AFD700DF68C98492BBBE9FF89744F14491DF98A9B220DB71EE45CB62

Function 00D27A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D27AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D27B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D27BA3
CoCreateInstance.OLE32(00D4FD08,00000000,00000001,00D76E6C,?), ref: 00D27BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D27C74
CoTaskMemFree.OLE32(?,?), ref: 00D27CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D27D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D27D7A
CoTaskMemFree.OLE32(00000000), ref: 00D27D81
CoTaskMemFree.OLE32(00000000), ref: 00D27DD6
CoUninitialize.OLE32 ref: 00D27DDC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: bb9b57671866b7446ec2cdcca99174cfd7bf1fe12c7c03dc3598392da836ad42
Instruction ID: 8057dc282a6142c91bbd0ad384abe888c29fe6c4e3a5451e8c9037df17a9c9f3
Opcode Fuzzy Hash: bb9b57671866b7446ec2cdcca99174cfd7bf1fe12c7c03dc3598392da836ad42
Instruction Fuzzy Hash: 12C12B75A04219AFCB14DF64D884DAEBBF9FF48304B148499E81ADB361D730ED45CBA0

Function 00D4541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D45504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D45515
CharNextW.USER32(00000158), ref: 00D45544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D45585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D4559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D455AC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f07d00210e3522308b45cc048aba17bd3f1bd3d9a1c3be2d44c26962552c5111
Instruction ID: 714c303dc468e897c68bc27f3622da42ccedaa5d50dda4911ea7e19b0adde3aa
Opcode Fuzzy Hash: f07d00210e3522308b45cc048aba17bd3f1bd3d9a1c3be2d44c26962552c5111
Instruction Fuzzy Hash: E361A034905608EFDF109F64EC849FE7BB9EB0A720F148145F965AB2A6D7708A81DF70

Function 00D0FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D0FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00D0FB08
VariantInit.OLEAUT32(?), ref: 00D0FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D0FB3A
VariantCopy.OLEAUT32(?,?), ref: 00D0FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D0FBA1
VariantClear.OLEAUT32(?), ref: 00D0FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00D0FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0FBCC
VariantClear.OLEAUT32(?), ref: 00D0FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0FBE9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1776458e6dcec2f5b562384acd9950b68e7c92798f8cb5a927a73f199acbfe6e
Instruction ID: ef8b65470b86302b633dab752092106711e56a4e7b04171148b2dd4277c6c9e7
Opcode Fuzzy Hash: 1776458e6dcec2f5b562384acd9950b68e7c92798f8cb5a927a73f199acbfe6e
Instruction Fuzzy Hash: 82413E35A012199FCB10DFA8D854AAEBBB9EF48354F148069E959E7261CB30E945CFB0

Function 00D19C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D19CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D19D22
GetKeyState.USER32(000000A0), ref: 00D19D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D19D57
GetKeyState.USER32(000000A1), ref: 00D19D6C
GetAsyncKeyState.USER32(00000011), ref: 00D19D84
GetKeyState.USER32(00000011), ref: 00D19D96
GetAsyncKeyState.USER32(00000012), ref: 00D19DAE
GetKeyState.USER32(00000012), ref: 00D19DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D19DD8
GetKeyState.USER32(0000005B), ref: 00D19DEA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6ff86bfb853843af8c3dbc75718e52afd12cd94f67808203d0893d6c24aba327
Instruction ID: 224aa9230a41b4c1121d6111e1f3bb72e46899e50344177b04f7fdb005abad1d
Opcode Fuzzy Hash: 6ff86bfb853843af8c3dbc75718e52afd12cd94f67808203d0893d6c24aba327
Instruction Fuzzy Hash: B341C5346047C97AFF708A64F8343E5FEA16B12344F0C805ADAC6566C2DFA499C8C7B2

Function 00D3055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D305BC
inet_addr.WSOCK32(?), ref: 00D3061C
gethostbyname.WSOCK32(?), ref: 00D30628
IcmpCreateFile.IPHLPAPI ref: 00D30636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D307B9
WSACleanup.WSOCK32 ref: 00D307BF

Strings

Ping, xrefs: 00D30676

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7d27699e58d00aee8e2b8e7e8d9a9b47ea3f86bfd5e6ea358968b70a80457d8a
Instruction ID: 4f5a2df860237127ceed41eb502770a56d4a8f8d4f2fe80b608073bb24aee0cf
Opcode Fuzzy Hash: 7d27699e58d00aee8e2b8e7e8d9a9b47ea3f86bfd5e6ea358968b70a80457d8a
Instruction Fuzzy Hash: E1918B756043019FD320DF15C899F1ABBE0AF44318F1885A9F4AA9B7A2C770ED45CFA1

Function 00D38CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D38CF3

Part of subcall function 00D18E54: _wcslen.LIBCMT ref: 00D18E77

_wcslen.LIBCMT ref: 00D38D4E
_wcslen.LIBCMT ref: 00D38D9C
_wcslen.LIBCMT ref: 00D38DDC
_wcslen.LIBCMT ref: 00D38E6E

Strings

winapi, xrefs: 00D38D96, 00D38D9B
stdcall, xrefs: 00D38DD6, 00D38DDB
none, xrefs: 00D38E65, 00D38E6A
cdecl, xrefs: 00D38D48, 00D38D4D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5be5dd4b05c260ebd314d6ca9ebe49ac915b43c1500647f60d97cf08881739ba
Instruction ID: f8b6cf717e7e6af4e5a5a2b2a64ca6454701d035523e4ba9f75eb728f25d4a25
Opcode Fuzzy Hash: 5be5dd4b05c260ebd314d6ca9ebe49ac915b43c1500647f60d97cf08881739ba
Instruction Fuzzy Hash: 31519131A002169BCF14DF68C9509BEB7A5BF64720F244229F566E73C4EB35DD40E7A0

Function 00D3372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D33774
CoUninitialize.OLE32 ref: 00D3377F
CoCreateInstance.OLE32(?,00000000,00000017,00D4FB78,?), ref: 00D337D9
IIDFromString.OLE32(?,?), ref: 00D3384C
VariantInit.OLEAUT32(?), ref: 00D338E4
VariantClear.OLEAUT32(?), ref: 00D33936

Strings

NULL Pointer assignment, xrefs: 00D3381E
Failed to create object, xrefs: 00D337E4, 00D3389A
Invalid parameter, xrefs: 00D33865

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 35f1ff04c545e755cd58239515510cec32fe55ea1a41ceb47aff981638218298
Instruction ID: f273899231eb19a7212c1a3254140daae43cd354b8ac5319fdb03443991608f7
Opcode Fuzzy Hash: 35f1ff04c545e755cd58239515510cec32fe55ea1a41ceb47aff981638218298
Instruction Fuzzy Hash: 8361ADB4608301AFD310DF54C989F6ABBE8EF49714F044919F9859B2A1D770EE48CBB2

Function 00D23388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D233CF

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D233F0

Strings

Incorrect parameters to object property !, xrefs: 00D234AB
Error: , xrefs: 00D234D1
^ ERROR , xrefs: 00D2349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00D23504
Line %d (File "%s"):, xrefs: 00D23443, 00D2345C
"%s" (%d) : ==> %s:, xrefs: 00D23522

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d543d293105d074fb4e6e6b4be14734048804b3e9f936b3a359557e7cb89fd66
Instruction ID: 2356ef8c611b8ddac2a95e4f419505c23a5122b079c40b8c696a57a24ecf21eb
Opcode Fuzzy Hash: d543d293105d074fb4e6e6b4be14734048804b3e9f936b3a359557e7cb89fd66
Instruction Fuzzy Hash: AC517D31900219ABDB14EBE0DD52EEEB7B8EF14344F244065F509721A2EB356F99EB70

Function 00D1B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D1B5FC
_wcslen.LIBCMT ref: 00D1B608
_wcslen.LIBCMT ref: 00D1B64D
_wcslen.LIBCMT ref: 00D1B68C
_wcslen.LIBCMT ref: 00D1B6C7

Strings

APPEND, xrefs: 00D1B6C1, 00D1B6C6
EXISTS, xrefs: 00D1B686, 00D1B68B
KEYS, xrefs: 00D1B647, 00D1B64C
REMOVE, xrefs: 00D1B602, 00D1B607

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: dac53eec56faad73b46484b4d0ef7e8b2811a6f48775b9cdf5d8ca371a5df82d
Instruction ID: dc3178d17be63c4dac58cf1906adb6c751b81f02bd523a4bd63f83d4021232ae
Opcode Fuzzy Hash: dac53eec56faad73b46484b4d0ef7e8b2811a6f48775b9cdf5d8ca371a5df82d
Instruction Fuzzy Hash: ED41B732A00126ABCB105F7D99905FE77A5AB70774B28412BE565DB284FB31CDC1C7B0

Function 00D25393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D25416
GetLastError.KERNEL32 ref: 00D25420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D254A7

Strings

READONLY, xrefs: 00D25452
UNKNOWN, xrefs: 00D25444
READY, xrefs: 00D25460, 00D25468
INVALID, xrefs: 00D25459
NOTREADY, xrefs: 00D2544B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0b82946586646caa5ace7b887b688cefb37c0e1e777d67bf8ac20c8c5c0f146b
Instruction ID: 8372173f2bf9ad85532fe17d7e072c17c5c3fb7664c6d8f28df4a259b9343631
Opcode Fuzzy Hash: 0b82946586646caa5ace7b887b688cefb37c0e1e777d67bf8ac20c8c5c0f146b
Instruction Fuzzy Hash: B2319335A006149FD710EF68E484EA9BBB4EF55309F188056E505CB396E771DD87CBB0

Function 00D43C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D43C79
SetMenu.USER32(?,00000000), ref: 00D43C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D43D10
IsMenu.USER32(?), ref: 00D43D24
CreatePopupMenu.USER32 ref: 00D43D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D43D5B
DrawMenuBar.USER32 ref: 00D43D63

Strings

0, xrefs: 00D43C54
F, xrefs: 00D43D4E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9fa399a68c01c4ff844785f3430e357f922943bd549c5229f3a5c24b5f888b20
Instruction ID: 142856d162905e6829e5378a2a0e8ab874b270eb074c0da00f04e0e9c8893fe7
Opcode Fuzzy Hash: 9fa399a68c01c4ff844785f3430e357f922943bd549c5229f3a5c24b5f888b20
Instruction Fuzzy Hash: A4416B79A01309AFDF14DF68D884AAE7BB9FF49350F180029F95697360D730AA11CFA0

Function 00D11EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00D11F64
GetDlgCtrlID.USER32 ref: 00D11F6F
GetParent.USER32 ref: 00D11F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D11F8E
GetDlgCtrlID.USER32(?), ref: 00D11F97
GetParent.USER32(?), ref: 00D11FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D11FAE

Strings

ListBox, xrefs: 00D11F21
ComboBox, xrefs: 00D11EEC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 54995216f6a2e9885c6448295fb0815080a0b0ae3ff19fc039147e130bf21f5b
Instruction ID: 63a94988198a6f1da3fa6d77f27dba770fbc5a03c3fdede02d2446ca338d4132
Opcode Fuzzy Hash: 54995216f6a2e9885c6448295fb0815080a0b0ae3ff19fc039147e130bf21f5b
Instruction Fuzzy Hash: E721B079A00214BFCF04AFA0DC85AEEBBB8EF06310F104115BA65A72A1DB7599499B70

Function 00D11FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00D12043
GetDlgCtrlID.USER32 ref: 00D1204E
GetParent.USER32 ref: 00D1206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D1206D
GetDlgCtrlID.USER32(?), ref: 00D12076
GetParent.USER32(?), ref: 00D1208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D1208D

Strings

ListBox, xrefs: 00D12002
ComboBox, xrefs: 00D11FCD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b93767fe8c348fd76f988db8e7a809751b821d2f0029523503acd324149aed98
Instruction ID: 88f8046f6ba1b60c6379e30548b84b90b462e417f5b9bebbacd8b5202ac8d255
Opcode Fuzzy Hash: b93767fe8c348fd76f988db8e7a809751b821d2f0029523503acd324149aed98
Instruction Fuzzy Hash: C721A475A01218BFCF14AFA0DC85EFEBBB8EF09340F104115B955A72A1DA768958DB70

Function 00D43A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D43A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D43AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D43AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D43AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D43B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D43BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D43BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D43BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D43BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D43C13

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 73d5001202a4d91f4f5667cca2b496b2e63fc71673136977786a52fc06c8c13a
Instruction ID: ac39b5229bc76e6128e5cbcf1bc153b92a26abb14667dae8d3b0848c75d3bf70
Opcode Fuzzy Hash: 73d5001202a4d91f4f5667cca2b496b2e63fc71673136977786a52fc06c8c13a
Instruction Fuzzy Hash: EA613A75A00248AFDB10DFA8CC81EEE77B8EB09710F144199FA15E72A1D774AE46DF60

Function 00D1B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D1B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D1B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D1B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B21D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9267f6b4c3c0e9be87f942b44a3be6483376bc9a33860ce4b4525081f9c6e22f
Instruction ID: 4d421f20ed26680e4416d9f3af2ced3d0e477da1f4d58553b4abf2c790a31571
Opcode Fuzzy Hash: 9267f6b4c3c0e9be87f942b44a3be6483376bc9a33860ce4b4525081f9c6e22f
Instruction Fuzzy Hash: 2931F2B5220304BFDB109F64EC58FAD7BA9BB11721F159006FA04D63A0CBB49E808F34

Function 00CE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE2C94

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CE2CA0
_free.LIBCMT ref: 00CE2CAB
_free.LIBCMT ref: 00CE2CB6
_free.LIBCMT ref: 00CE2CC1
_free.LIBCMT ref: 00CE2CCC
_free.LIBCMT ref: 00CE2CD7
_free.LIBCMT ref: 00CE2CE2
_free.LIBCMT ref: 00CE2CED
_free.LIBCMT ref: 00CE2CFB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eeff270471242c5e031148705a292a8ccce6335dfe2e1fc014b869517a8a2a01
Instruction ID: cff6f595574dc6d4d9d69e191dff322ccf858c6bfcf8edaccc7b937ee07e356a
Opcode Fuzzy Hash: eeff270471242c5e031148705a292a8ccce6335dfe2e1fc014b869517a8a2a01
Instruction Fuzzy Hash: 8F11B67610014CBFCB02EF56D882EDD3BA9FF05350F5254A5FA489F222DA35EE50AB90

Function 00D27DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D27FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D27FC1
GetFileAttributesW.KERNEL32(?), ref: 00D27FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D28005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D280B0

Strings

*.*, xrefs: 00D28066

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e7d25d035af883e1871f5cf671c19f0e04b6c1188a20c957bf2a9778b70708b3
Instruction ID: d781388701cdb6f49fec73cb54fbd9d7d052620a46df99e81929f697c6dc0e6c
Opcode Fuzzy Hash: e7d25d035af883e1871f5cf671c19f0e04b6c1188a20c957bf2a9778b70708b3
Instruction Fuzzy Hash: B681C1715083129BCB30EF54D4849AAB3E8BFA9318F19485EF885C7250EB35DD489B72

Function 00CB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CB5C7A

Part of subcall function 00CB5D0A: GetClientRect.USER32(?,?), ref: 00CB5D30
Part of subcall function 00CB5D0A: GetWindowRect.USER32(?,?), ref: 00CB5D71
Part of subcall function 00CB5D0A: ScreenToClient.USER32(?,?), ref: 00CB5D99

GetDC.USER32 ref: 00CF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CF4708
SelectObject.GDI32(00000000,00000000), ref: 00CF4716
SelectObject.GDI32(00000000,00000000), ref: 00CF472B
ReleaseDC.USER32(?,00000000), ref: 00CF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CF47C4

Strings

U, xrefs: 00CF4693

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 069de3592bcf47d06cd09cb69dc13f1f23d0448aae9dcb7bc84c81211e9461e2
Instruction ID: ec0a25c4970848dc4116c3cce15315f4ce8d0ff3dea67ddf1494ee91f8ca6ddc
Opcode Fuzzy Hash: 069de3592bcf47d06cd09cb69dc13f1f23d0448aae9dcb7bc84c81211e9461e2
Instruction Fuzzy Hash: 8971E334400209DFCF699F64C984AFB7BB6FF4A350F14426AFE659A2A6C3318941DF61

Function 00D2359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D235E4

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

LoadStringW.USER32(00D82390,?,00000FFF,?), ref: 00D2360A

Strings

Error: , xrefs: 00D236EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00D23724
Line %d (File "%s"):, xrefs: 00D2366B
"%s" (%d) : ==> %s:, xrefs: 00D23742
^ ERROR, xrefs: 00D236C9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7dcac3ac82b75e80c323e19deb46df1dc447836f2fe2e88d3523d80627af45b5
Instruction ID: a4b85128671f88c5d0f15fa2fa54233843aa73046a39061bada4a592047e81e2
Opcode Fuzzy Hash: 7dcac3ac82b75e80c323e19deb46df1dc447836f2fe2e88d3523d80627af45b5
Instruction Fuzzy Hash: 0F515A71800219BBCF14EBA0DC92EEEBB78EF14305F144165F605721A1EB356A99EFB0

Function 00D48B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

Part of subcall function 00CC912D: GetCursorPos.USER32(?), ref: 00CC9141
Part of subcall function 00CC912D: ScreenToClient.USER32(00000000,?), ref: 00CC915E
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000001), ref: 00CC9183
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000002), ref: 00CC919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D48B6B
ImageList_EndDrag.COMCTL32 ref: 00D48B71
ReleaseCapture.USER32 ref: 00D48B77
SetWindowTextW.USER32(?,00000000), ref: 00D48C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D48C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D48CFF

Strings

@GUI_DRAGFILE, xrefs: 00D48C9A
@GUI_DROPID, xrefs: 00D48C51

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 5ee61386efa88384c3641faf6d0dbf8b7021293b12da1154239adc761605c22f
Instruction ID: f020b00c19ea5a4432d9dbba0cb6fdac6243b32890632800fe7e65525baf4e13
Opcode Fuzzy Hash: 5ee61386efa88384c3641faf6d0dbf8b7021293b12da1154239adc761605c22f
Instruction Fuzzy Hash: 16517874205304AFD700EF24C896BAE77E8FB88750F00062DF996972A1CB719948DB72

Function 00D2C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D2C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D2C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D2C2CA
GetLastError.KERNEL32 ref: 00D2C322
SetEvent.KERNEL32(?), ref: 00D2C336
InternetCloseHandle.WININET(00000000), ref: 00D2C341

Strings

, xrefs: 00D2C2BB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 108757c90d8ec9efe6d3e6de947fce2a583d9e86202c29c94990f21034af8b1e
Instruction ID: ef986373f250d35c0cb4775dd6964729a5f81b8d30d591f0c61e6be135811d21
Opcode Fuzzy Hash: 108757c90d8ec9efe6d3e6de947fce2a583d9e86202c29c94990f21034af8b1e
Instruction Fuzzy Hash: 45319E71511714AFD721DF64A888AAF7AFCEB6A748B149919F486D2210DB70DD048B70

Function 00D1989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CF3AAF,?,?,Bad directive syntax error,00D4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D198BC
LoadStringW.USER32(00000000,?,00CF3AAF,?), ref: 00D198C3

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D19987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00D198F1
., xrefs: 00D1996D
Line %d:, xrefs: 00D19912
Error: , xrefs: 00D19955
Line %d (File "%s"):, xrefs: 00D1992D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3c9c0fcf99dba84adb1687cb79334b2d017d95a77a551f389d49b204e34e5f18
Instruction ID: 04d00a53ce95f88fa5b987a252dfb5745ec55aa1d0f81b453e5c2cceaaa59979
Opcode Fuzzy Hash: 3c9c0fcf99dba84adb1687cb79334b2d017d95a77a551f389d49b204e34e5f18
Instruction Fuzzy Hash: 17217E3194021ABBCF15AF90CC56EEE7B75FF18304F045459F519660A2EB319A58EB20

Function 00D1209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D1214D

Strings

SHELLDLL_DefView, xrefs: 00D120CC
list, xrefs: 00D1212F
largeicons, xrefs: 00D120E1
details, xrefs: 00D120FB
smallicons, xrefs: 00D12115

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ab0d257f0d723da69c66b90a75d1d9193e7582b45f4938e14814b45a1c58ac6f
Instruction ID: 453e6acb082e28998726556d3320c32965f643d16f44318b6ce9959f6aa7d6f9
Opcode Fuzzy Hash: ab0d257f0d723da69c66b90a75d1d9193e7582b45f4938e14814b45a1c58ac6f
Instruction Fuzzy Hash: 8B113A7A684706BAF605A620FC07DFB339CCB05324B205016FB4CA41E6FEB298D56634

Function 00CE8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815a14e6ad4aad3e9da7eb7496a8119af194e116816f323321c266c8009c86ef
Instruction ID: c2fe8555bcd3fdd857421f4f610ecd864708575968eb26119def1612ea508bd9
Opcode Fuzzy Hash: 815a14e6ad4aad3e9da7eb7496a8119af194e116816f323321c266c8009c86ef
Instruction Fuzzy Hash: 86C1F274904389AFCB11DFAAC845BADBFB0FF0D310F444199E529AB392C7349A46DB61

Function 00CECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CECEB7
_free.LIBCMT ref: 00CECF22
_free.LIBCMT ref: 00CECF48
_free.LIBCMT ref: 00CECF71
_free.LIBCMT ref: 00CECFA9
_free.LIBCMT ref: 00CECFDA
_free.LIBCMT ref: 00CED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CED09C
_free.LIBCMT ref: 00CED0B5

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 660e09018820d01442cdad1d61f22b9cdaf0d322f87cd66dd5ef9e47012f367c
Instruction ID: 6914b4104a7788f1e1708de871da77770febdc7b654b34e71c079b27cf157cda
Opcode Fuzzy Hash: 660e09018820d01442cdad1d61f22b9cdaf0d322f87cd66dd5ef9e47012f367c
Instruction Fuzzy Hash: 186156729043C4AFDB25AFF798C2B697BA9AF05320F08416DF951D7382D6359E0297A0

Function 00CC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D06890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D06901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D0691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D0692D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 72d9a4fd952b34427a9c333e9ff10e2ba4569618d46d35e7cc99d90088e90855
Instruction ID: 6c41bf2480e2f3c46b6c3df29de65aa63b39b247c00f7db59bfb69ac4e77c4c6
Opcode Fuzzy Hash: 72d9a4fd952b34427a9c333e9ff10e2ba4569618d46d35e7cc99d90088e90855
Instruction Fuzzy Hash: 79518574600309AFDB208F25CC65FAA7BB5EB48710F144518F916D62E0DB70EE94DB60

Function 00D2C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D2C182
GetLastError.KERNEL32 ref: 00D2C195
SetEvent.KERNEL32(?), ref: 00D2C1A9

Part of subcall function 00D2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D2C272
Part of subcall function 00D2C253: GetLastError.KERNEL32 ref: 00D2C322
Part of subcall function 00D2C253: SetEvent.KERNEL32(?), ref: 00D2C336
Part of subcall function 00D2C253: InternetCloseHandle.WININET(00000000), ref: 00D2C341

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ad64aa913bdf95300a7186c364a07a4d71ef5440f2dba0696c51679fca74f375
Instruction ID: 9be1efb55b5411406aeba24644ada04f3d2db0bd16076fc4e3bbc548b33de8c7
Opcode Fuzzy Hash: ad64aa913bdf95300a7186c364a07a4d71ef5440f2dba0696c51679fca74f375
Instruction Fuzzy Hash: CB318B75221711EFDB219FA5AC44A6ABBE8FF29308B04641DF956C6620DB31EC109BB0

Function 00D125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D12601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D12605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D1260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D12623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D12627

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: edcbe5cf0b4a9b250d894e66b6db9912a4fecf4f77da2474f7813de58d027b69
Instruction ID: 360b4fcf5fe00df64d6d2ec85a3a1aa15585d298612e92bf74feb8aca8b39c37
Opcode Fuzzy Hash: edcbe5cf0b4a9b250d894e66b6db9912a4fecf4f77da2474f7813de58d027b69
Instruction Fuzzy Hash: 5B01B1303A1310BBFB106B689C8AF993E59DF5AB12F101001F358EE1E1CDE264848AB9

Function 00D11803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D11449,?,?,00000000), ref: 00D1180C
HeapAlloc.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D11813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D11449,?,?,00000000), ref: 00D11828
GetCurrentProcess.KERNEL32(?,00000000,?,00D11449,?,?,00000000), ref: 00D11830
DuplicateHandle.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D11833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D11449,?,?,00000000), ref: 00D11843
GetCurrentProcess.KERNEL32(00D11449,00000000,?,00D11449,?,?,00000000), ref: 00D1184B
DuplicateHandle.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D1184E
CreateThread.KERNEL32(00000000,00000000,00D11874,00000000,00000000,00000000), ref: 00D11868

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 81c3d5534cffba6ebcd8d126b9cb270137ede3a034a095abb341fabd02a801d2
Instruction ID: a9a198952ec2684c1a7ff9ddbc89ff67192e3c1b12d62acfd172d8ca71dfd185
Opcode Fuzzy Hash: 81c3d5534cffba6ebcd8d126b9cb270137ede3a034a095abb341fabd02a801d2
Instruction Fuzzy Hash: 2401AC79351304BFE650AFA5DC4DF573B6CEB8AB11F045411FA05DB291CA7098008B30

Function 00D3A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D1D501
Part of subcall function 00D1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D1D50F
Part of subcall function 00D1D4DC: CloseHandle.KERNELBASE(00000000), ref: 00D1D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D3A16D
GetLastError.KERNEL32 ref: 00D3A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D3A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D3A268
GetLastError.KERNEL32(00000000), ref: 00D3A273
CloseHandle.KERNEL32(00000000), ref: 00D3A2C4

Strings

SeDebugPrivilege, xrefs: 00D3A18F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 254aa5508a36841f8a0f802662db317330f0014f71fc2c155caa9385f2e7182b
Instruction ID: b3813525038a7c73b9fec517cdf0c34d8b71c61d1c69bc4ee41d319994715743
Opcode Fuzzy Hash: 254aa5508a36841f8a0f802662db317330f0014f71fc2c155caa9385f2e7182b
Instruction Fuzzy Hash: 05619034205342AFD720DF18C494F66BBE1AF44318F18849CE4A68B7A3C776ED45CBA6

Function 00D43886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D43925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D4393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D43954
_wcslen.LIBCMT ref: 00D43999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D439F4

Strings

SysListView32, xrefs: 00D438F7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5f7adef2ccb757f3e88b13f7be14d78b9f1dee77e146d45f40f9d14e2a56075e
Instruction ID: 3d806abd1ac4f79d0eae3020d1ade630e28b83ff80b767edd5fa463dab10edca
Opcode Fuzzy Hash: 5f7adef2ccb757f3e88b13f7be14d78b9f1dee77e146d45f40f9d14e2a56075e
Instruction Fuzzy Hash: C9418371A00319ABEF219F68CC45BEA7BA9EF08350F150526F958E7291D771DE84CBA0

Function 00D1BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1BCFD
IsMenu.USER32(00000000), ref: 00D1BD1D
CreatePopupMenu.USER32 ref: 00D1BD53
GetMenuItemCount.USER32(016057D8), ref: 00D1BDA4
InsertMenuItemW.USER32(016057D8,?,00000001,00000030), ref: 00D1BDCC

Strings

0, xrefs: 00D1BCA8
2, xrefs: 00D1BD37

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: edb0d1afbe86c2ceac6676dca14e82fc64e019d321d573f21b6f6b6e2d2e0c8a
Instruction ID: d16716771abf9ca8bf58bbc6eeb03bc0316eb2dc007ea6ac330fadd6555ffc7d
Opcode Fuzzy Hash: edb0d1afbe86c2ceac6676dca14e82fc64e019d321d573f21b6f6b6e2d2e0c8a
Instruction Fuzzy Hash: 42518E70600205ABDB18CFA8F884BEEBBF5EF55324F18415AE452D7291EB709981CB71

Function 00D1C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D1C913

Strings

stop, xrefs: 00D1C8E4
question, xrefs: 00D1C8CC
info, xrefs: 00D1C8B4
warning, xrefs: 00D1C8FC
blank, xrefs: 00D1C895

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: aa7245b669d6e2268614b85c0e1fcaa92c3b53c74a907bf15ee1912f4b8994e0
Instruction ID: d1ff9a7acb9cf219e811e4be9f51a40ee78f31bf626c7afa6cffb1c809702095
Opcode Fuzzy Hash: aa7245b669d6e2268614b85c0e1fcaa92c3b53c74a907bf15ee1912f4b8994e0
Instruction Fuzzy Hash: B81108716D9706BFA7085B54ACC3CEF279CDF15365B20602BF608AA282FB709D806674

Function 00D1DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D1DE42
gethostname.WSOCK32(?,00000100), ref: 00D1DE5C
gethostbyname.WSOCK32(?), ref: 00D1DE69
inet_ntoa.WSOCK32(?), ref: 00D1DEAB
_strcat.LIBCMT ref: 00D1DEB9
WSACleanup.WSOCK32 ref: 00D1DEDE

Strings

0.0.0.0, xrefs: 00D1DE87

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2e80884b4b95f5200de1f0f3e974e3d46cb9bcfe79874d0cea9949c411598b80
Instruction ID: a4a4cb60b40d8d6e581cd4bd3a9a4bfcf57b21f45464657f0f014a090e43dae9
Opcode Fuzzy Hash: 2e80884b4b95f5200de1f0f3e974e3d46cb9bcfe79874d0cea9949c411598b80
Instruction Fuzzy Hash: 3211E471904204BFCB24AB70AC4AEEE77ADDB11711F04016AF685D6291EF708AC19AB0

Function 00D49F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetSystemMetrics.USER32(0000000F), ref: 00D49FC7
GetSystemMetrics.USER32(0000000F), ref: 00D49FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D4A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D4A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D4A263
ShowWindow.USER32(00000003,00000000), ref: 00D4A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D4A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D4A2CA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c2b9207919ec0bd2173b675e737820fc05c60954e4320bee67d994b401faa5c7
Instruction ID: 1508969247a736f09a19f5d7172f503f646cf784811179192bdc3eeb4107677b
Opcode Fuzzy Hash: c2b9207919ec0bd2173b675e737820fc05c60954e4320bee67d994b401faa5c7
Instruction Fuzzy Hash: 50B1B835640215AFDF14CF6CC9C57AE7BB2BF48701F088069EC89AF299D771AA40DB61

Function 00D1ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D1ED2A
_wcslen.LIBCMT ref: 00D1ED3B
_wcslen.LIBCMT ref: 00D1ED79
_wcslen.LIBCMT ref: 00D1EDAF
_wcslen.LIBCMT ref: 00D1EDDF
_wcslen.LIBCMT ref: 00D1EDEF
_wcslen.LIBCMT ref: 00D1EE2B
_wcslen.LIBCMT ref: 00D1EE5A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bf151425219456becf12d39d20e83f097efc65a9727b61ac7a0e094dcc024e0e
Instruction ID: f0b918afdb648e51ab3c6a48008a7fa724a2386abf581813cca01d1d7046c6b1
Opcode Fuzzy Hash: bf151425219456becf12d39d20e83f097efc65a9727b61ac7a0e094dcc024e0e
Instruction Fuzzy Hash: A4418F65C1021876CB11EBB4DC8A9CFB7ACAF45710F508463FA18E3221EB34E695C7E5

Function 00CCF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00CCF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D0F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D0F454

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c528af36ea08c4d41667f14d549d245c69c289c1444b2aaa23e010f13055d2ad
Instruction ID: 2f6446737b44a65244027bbefae1e55d200402f54498e3e256b20e14b8dbdb08
Opcode Fuzzy Hash: c528af36ea08c4d41667f14d549d245c69c289c1444b2aaa23e010f13055d2ad
Instruction Fuzzy Hash: 84415234614740BBCF789F29C888F2E7B93AB47310F14503CE49B96AA0C631E982CB31

Function 00D42D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D42D1B
GetDC.USER32(00000000), ref: 00D42D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D42D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D42D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D42D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D42D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D42DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D42DE1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5b37696a208a96b4019d599a28da18794859235835a01fd67a234e6a166fbbbf
Instruction ID: 2223ffd15be2fae5d498ae43639a602ec96a997167a84fbfff60c95ae45272a9
Opcode Fuzzy Hash: 5b37696a208a96b4019d599a28da18794859235835a01fd67a234e6a166fbbbf
Instruction Fuzzy Hash: 89316D76212614BBEB214F508C89FFB3BA9EB0A715F084055FE08DA2A1D6759C50CBB4

Function 00D15622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D15637
_memcmp.LIBVCRUNTIME ref: 00D15659
_memcmp.LIBVCRUNTIME ref: 00D15671
_memcmp.LIBVCRUNTIME ref: 00D15684
_memcmp.LIBVCRUNTIME ref: 00D1569E
_memcmp.LIBVCRUNTIME ref: 00D156B1
_memcmp.LIBVCRUNTIME ref: 00D156C9
_memcmp.LIBVCRUNTIME ref: 00D156E4

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 29c54ac14f4b8923bdc8dd9e36cd58ccfd7c4085218e3979f5be675408024125
Instruction ID: 7610cb4b8feb641bd681497c319ff1903fe51010768dc90072af22ede45de8cf
Opcode Fuzzy Hash: 29c54ac14f4b8923bdc8dd9e36cd58ccfd7c4085218e3979f5be675408024125
Instruction Fuzzy Hash: 6E21D761640A09FBD6145620BDC2FFA335CAFA1384F480021FE449A696FF68ED54D2F5

Function 00D34FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00D3502E, 00D35383
Not an Object type, xrefs: 00D35007

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 206743e84de5fb877681c50ea2de7e56bdb38fd36b8c3906d8c14c9f4bdd888f
Instruction ID: f90af2c6e108661a3d9dfa8109a210a764855af61c7aa90c15f84ac7dfc2e91a
Opcode Fuzzy Hash: 206743e84de5fb877681c50ea2de7e56bdb38fd36b8c3906d8c14c9f4bdd888f
Instruction Fuzzy Hash: F3D1AF75A0060A9FDF14CF98D880BAEB7B5FF48344F188469E915AB284E771ED45CBB0

Function 00CF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00CF17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00CF15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CF1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00CF17FB,?,00CF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CF16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CF16FB

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CF1777
__freea.LIBCMT ref: 00CF17A2
__freea.LIBCMT ref: 00CF17AE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 16d1943bb77f6d22ac2fb520c0a74c984bd63051c5e579a7bd95981f34d06e9f
Instruction ID: 2d0d9a5e738f10f114cbe15b865d6d594dbca7e0bca7325ae022a571bf05dda2
Opcode Fuzzy Hash: 16d1943bb77f6d22ac2fb520c0a74c984bd63051c5e579a7bd95981f34d06e9f
Instruction Fuzzy Hash: 9D91C271E0020EDADB649E75C881AFE7BB5DF49310F1C065AEE15E7281DB25DE40CB62

Function 00D34523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D34648
VariantInit.OLEAUT32(?), ref: 00D34749
VariantClear.OLEAUT32(?), ref: 00D34753
VariantClear.OLEAUT32(?), ref: 00D347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D3472C
Null Object assignment in FOR..IN loop, xrefs: 00D345D8, 00D34706, 00D347BE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 25b882a49b3bc1732b4f0b692bff4476e351b6c7ef0ad18d3f51b554f38994be
Instruction ID: c7c947e5575386b8a3b2fd7ed392f98494d88d0f7edc2e919d6f46c731821513
Opcode Fuzzy Hash: 25b882a49b3bc1732b4f0b692bff4476e351b6c7ef0ad18d3f51b554f38994be
Instruction Fuzzy Hash: 90919DB1A00219AFDF20CFA5C885FAEBBB8EF46714F148559F505AB280D774A945CFB0

Function 00D21187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D2125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D21284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D2135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D21430

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: be2499abb0402f577732e8e0eaf8cb5865b15242542ae5ef1ec440cc6d2cdd6b
Instruction ID: cc96f1dc14c63354ac482b6e7762cb1acffac65768ce209062e6d923fb297a95
Opcode Fuzzy Hash: be2499abb0402f577732e8e0eaf8cb5865b15242542ae5ef1ec440cc6d2cdd6b
Instruction Fuzzy Hash: F4911579900228AFDB00DF98E885BBE77B5FF65318F148069E544E7291D774E942CBB0

Function 00CC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a9ccf32609b573426624d5f3f4c08acb78279ff58341689c74409cf57223d9fb
Instruction ID: ad4e21aa67fab5a3a10152292785577e6970121f7103657bf4855d6703abb11b
Opcode Fuzzy Hash: a9ccf32609b573426624d5f3f4c08acb78279ff58341689c74409cf57223d9fb
Instruction Fuzzy Hash: D9910471D00219EFCB14CFA9CC88AEEBBB8FF49320F148559E515B7291D774AA42DB60

Function 00D33947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D3396B
CharUpperBuffW.USER32(?,?), ref: 00D33A7A
_wcslen.LIBCMT ref: 00D33A8A
VariantClear.OLEAUT32(?), ref: 00D33C1F

Part of subcall function 00D20CDF: VariantInit.OLEAUT32(00000000), ref: 00D20D1F
Part of subcall function 00D20CDF: VariantCopy.OLEAUT32(?,?), ref: 00D20D28
Part of subcall function 00D20CDF: VariantClear.OLEAUT32(?), ref: 00D20D34

Strings

Incorrect Parameter format, xrefs: 00D339A6, 00D33BA1
AUTOIT.ERROR, xrefs: 00D33A80, 00D33A85

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 90823fac4b74c74d3821780460ba832ec50c77fd849932f4217b7b17f6bd52a2
Instruction ID: 6036ba6b565b8291a2cef770e6e1f808aabfb03bca0b86080528f82568346b00
Opcode Fuzzy Hash: 90823fac4b74c74d3821780460ba832ec50c77fd849932f4217b7b17f6bd52a2
Instruction Fuzzy Hash: 9F9179756083419FC704DF28C58196ABBE4FF89314F18892DF88A9B351DB31EE45CBA2

Function 00D34BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?,?,00D1035E), ref: 00D1002B
Part of subcall function 00D1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10046
Part of subcall function 00D1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10054
Part of subcall function 00D1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?), ref: 00D10064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D34C51
_wcslen.LIBCMT ref: 00D34D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D34DCF
CoTaskMemFree.OLE32(?), ref: 00D34DDA

Strings

NULL Pointer assignment, xrefs: 00D34E23, 00D34E52

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ac20f1962eb94717254eb0ea65f53284c9c7644bd7e74cfd2d25b8b9b41e0940
Instruction ID: 492b4f9b8e5a140c6aa8fe92cbd9f1aedbf6e4b477a45fe7e022daa797085343
Opcode Fuzzy Hash: ac20f1962eb94717254eb0ea65f53284c9c7644bd7e74cfd2d25b8b9b41e0940
Instruction Fuzzy Hash: 47912771D00219AFDF14DFA4D891AEEB7B8FF08310F10816AE915B7291EB34AA44DF60

Function 00D420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D42183
GetMenuItemCount.USER32(00000000), ref: 00D421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D421DD
_wcslen.LIBCMT ref: 00D42213
GetMenuItemID.USER32(?,?), ref: 00D4224D
GetSubMenu.USER32(?,?), ref: 00D4225B

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D422E3

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 820f6a552f84f07f05479776e8538359ca6634249e7070b76005619ca06b729a
Instruction ID: a04b4acdfaa4d1a4ab581e7fc6c9b0d8acbc67c5ea674c71d97d0add8f7e07c4
Opcode Fuzzy Hash: 820f6a552f84f07f05479776e8538359ca6634249e7070b76005619ca06b729a
Instruction Fuzzy Hash: 32717D75A00205AFCB10DFA8C885ABEB7F5EF88310F548459F956EB351DB74EE418BA0

Function 00D47E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01605580), ref: 00D47F37
IsWindowEnabled.USER32(01605580), ref: 00D47F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D4801E
SendMessageW.USER32(01605580,000000B0,?,?), ref: 00D48051
IsDlgButtonChecked.USER32(?,?), ref: 00D48089
GetWindowLongW.USER32(01605580,000000EC), ref: 00D480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D480C3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2b171e3363b9c0234a4084f8fcbeca432a091608795c59af49f08c977db8f59e
Instruction ID: ce3bffca2406efa18610e25f101f21020e21a447fd06f9bd4bb4aa5ffe8e8495
Opcode Fuzzy Hash: 2b171e3363b9c0234a4084f8fcbeca432a091608795c59af49f08c977db8f59e
Instruction Fuzzy Hash: F7716F38609204AFEB219F64C894FBEBBB9EF09340F18445AF95597361CB31AC49DB30

Function 00D1AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D1AEF9
GetKeyboardState.USER32(?), ref: 00D1AF0E
SetKeyboardState.USER32(?), ref: 00D1AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D1AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D1AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D1AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D1B020

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5213e7d4195ead1c89dffdbc3fbe1abb8d06645df73ca5d09849f7315bfc8dc3
Instruction ID: 63fbb30714e3462ac2d9a722ef3874740c16b6ab083fdd34f17baa26bc924027
Opcode Fuzzy Hash: 5213e7d4195ead1c89dffdbc3fbe1abb8d06645df73ca5d09849f7315bfc8dc3
Instruction Fuzzy Hash: 6051D2A06057D53DFB3682389845BFABEA95F06314F0C848AF1D9854D2CBA8ACC9D771

Function 00D1ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D1AD19
GetKeyboardState.USER32(?), ref: 00D1AD2E
SetKeyboardState.USER32(?), ref: 00D1AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D1ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D1ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D1AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D1AE38

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1bb07b1655af419cde6ff293f10f0a33b7dddb66ff50242cd50a09fb4b7c549b
Instruction ID: acb29c75a3b131060656c612db94aae4bce9e317902d95bd34c60ef9d3d22750
Opcode Fuzzy Hash: 1bb07b1655af419cde6ff293f10f0a33b7dddb66ff50242cd50a09fb4b7c549b
Instruction Fuzzy Hash: 9951F7A06057D13DFB328378AC55BFA7EA85B46300F0C8489F0D5468C2DAA4ECD8D772

Function 00CE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CF3CD6,?,?,?,?,?,?,?,?,00CE5BA3,?,?,00CF3CD6,?,?), ref: 00CE5470
__fassign.LIBCMT ref: 00CE54EB
__fassign.LIBCMT ref: 00CE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CF3CD6,00000005,00000000,00000000), ref: 00CE552C
WriteFile.KERNEL32(?,00CF3CD6,00000000,00CE5BA3,00000000,?,?,?,?,?,?,?,?,?,00CE5BA3,?), ref: 00CE554B
WriteFile.KERNEL32(?,?,00000001,00CE5BA3,00000000,?,?,?,?,?,?,?,?,?,00CE5BA3,?), ref: 00CE5584

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bc098d716e7a8eea3afd5676663128ac55f3dbc32b9ac1af784619f47dff2588
Instruction ID: b810adf8dc8cc1ecbde271bbc4de96be568a983f663fdec04e9c2295954b8ac7
Opcode Fuzzy Hash: bc098d716e7a8eea3afd5676663128ac55f3dbc32b9ac1af784619f47dff2588
Instruction Fuzzy Hash: F951E3B1A017899FDB10CFA9D845AEEBBF9EF09304F24411AF555E7391E730AA41CB60

Function 00CD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CD2D53
_ValidateLocalCookies.LIBCMT ref: 00CD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CD2E0C
_ValidateLocalCookies.LIBCMT ref: 00CD2E61

Strings

csm, xrefs: 00CD2DF6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c32195aadec9fe3953016e22b2579d94aa19817728dde7882b6c436dfb6902e1
Instruction ID: bd972bea0f94eb6f0f5695bc76845e8902a9f1a9b3e76b1583adf288248bf832
Opcode Fuzzy Hash: c32195aadec9fe3953016e22b2579d94aa19817728dde7882b6c436dfb6902e1
Instruction Fuzzy Hash: FE419234A00249ABCF10DF68CC45A9EBBB5BF54325F148157EA24AB392D731EA05DBD1

Function 00D310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
Part of subcall function 00D3304E: _wcslen.LIBCMT ref: 00D3309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D31112
WSAGetLastError.WSOCK32 ref: 00D31121
WSAGetLastError.WSOCK32 ref: 00D311C9
closesocket.WSOCK32(00000000), ref: 00D311F9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 207ac4b9d638332523a590d3addc884fb67bd87352b6270f3c00e38f441c54d4
Instruction ID: 7279ca2ae97cce234484381890cbde9aaa57726f1dcdb7ca075b33a4c2756762
Opcode Fuzzy Hash: 207ac4b9d638332523a590d3addc884fb67bd87352b6270f3c00e38f441c54d4
Instruction Fuzzy Hash: 5A41EF39600305AFDB109F64C884BEABBE9EF45324F188059FD469B291C770ED41CBB1

Function 00D1CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D1CF22,?), ref: 00D1DDFD

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D1CF22,?), ref: 00D1DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D1CF45
MoveFileW.KERNEL32(?,?), ref: 00D1CF7F
_wcslen.LIBCMT ref: 00D1D005
_wcslen.LIBCMT ref: 00D1D01B
SHFileOperationW.SHELL32(?), ref: 00D1D061

Strings

\*.*, xrefs: 00D1CFF3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5b5b4cec5c0056776f99015fa6c77ef459e9be8792f707c43d22f3fbefafd5f9
Instruction ID: d5d3c92e4fe07e3159f979cfbeb0b49f89a4a076c7489280206dd4c639ecab20
Opcode Fuzzy Hash: 5b5b4cec5c0056776f99015fa6c77ef459e9be8792f707c43d22f3fbefafd5f9
Instruction Fuzzy Hash: 6B4144719462196FDF12EFA4E981ADDB7B9AF48340F1400E6E605EB141EF34A689CB60

Function 00D42DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D42E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D42E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D42E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D42EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D42EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D42EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D42F0B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e8410dafa445dbbdddd5ad6f55d0a447a3c2f4f6f2f53f41be6efbb6ed1d9986
Instruction ID: 45abaee79f268dec1b85ef27507f0869e2b71f7bb71bc1e87765d908aaaee79c
Opcode Fuzzy Hash: e8410dafa445dbbdddd5ad6f55d0a447a3c2f4f6f2f53f41be6efbb6ed1d9986
Instruction Fuzzy Hash: D1311238615240AFEB20DF58DC84F6537E8EB8A710F9911A4F924CB2B2CB71AC45DB20

Function 00D17726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D1778F
SysAllocString.OLEAUT32(00000000), ref: 00D17792
SysAllocString.OLEAUT32(?), ref: 00D177B0
SysFreeString.OLEAUT32(?), ref: 00D177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D177DE
SysAllocString.OLEAUT32(?), ref: 00D177EC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 78df1cd3ab3e6cec0564255331c11477365fbf5f514a8b302b5071b441c79293
Instruction ID: 550aeab62ae74318528bbbd6e42a748b2ad26c46aad0a2eae8056709337f1b47
Opcode Fuzzy Hash: 78df1cd3ab3e6cec0564255331c11477365fbf5f514a8b302b5071b441c79293
Instruction Fuzzy Hash: E121917A605219BFDB109FA8DC84DFA73ACEB09364B088025F915DB2A1DA70DC81C770

Function 00D177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17868
SysAllocString.OLEAUT32(00000000), ref: 00D1786B
SysAllocString.OLEAUT32 ref: 00D1788C
SysFreeString.OLEAUT32 ref: 00D17895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D178AF
SysAllocString.OLEAUT32(?), ref: 00D178BD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f19df43e20ad775aed386d502994c7f3c425e608dc02f3414063da85b1ad07be
Instruction ID: 3d8128ef3bb92322886d8e0d6e118bb6a9b20e7683761923744551e6db77669b
Opcode Fuzzy Hash: f19df43e20ad775aed386d502994c7f3c425e608dc02f3414063da85b1ad07be
Instruction Fuzzy Hash: 71213075609204BFDB10AFA8EC88DEA77BCEB097607148125F915CB2B1DA74EC81CB74

Function 00D204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D2052E

Strings

nul, xrefs: 00D20567

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7934b6d58348dd326f4c60530437a0d527bc722f76a57065bc44ba95ed1343ba
Instruction ID: fb03ab93cf8893a7082ceeea33ea4db42dbfe76f72feede7b982af6ee670c78a
Opcode Fuzzy Hash: 7934b6d58348dd326f4c60530437a0d527bc722f76a57065bc44ba95ed1343ba
Instruction Fuzzy Hash: 892162756003159FDB209F29EC44A5A7BF4AF65728F244A19F8A1D62E1D7B0D940CF70

Function 00D205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D20601

Strings

nul, xrefs: 00D20639

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 07b41f7f37bbec370060445e478ed5cfa31437122324bdfb209c3f1c48a1cd98
Instruction ID: 6d79914472f3612a812790508a9d4da3ca63f85eebb66c2348292523d8fcd0fe
Opcode Fuzzy Hash: 07b41f7f37bbec370060445e478ed5cfa31437122324bdfb209c3f1c48a1cd98
Instruction Fuzzy Hash: 722195755003259FDB209F69EC44A5A7BE4FFA5729F240A19F8A1E72E1D7B09860CB30

Function 00D440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
Part of subcall function 00CB600E: GetStockObject.GDI32(00000011), ref: 00CB6060
Part of subcall function 00CB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D44112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D4411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D4412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D44139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D44145

Strings

Msctls_Progress32, xrefs: 00D440E3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0cf77ce58e5da3b981688807797951ee58cdd4ea90a4a035dca84a49d3fd1c75
Instruction ID: e20c5ed7c378757473e0aa47e25f006839e1839f444089479f75d6a997165c5f
Opcode Fuzzy Hash: 0cf77ce58e5da3b981688807797951ee58cdd4ea90a4a035dca84a49d3fd1c75
Instruction Fuzzy Hash: B51190B2150219BFEF119F64CC86EE77F6DEF08798F014111BA18A2150C6729C619BB4

Function 00CED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CED7A3: _free.LIBCMT ref: 00CED7CC

_free.LIBCMT ref: 00CED82D

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CED838
_free.LIBCMT ref: 00CED843
_free.LIBCMT ref: 00CED897
_free.LIBCMT ref: 00CED8A2
_free.LIBCMT ref: 00CED8AD
_free.LIBCMT ref: 00CED8B8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1db384e3ea27c2d5cd41456130134e1d8d0ed70d5a9b15e3736fbd49554f67cd
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 03112E71540B88AAD621BFB2CC47FCB7BDCAF04700F404865B69AE6493DA69B505A660

Function 00D1DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D1DA74
LoadStringW.USER32(00000000), ref: 00D1DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D1DA91
LoadStringW.USER32(00000000), ref: 00D1DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D1DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D1DAB9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cbf40819f617ab0baad266456cbf45f4de262a868dbc8e0d0788c7f0cb16a2e1
Instruction ID: 8ee3f44090a5ccddc3ad5a67c1d10f780e97e6267b36de10ec5431a798ae195e
Opcode Fuzzy Hash: cbf40819f617ab0baad266456cbf45f4de262a868dbc8e0d0788c7f0cb16a2e1
Instruction Fuzzy Hash: 000181F69103187FE750EBA0AD89EEB736CEB09305F405492F746E2141EA749E848F74

Function 00D2096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015FE130,015FE130), ref: 00D2097B
EnterCriticalSection.KERNEL32(015FE110,00000000), ref: 00D2098D
TerminateThread.KERNEL32(?,000001F6), ref: 00D2099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00D209A9
CloseHandle.KERNEL32(?), ref: 00D209B8
InterlockedExchange.KERNEL32(015FE130,000001F6), ref: 00D209C8
LeaveCriticalSection.KERNEL32(015FE110), ref: 00D209CF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 57b9a2f9c22a54d33f7a295596710ca4fc979f54d15fe4f7006665d5d12559b3
Instruction ID: 7c548f771091cc46bfe8600087d0b024f6e0b89bf6a870ca378ebeddf9cd2aae
Opcode Fuzzy Hash: 57b9a2f9c22a54d33f7a295596710ca4fc979f54d15fe4f7006665d5d12559b3
Instruction Fuzzy Hash: ABF01D31553A12ABDB915F94EE8CAD67A25BF06702F482015F102909A1C7B59465CFB4

Function 00D31C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D31DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D31DE1
WSAGetLastError.WSOCK32 ref: 00D31DF2
htons.WSOCK32(?,?,?,?,?), ref: 00D31EDB
inet_ntoa.WSOCK32(?), ref: 00D31E8C

Part of subcall function 00D139E8: _strlen.LIBCMT ref: 00D139F2

Part of subcall function 00D33224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00D2EC0C), ref: 00D33240

_strlen.LIBCMT ref: 00D31F35

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c98f9b9124ae6a5fc2eac1bd7f6c4b7bdb006e688bfb1ae4d206530354f5309d
Instruction ID: 3534ea834263d28e368c8263a75026cd4b4cfacb136fc361f53927154837351a
Opcode Fuzzy Hash: c98f9b9124ae6a5fc2eac1bd7f6c4b7bdb006e688bfb1ae4d206530354f5309d
Instruction Fuzzy Hash: AAB1D235204301AFC324DF24C885F6ABBE5AF85318F58895CF5565B2E2CB71ED46CBA1

Function 00CB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CB5D30
GetWindowRect.USER32(?,?), ref: 00CB5D71
ScreenToClient.USER32(?,?), ref: 00CB5D99
GetClientRect.USER32(?,?), ref: 00CB5ED7
GetWindowRect.USER32(?,?), ref: 00CB5EF8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dcf0c7f2723bf779caee3f8d63aac149bf1293e0083db4e6a26e792ca194ae9b
Instruction ID: 7db24b9d8f9612039f0f6950ff8289162d0ff6dc658af908cf298d18b261c371
Opcode Fuzzy Hash: dcf0c7f2723bf779caee3f8d63aac149bf1293e0083db4e6a26e792ca194ae9b
Instruction Fuzzy Hash: 83B16734A00A8ADBDB14CFA9C4807EAB7F1BF48310F14951AE8A9D7290DB34EA41CB55

Function 00CE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE00D6
__allrem.LIBCMT ref: 00CE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE010B
__allrem.LIBCMT ref: 00CE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE0140

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7114697d2589a9e38fcfe6d46bedd904af5c00cee1fcd18c18f42eca04109661
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: F681F8726007469BE724AF6ACC82B6F73E9AF41324F24453EF561DA381E7B0DE419790

Function 00CE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CD82D9,00CD82D9,?,?,?,00CE644F,00000001,00000001,8BE85006), ref: 00CE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CE644F,00000001,00000001,8BE85006,?,?,?), ref: 00CE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CE63D8
__freea.LIBCMT ref: 00CE63E5

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

__freea.LIBCMT ref: 00CE63EE
__freea.LIBCMT ref: 00CE6413

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 61e3ad09023a8aeb3dce638b8da6878f9a97ab44b1467a3278477732cfdf1989
Instruction ID: 2a2883e22c719b8bb803f573e96238c5516896f82678979db302a66f3c38291b
Opcode Fuzzy Hash: 61e3ad09023a8aeb3dce638b8da6878f9a97ab44b1467a3278477732cfdf1989
Instruction Fuzzy Hash: 55513372620286ABDB258F66CC81EBF7BA9EF50790F144229FE15D7190EB34DD40D660

Function 00D3BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D3BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D3BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D3BDF3
RegCloseKey.ADVAPI32(?), ref: 00D3BDFF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 870a028b1e1c1d67d910dc131d66dc881e9bf0013ec4fb43bd97624b5d0e2732
Instruction ID: a4669a1caca4000ea6c789a8fe3d5b29b9e41824e5129657ad4ab5e659f471ef
Opcode Fuzzy Hash: 870a028b1e1c1d67d910dc131d66dc881e9bf0013ec4fb43bd97624b5d0e2732
Instruction Fuzzy Hash: 7A81B230218241EFC714DF24C881E6ABBE5FF84318F18855DF5968B2A2DB31ED45DBA2

Function 00D0F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00D0F7B9
SysAllocString.OLEAUT32(00000001), ref: 00D0F860
VariantCopy.OLEAUT32(00D0FA64,00000000), ref: 00D0F889
VariantClear.OLEAUT32(00D0FA64), ref: 00D0F8AD
VariantCopy.OLEAUT32(00D0FA64,00000000), ref: 00D0F8B1
VariantClear.OLEAUT32(?), ref: 00D0F8BB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: cd716bd0520c09dd2a20f112797c82e4dcd03394651bb51b3207e1e64564d474
Instruction ID: 9c0205f4452188af2bfed1ef9f0a9f5bdc1e33a2ea557e882d58d74c87b25a9a
Opcode Fuzzy Hash: cd716bd0520c09dd2a20f112797c82e4dcd03394651bb51b3207e1e64564d474
Instruction Fuzzy Hash: B551C335600310AACF34AF65E895B6DB3A4EF45310F34946AE90ADF6D1DB709C40DBB6

Function 00D2910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D294E5
_wcslen.LIBCMT ref: 00D29506
_wcslen.LIBCMT ref: 00D2952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D29585

Strings

X, xrefs: 00D29412

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 04d26da7107ca3ef8af7b2d75aa564d27108a2f14377ff881c22984e78a575f2
Instruction ID: e6f432c0aa8d955f6686e776d536e77708399419d063bd08f74dc8dcec045ce6
Opcode Fuzzy Hash: 04d26da7107ca3ef8af7b2d75aa564d27108a2f14377ff881c22984e78a575f2
Instruction Fuzzy Hash: 10E1B331604350CFD724DF24D891AAAB7E4FF95314F18896DF8899B2A2DB31DD05CBA2

Function 00CC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

BeginPaint.USER32(?,?,?), ref: 00CC9241
GetWindowRect.USER32(?,?), ref: 00CC92A5
ScreenToClient.USER32(?,?), ref: 00CC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D071EA

Part of subcall function 00CC9339: BeginPath.GDI32(00000000), ref: 00CC9357

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 295952f07393b2dfa013a58b94b1253f5888ab1704bf3a9bbf4bc117bc66be50
Instruction ID: f72b82fddb87afb1801862e649147061036dff32ead0f0b0b2f92aea7248559a
Opcode Fuzzy Hash: 295952f07393b2dfa013a58b94b1253f5888ab1704bf3a9bbf4bc117bc66be50
Instruction Fuzzy Hash: 1E418D74505300AFD711DF25CC88FAA7BA8EB46320F140669F9A5CB2F1C7319846DB72

Function 00D207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D2080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D20847
EnterCriticalSection.KERNEL32(?), ref: 00D20863
LeaveCriticalSection.KERNEL32(?), ref: 00D208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D20921

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c6c1d9b2113ebd42f7f6ce261267fad836dc8d9b024ce80c2ce6e3c889c2708d
Instruction ID: c78711d7e0f2cb932f39f3b9d4c2552b1a54af7d6bd72612a90a42519057decd
Opcode Fuzzy Hash: c6c1d9b2113ebd42f7f6ce261267fad836dc8d9b024ce80c2ce6e3c889c2708d
Instruction Fuzzy Hash: 00416B71A00205EBDF14AF54DC85A6ABBB9FF04304F1480A9ED04DA297DB70DE61EBB4

Function 00D481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D0F3AB,00000000,?,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D4824C
EnableWindow.USER32(?,00000000), ref: 00D48272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D482D1
ShowWindow.USER32(?,00000004), ref: 00D482E5
EnableWindow.USER32(?,00000001), ref: 00D4830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D4832F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a45dbb555626bd433e5cde44f4f0aafd35e5b034a88db8417d11cfc990b62e61
Instruction ID: 2960834c08e073d12ada8e38415066c687f0cb429c70aa5c4a6a70d3ca2bb2c4
Opcode Fuzzy Hash: a45dbb555626bd433e5cde44f4f0aafd35e5b034a88db8417d11cfc990b62e61
Instruction Fuzzy Hash: 1741B234601740AFDF11CF14C8D9BA87BE4BB0AB55F1C5268E5188B262CB71A845DF74

Function 00D14C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D14C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D14CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D14CEA
_wcslen.LIBCMT ref: 00D14D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D14D10
_wcsstr.LIBVCRUNTIME ref: 00D14D1A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f19bf4381bd45967e2bcd0f7e93b87b84b9cb3972fb0357db6979e412c334c14
Instruction ID: 747fe4f510ca4dc50ca5c4f68b64e6c560a73ffbbe4d6cd3d9d2f28012e07653
Opcode Fuzzy Hash: f19bf4381bd45967e2bcd0f7e93b87b84b9cb3972fb0357db6979e412c334c14
Instruction Fuzzy Hash: 7721F676205200BBEB255B39FC49EBB7B9DDF45750F14802EF905CA2A2EE61DC8196B0

Function 00D2581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

_wcslen.LIBCMT ref: 00D2587B
CoInitialize.OLE32(00000000), ref: 00D25995
CoCreateInstance.OLE32(00D4FCF8,00000000,00000001,00D4FB68,?), ref: 00D259AE
CoUninitialize.OLE32 ref: 00D259CC

Strings

.lnk, xrefs: 00D25876, 00D258C1, 00D25985

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cc7695dc2e291bffa479e4ef9f0e7c2c8fcfb693cb2a7d20789561b43e85da23
Instruction ID: 55fa6598d22be624e7f16e36031c7ea612a5776bfdecb3a0c75868702c7cec46
Opcode Fuzzy Hash: cc7695dc2e291bffa479e4ef9f0e7c2c8fcfb693cb2a7d20789561b43e85da23
Instruction Fuzzy Hash: 2AD163746087119FC714DF24E480E6ABBE1EF99318F14895DF88A9B361DB31EC45CBA2

Function 00D1175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D10FCA
Part of subcall function 00D10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D10FD6
Part of subcall function 00D10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D10FE5
Part of subcall function 00D10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D10FEC
Part of subcall function 00D10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D11002

GetLengthSid.ADVAPI32(?,00000000,00D11335), ref: 00D117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D117BA
HeapAlloc.KERNEL32(00000000), ref: 00D117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D117DA
GetProcessHeap.KERNEL32(00000000,00000000,00D11335), ref: 00D117EE
HeapFree.KERNEL32(00000000), ref: 00D117F5

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f166591ad87be4b4258fdab54dca58c650dafdeb08a397d4693fa2419f70ee55
Instruction ID: 62658e632aecafbfac8204e072c2c6a380ac7dddcb1b42975829584adeaf6f4f
Opcode Fuzzy Hash: f166591ad87be4b4258fdab54dca58c650dafdeb08a397d4693fa2419f70ee55
Instruction Fuzzy Hash: E5118939612305FBDB109FA4EC49BEE7BA9EB42355F144018E581E7250CB35A984CB70

Function 00D114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D11506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D11515
CloseHandle.KERNEL32(00000004), ref: 00D11520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D1154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D11563

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3278d6193c5f11276af2cee3c96cc25a3209eff594d09876fa09c3814668d7ce
Instruction ID: 44e5f44b2ed39743aad3fcc579269b740091f7dfb8f50aee40347abd07e0c0dc
Opcode Fuzzy Hash: 3278d6193c5f11276af2cee3c96cc25a3209eff594d09876fa09c3814668d7ce
Instruction Fuzzy Hash: D411177A602209BBDB118F98ED49BDE7BA9EB49744F084015FA05A2160C775CEA0DB71

Function 00CD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD3379,00CD2FE5), ref: 00CD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CD33B7
SetLastError.KERNEL32(00000000,?,00CD3379,00CD2FE5), ref: 00CD3409

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 437af8b7526a4b291f72123f938d93d4a7d640e692091714ed7089dbdd906ac1
Instruction ID: 8d3a92ea271d9c5e6681f8b4e95e0f19f01ed03890dc1c95d754375ad0a6b01c
Opcode Fuzzy Hash: 437af8b7526a4b291f72123f938d93d4a7d640e692091714ed7089dbdd906ac1
Instruction Fuzzy Hash: F9012832219351BFA6142B757C8562A2A94FB05376320022FF720C03F0FF118E03A1A5

Function 00CE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CE5686,00CF3CD6,?,00000000,?,00CE5B6A,?,?,?,?,?,00CDE6D1,?,00D78A48), ref: 00CE2D78
_free.LIBCMT ref: 00CE2DAB
_free.LIBCMT ref: 00CE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CDE6D1,?,00D78A48,00000010,00CB4F4A,?,?,00000000,00CF3CD6), ref: 00CE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CDE6D1,?,00D78A48,00000010,00CB4F4A,?,?,00000000,00CF3CD6), ref: 00CE2DEC
_abort.LIBCMT ref: 00CE2DF2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b1deb984f377aa4cd86f18d99af0d3b94f4f12c54df0b6943d63971670f88538
Instruction ID: d52e45368a0f9661030907c9ac33d86fdc64f8794eefa97392ed084a033f4ffc
Opcode Fuzzy Hash: b1deb984f377aa4cd86f18d99af0d3b94f4f12c54df0b6943d63971670f88538
Instruction Fuzzy Hash: DEF0A9365057802BC6522B37AC0AB1A165DABC27A1F254519FA35D22D3EE249A01A170

Function 00D48A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96A2
Part of subcall function 00CC9639: BeginPath.GDI32(?), ref: 00CC96B9
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D48A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D48A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D48A70
LineTo.GDI32(?,00000000,00000003), ref: 00D48A80
EndPath.GDI32(?), ref: 00D48A90
StrokePath.GDI32(?), ref: 00D48AA0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5904e5c5770c510efcb8c937e9e8dc486247d0b4fc95843be1b1df6196a5e5de
Instruction ID: ac11f925d7585c5fd4cc22fb6946690b07915b962766820c377d2caef86cc81e
Opcode Fuzzy Hash: 5904e5c5770c510efcb8c937e9e8dc486247d0b4fc95843be1b1df6196a5e5de
Instruction Fuzzy Hash: 6711C97A001249FFDB129F94DC88EAA7F6DEB09394F048012FA199A2A1C7719D55DFB0

Function 00D151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D15218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D15229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D15230
ReleaseDC.USER32(00000000,00000000), ref: 00D15238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D1524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D15261

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0ce376826d1d7fb6e02e2c4bfd06c0a13a106dafa11fe73f4e4488130b4d8316
Instruction ID: 555bc87f26ddd3ae879c4ebe018542d8efeb17e2650bc9c214855e4a566bebe2
Opcode Fuzzy Hash: 0ce376826d1d7fb6e02e2c4bfd06c0a13a106dafa11fe73f4e4488130b4d8316
Instruction Fuzzy Hash: F1014F75A01719BBEB109FA59C49A5EBFB8EF49751F144065FA04E7391DA709800CBB0

Function 00CB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB1C22

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: aa31ecf07909b204b08f46b85f79a2f88520a620d32257f7f7fe86b6be7caa47
Instruction ID: ea3eb1033ea78f8f62e6d6b4cc448e0abd6248ad507e95eb4fa14c01700ac2da
Opcode Fuzzy Hash: aa31ecf07909b204b08f46b85f79a2f88520a620d32257f7f7fe86b6be7caa47
Instruction Fuzzy Hash: BD016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CFE5

Function 00D1EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D1EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D1EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D1EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB75

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9b93c4b50bb2edb175c93fef7fee4ea6c3028e9e4879a7b856be9ad941eb4ea7
Instruction ID: a8d8ba782baab223095cd337eef35022690577fa817bead8111bb1e8c3502b44
Opcode Fuzzy Hash: 9b93c4b50bb2edb175c93fef7fee4ea6c3028e9e4879a7b856be9ad941eb4ea7
Instruction Fuzzy Hash: 61F09076212258BBE7205F529C0DEEF3A7CEFCBB11F005158F601D1290D7A01A01C6B4

Function 00D07439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D07452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D07469
GetWindowDC.USER32(?), ref: 00D07475
GetPixel.GDI32(00000000,?,?), ref: 00D07484
ReleaseDC.USER32(?,00000000), ref: 00D07496
GetSysColor.USER32(00000005), ref: 00D074B0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 38c194543eed299a248fddeeea081ee523c94292a621a45283de61ce21a6fb61
Instruction ID: db1ac704a84fe00c5e306f21230f368be70dd00bc36247e5a86530a2aaa0dd0d
Opcode Fuzzy Hash: 38c194543eed299a248fddeeea081ee523c94292a621a45283de61ce21a6fb61
Instruction Fuzzy Hash: A0017435811205EFEB905FA4DC08BAA7BB5FB06321F255064F91AE22B1CB312E41AB20

Function 00D11874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D1187F
UnloadUserProfile.USERENV(?,?), ref: 00D1188B
CloseHandle.KERNEL32(?), ref: 00D11894
CloseHandle.KERNEL32(?), ref: 00D1189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D118A5
HeapFree.KERNEL32(00000000), ref: 00D118AC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 33825dbd507421d754f6f2c0d6b2becdd2f5c7294341e6dda37e369accc4d0a7
Instruction ID: fc7bdd3225be6b257a41395b350208d5f844a2acdd1586eb18d430e540311c13
Opcode Fuzzy Hash: 33825dbd507421d754f6f2c0d6b2becdd2f5c7294341e6dda37e369accc4d0a7
Instruction Fuzzy Hash: 7CE0E53A216301BBDB415FA1ED0C90ABF39FF5AB22B149220F225C1270CB329420DF60

Function 00D1C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D1C6EE
_wcslen.LIBCMT ref: 00D1C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D1C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D1C7CA

Strings

0, xrefs: 00D1C6AF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4dd24545990d468e077a3939ff55e60fc690646b0ab3b7429020026c55b95943
Instruction ID: 38168a2e66cd20646166b7515ac432e7f98dc0a445f71e0f4719f977745bab60
Opcode Fuzzy Hash: 4dd24545990d468e077a3939ff55e60fc690646b0ab3b7429020026c55b95943
Instruction Fuzzy Hash: 6E51D3716A4300ABD7149F28E885BEA77E8AF45310F08292DF595D21E0DFB0D889DB72

Function 00D3AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D3AEA3

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

GetProcessId.KERNEL32(00000000), ref: 00D3AF38
CloseHandle.KERNEL32(00000000), ref: 00D3AF67

Strings

<, xrefs: 00D3AE6B
@, xrefs: 00D3AE72

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ba12b1633884c0168524d18a88d190aae1b85c4bdecb473ecead65ea96c49036
Instruction ID: 99783781a96098a462ddca15be231a2347b2e690a177ce6d71719fcd4b0bcce0
Opcode Fuzzy Hash: ba12b1633884c0168524d18a88d190aae1b85c4bdecb473ecead65ea96c49036
Instruction Fuzzy Hash: 47716871A00215DFCB14DF58C485A9EBBF0FF08310F048499E856AB3A2CB74ED45DBA1

Function 00D1719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D17206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D1723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D1724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D172CF

Strings

DllGetClassObject, xrefs: 00D17242

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e565a34e14335dbf7897fb84319e1e84ac3541303bbed879b4c3119110e7407e
Instruction ID: 9eda9195a0feeb90aff78225db3f35847332fc9a659ace904ea79742293f9758
Opcode Fuzzy Hash: e565a34e14335dbf7897fb84319e1e84ac3541303bbed879b4c3119110e7407e
Instruction Fuzzy Hash: 6D417C71A05204EFDB15CF54D884ADA7BB9EF49310F1480A9BD09DF22ADBB1D985CBB0

Function 00D43D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D43E35
IsMenu.USER32(?), ref: 00D43E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D43E92
DrawMenuBar.USER32 ref: 00D43EA5

Strings

0, xrefs: 00D43D89

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6eba401465b928f374e4c3d8b23224da1c6a6b040321e0ecd491fe2164ec87ed
Instruction ID: cbee48872ffda7931742c28dd8884310c14ffe2a7608bc8243d56ac3766a9c04
Opcode Fuzzy Hash: 6eba401465b928f374e4c3d8b23224da1c6a6b040321e0ecd491fe2164ec87ed
Instruction Fuzzy Hash: 5E414CB5A12249AFDB10EF58D884A9AB7B9FF49350F084229F91597350D730EE45CF60

Function 00D11DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D11E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D11E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D11EA9

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Strings

ListBox, xrefs: 00D11E25
ComboBox, xrefs: 00D11DF0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4eb911b56f754d35a2af0e0164ff602922c584b41a690773bdc418bf5307d4dc
Instruction ID: 9d84655e9e55f656f756429011ea5511dd46e9dd9efd444d0beb9a71beae6090
Opcode Fuzzy Hash: 4eb911b56f754d35a2af0e0164ff602922c584b41a690773bdc418bf5307d4dc
Instruction Fuzzy Hash: 3B210575A00104BFDB14ABA4EC45DFFB7B9DF46350F148119F926A72E1DF34494AAA30

Function 00D42F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D42F8D
LoadLibraryW.KERNEL32(?), ref: 00D42F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D42FA9
DestroyWindow.USER32(?), ref: 00D42FB1

Strings

SysAnimate32, xrefs: 00D42F68

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: eaa3db5ff2a7428d11394167e99b8fd412b7fca00ca053df6a42c18cc580d071
Instruction ID: 035c911516d358d5e56531720d011b8dc3f335796490623dd00414f12616717c
Opcode Fuzzy Hash: eaa3db5ff2a7428d11394167e99b8fd412b7fca00ca053df6a42c18cc580d071
Instruction Fuzzy Hash: 7021AC71210209ABEB104F66DC80EBB37BDEF59364F944618FA50D21A0D771DC959B70

Function 00CD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CD4D1E,00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002), ref: 00CD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CD4D1E,00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000), ref: 00CD4DC3

Strings

mscoree.dll, xrefs: 00CD4D86
CorExitProcess, xrefs: 00CD4D98

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 69d0f9e26e285e2de0f69f6ba9e17d25b14701e26d5a1f088aac634a82f42af3
Instruction ID: 85f126a30920b271f54bd852b373f3783fe667dd7a0a28005b1dceaf49c097d9
Opcode Fuzzy Hash: 69d0f9e26e285e2de0f69f6ba9e17d25b14701e26d5a1f088aac634a82f42af3
Instruction Fuzzy Hash: 43F03C35A51308ABDB559F94DC49BADBFB5EB48752F0000A9AA09E2360DB315A44DAA0

Function 00D0D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D0D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D0D3BF
FreeLibrary.KERNEL32(00000000), ref: 00D0D3E5

Strings

X64, xrefs: 00D0D2A8
GetSystemWow64DirectoryW, xrefs: 00D0D3B9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0fce355a4cee2dfd57530be26665ce2fcce06bbaf8fb83805379998df8df9965
Instruction ID: 6ab3e510ade7384883871ea958919817b63ae3a21a1662e9b2ec3ed995d7c50b
Opcode Fuzzy Hash: 0fce355a4cee2dfd57530be26665ce2fcce06bbaf8fb83805379998df8df9965
Instruction Fuzzy Hash: 12F05C79406B10EBD7B01FA08C58B6D77165F01701B58911BF44EE1284D760CD44C7BA

Function 00CB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00CB4EA8
kernel32.dll, xrefs: 00CB4E94

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 201ec6bafa3f2bfe11f9babc05010f30af70aad50214c5debe739eef5b771aea
Instruction ID: ad8ec9f6ecca1f8db3bf91f1c74b15742185bb2ddfd817a908e582d279d1fe74
Opcode Fuzzy Hash: 201ec6bafa3f2bfe11f9babc05010f30af70aad50214c5debe739eef5b771aea
Instruction Fuzzy Hash: 84E0CD39A177225FD3711F296C18B9FA554AF82F62F050115FC04D2342DB60CE0585B1

Function 00CB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CB4E74
FreeLibrary.KERNEL32(00000000,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CB4E6E
kernel32.dll, xrefs: 00CB4E5B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f58c9a578de30be6a22215a23d79254c95bfa3be2375b164958eef03275355b4
Instruction ID: 16dc2b49f74db0d72751a4a2cef70fb55cc669f0dfe265b5717cc3352cee1772
Opcode Fuzzy Hash: f58c9a578de30be6a22215a23d79254c95bfa3be2375b164958eef03275355b4
Instruction Fuzzy Hash: 34D0C239517B615B46621F246C08DCBAB18AF82B123050110B804E2211CF20CE01C5F1

Function 00D22947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22C05
DeleteFileW.KERNEL32(?), ref: 00D22C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D22C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22CC0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b4fc8b5ec9c369500a517f49ac85b6e7e80baa8bef1aaa953b9ce9b6551c9699
Instruction ID: d5bf89979cb22656e0f3b30b314352ae4685968dc7335afdf0125cba23362230
Opcode Fuzzy Hash: b4fc8b5ec9c369500a517f49ac85b6e7e80baa8bef1aaa953b9ce9b6551c9699
Instruction Fuzzy Hash: DBB16F71D00229ABDF21EFA4DC85EEEB77DEF59314F0040A6F609E6241EA319A449F71

Function 00D3A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D3A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D3A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D3A468
CloseHandle.KERNEL32(?), ref: 00D3A63D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 80c1f18d04226b4756e05f2566df64582998f1e675b40b6712a02718ed1a6032
Instruction ID: c1b935d5996e34d8a1872fa35b3511eaaee773e11262e09a3e5387f13e62232b
Opcode Fuzzy Hash: 80c1f18d04226b4756e05f2566df64582998f1e675b40b6712a02718ed1a6032
Instruction Fuzzy Hash: 8DA181716047019FD724DF28C886F2AB7E5AF84714F14885DF59A9B3D2DBB0EC418B92

Function 00CEBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D53700), ref: 00CEBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CEBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D81270,000000FF,?,0000003F,00000000,?), ref: 00CEBC36
_free.LIBCMT ref: 00CEBB7F

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CEBD4B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 67ac4a136bb39b40dca759e29a1945d0f109d359abebb5651884a17dfff11142
Instruction ID: d8b8799fe64e2ec96034b13714187d0b40fd87495c7df56b6f6fe98424e53038
Opcode Fuzzy Hash: 67ac4a136bb39b40dca759e29a1945d0f109d359abebb5651884a17dfff11142
Instruction Fuzzy Hash: 0A51FB75904389AFCB10EF669C42ABFB7BCEF44310F20026AE564D72A1EB305E459B60

Function 00D1E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D1CF22,?), ref: 00D1DDFD

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D1CF22,?), ref: 00D1DE16

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D1E473
MoveFileW.KERNEL32(?,?), ref: 00D1E4AC
_wcslen.LIBCMT ref: 00D1E5EB
_wcslen.LIBCMT ref: 00D1E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D1E650

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 10b2e37e36ba1b4f8cae6e6e631ee057d46822545f996ba39a0d654dacc34e5f
Instruction ID: e0360736202a062cfd858bd81906bcb80df9e0854c549f37d93014cefd91f5a8
Opcode Fuzzy Hash: 10b2e37e36ba1b4f8cae6e6e631ee057d46822545f996ba39a0d654dacc34e5f
Instruction Fuzzy Hash: 1B5140B2508345ABD724DB90E8819DBB3ECEF85340F04491EFA89D3191EF75A6888776

Function 00D3B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D3BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D3BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D3BBB3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 426395cd083805861da394d3080f302603ac55da2ee18572325875ae03c826a9
Instruction ID: 3a88bf9dcd25dcd7a21c46a851c1b70dd5b18781257c735af2c85a4da59c01c9
Opcode Fuzzy Hash: 426395cd083805861da394d3080f302603ac55da2ee18572325875ae03c826a9
Instruction Fuzzy Hash: CD61C331208241EFD314DF14C491E6ABBE5FF84318F18855DF5998B2A2DB31ED45DBA2

Function 00D18BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D18BCD
VariantClear.OLEAUT32 ref: 00D18C3E
VariantClear.OLEAUT32 ref: 00D18C9D
VariantClear.OLEAUT32(?), ref: 00D18D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D18D3B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8cf506022d99440185049848ed12ba769e3eb272f69b4c28c8aa98110401df67
Instruction ID: ce19c4f9d4178330131c5577c6191e6d6a8ec584129d18275a829029d919da86
Opcode Fuzzy Hash: 8cf506022d99440185049848ed12ba769e3eb272f69b4c28c8aa98110401df67
Instruction Fuzzy Hash: 3C516AB5A00219EFCB10CF68D884AAAB7F5FF89310B158559F909DB350EB30E911CFA0

Function 00D28AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D28BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D28BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D28C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D28C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D28C5F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c21f8b2ab863c642a2ab99948d0fc9f848e4d7ee9ab6c587102e8e9766cf2265
Instruction ID: 200804c7998d609a3c39f72b490bae06f22800b7f6a877db5f8c1111a6f86074
Opcode Fuzzy Hash: c21f8b2ab863c642a2ab99948d0fc9f848e4d7ee9ab6c587102e8e9766cf2265
Instruction Fuzzy Hash: 78514B35A002159FCB15DF64C881EADBBF5FF49314F088498E849AB362DB31ED51EBA0

Function 00D38EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D38F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D38FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D38FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D39032
FreeLibrary.KERNEL32(00000000), ref: 00D39052

Part of subcall function 00CCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D21043,?,7529E610), ref: 00CCF6E6
Part of subcall function 00CCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D0FA64,00000000,00000000,?,?,00D21043,?,7529E610,?,00D0FA64), ref: 00CCF70D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e7078fc5bcb1a6806fd74e6a5da74b746120fef350b7617d603e2ab1ea92e395
Instruction ID: 9c75067600df9dc37f5b39fbcebc5ac2409a2c081d983d9df025db257836b3f9
Opcode Fuzzy Hash: e7078fc5bcb1a6806fd74e6a5da74b746120fef350b7617d603e2ab1ea92e395
Instruction Fuzzy Hash: 0D512835605205DFCB15DF68C4948ADBBB1FF49314F0880A8E80A9B362DB71ED86DBA1

Function 00D46B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D46C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D46C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D46C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D2AB79,00000000,00000000), ref: 00D46C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D46CC7

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8f18db4f6c4030c1ef67bb59553a5dd8d68f87e1c16522b7849a97b86d524b69
Instruction ID: 281b07a4f72c29c206a4489e2f5317d0401d2037e5c95396893f4a3a3a78305a
Opcode Fuzzy Hash: 8f18db4f6c4030c1ef67bb59553a5dd8d68f87e1c16522b7849a97b86d524b69
Instruction Fuzzy Hash: 40419235A04204AFDB24DF68CC94FA97FA5EB0B350F190268F896E73A0C771ED41DA61

Function 00CE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE20C3
_free.LIBCMT ref: 00CE20E3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5615e28dc761099249cc05cda3bdbb2bfa68a90dbab15e9acda9c0c58d3f4269
Instruction ID: 91f4cf92146f116f2bfbf5837cfd6a128105a1bb8ba3254fce78dfe8fe2020ee
Opcode Fuzzy Hash: 5615e28dc761099249cc05cda3bdbb2bfa68a90dbab15e9acda9c0c58d3f4269
Instruction Fuzzy Hash: 4741E232A002409FCB24DF79C881B5DB3A9EF89310F15456DE616EB392E731AE01DB80

Function 00CC912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC9141
ScreenToClient.USER32(00000000,?), ref: 00CC915E
GetAsyncKeyState.USER32(00000001), ref: 00CC9183
GetAsyncKeyState.USER32(00000002), ref: 00CC919D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a5a12b924aa8272b330a9959346b76d43d50bd2e4f130edc47a8a9c62d10a3e0
Instruction ID: 23fa35ffcafd873e70cb569cb2aac3119063843b87243354f6c55b57864aa7db
Opcode Fuzzy Hash: a5a12b924aa8272b330a9959346b76d43d50bd2e4f130edc47a8a9c62d10a3e0
Instruction Fuzzy Hash: 3F415E31A0861AFBDF159F64C849BEEB775FF05320F248219E429A72E0C7746A50DBA1

Function 00D23874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D23922
TranslateMessage.USER32(?), ref: 00D2394B
DispatchMessageW.USER32(?), ref: 00D23955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D23966

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e7ef7ab6dadc728298a93f17192dd0b1c4089b1590763ca8e4afb47a10a37b2f
Instruction ID: 1fc40a61d2616e7941ab24269b3aacbf4816abeeab07b1da9ec1c29bc8215f1d
Opcode Fuzzy Hash: e7ef7ab6dadc728298a93f17192dd0b1c4089b1590763ca8e4afb47a10a37b2f
Instruction Fuzzy Hash: 6B31D9745143519FEB35CB34E849BB677ACEB26308F08055DE4A2C6290D3B996C9CF31

Function 00D2CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D2CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFF2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 29110cb61d7f9b0a7bdde88664d9b95c7676d04478cc9bb8a50a6d66113d029f
Instruction ID: 4acfabed2ca1348788bca2d9d668de276387f7edcdc93314e63062f7fac5e16f
Opcode Fuzzy Hash: 29110cb61d7f9b0a7bdde88664d9b95c7676d04478cc9bb8a50a6d66113d029f
Instruction Fuzzy Hash: CC31AB71511315EFDB20CFA5E984AAEBBFAEF24308B14502EF106D2200EB30EE019B70

Function 00D11901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D11915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D119E2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6c732311bb188fb8e5c3135baff34e6f08f3a51e8e732f5870c691905557fdde
Instruction ID: 98a77cc5802c6d93dc7a18fd4e8dd75618fdc9264d82edc41bc331034e3bc102
Opcode Fuzzy Hash: 6c732311bb188fb8e5c3135baff34e6f08f3a51e8e732f5870c691905557fdde
Instruction Fuzzy Hash: 4031AF75A00219EFCB00CFA8D999ADE3BB5EB05315F148225FA71E72D1C7709984CFA0

Function 00D45706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D45745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D4579D
_wcslen.LIBCMT ref: 00D457AF
_wcslen.LIBCMT ref: 00D457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D45816

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c03a04db8e3e81901d78e7f48d9599b5858519889a19da9505b0b265452f68f8
Instruction ID: 8bd44de9366f75341a237ac44d4c68e19c03f367f79756726c8ddfc8e0544f93
Opcode Fuzzy Hash: c03a04db8e3e81901d78e7f48d9599b5858519889a19da9505b0b265452f68f8
Instruction Fuzzy Hash: DA21A575904618EBDB209F60DC85AED77BCFF05320F148216EA19EA285D770C985CF60

Function 00D30930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D30951
GetForegroundWindow.USER32 ref: 00D30968
GetDC.USER32(00000000), ref: 00D309A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D309B0
ReleaseDC.USER32(00000000,00000003), ref: 00D309E8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9f5f78c10b586cfa8576ac328e80295ba77412d23cdba6c24269f55cbb00e1dc
Instruction ID: 33d06a0758820cf9e6f550756c962897b1e41b81643830cc9fd1f43310ebfc18
Opcode Fuzzy Hash: 9f5f78c10b586cfa8576ac328e80295ba77412d23cdba6c24269f55cbb00e1dc
Instruction Fuzzy Hash: D4218139600214AFD754EF69D894AAEBBF9EF45710F058068F84AE7362CB70AD04DB70

Function 00CECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CECDE9

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CECE0F
_free.LIBCMT ref: 00CECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CECE31

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: bc639b658cada3d254ef2d6e0f73f786284f08889399edfe57da4fc5ffca3e08
Instruction ID: b5946188b8a5431c6b7b95eb452a83dea32f0f8b1ef8e5bd7451a762cad204fd
Opcode Fuzzy Hash: bc639b658cada3d254ef2d6e0f73f786284f08889399edfe57da4fc5ffca3e08
Instruction Fuzzy Hash: 2B01DF726023957F23211ABB6CCCD7B6A6DEEC7BA13150129F905D7201EA618E0291B0

Function 00CC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
SelectObject.GDI32(?,00000000), ref: 00CC96A2
BeginPath.GDI32(?), ref: 00CC96B9
SelectObject.GDI32(?,00000000), ref: 00CC96E2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 16da468717bd79f74d2b3ea2797889284b474433128d48623092b0af10bc2eec
Instruction ID: e5baae8b0143c3f2f46c9e97161e5d380f1186e91a1436d8acea05221d5396f6
Opcode Fuzzy Hash: 16da468717bd79f74d2b3ea2797889284b474433128d48623092b0af10bc2eec
Instruction Fuzzy Hash: 29218374822305EBDB51AF65EC08BA93B68FB01315F100219F430E62F0D370995ACFB4

Function 00D15711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D15726
_memcmp.LIBVCRUNTIME ref: 00D15744
_memcmp.LIBVCRUNTIME ref: 00D15757
_memcmp.LIBVCRUNTIME ref: 00D1576F
_memcmp.LIBVCRUNTIME ref: 00D15787

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 111207279c382eb0327cce995124cac23879f3d22cdbf7a48a29e6453ac3c8dd
Instruction ID: 18c1728d6e09b6377dc3c26c16e1d5650be196a3e117dcfca4897204537765cb
Opcode Fuzzy Hash: 111207279c382eb0327cce995124cac23879f3d22cdbf7a48a29e6453ac3c8dd
Instruction Fuzzy Hash: 2801B5A5641609FFE2085610BD83FFB735C9BA13A4F184021FE049A2D6FB64ED54D6B0

Function 00CE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6), ref: 00CE2DFD
_free.LIBCMT ref: 00CE2E32
_free.LIBCMT ref: 00CE2E59
SetLastError.KERNEL32(00000000,00CB1129), ref: 00CE2E66
SetLastError.KERNEL32(00000000,00CB1129), ref: 00CE2E6F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4b33548016a7efdcb2cc768e96908074de37a7b373e709a5f52f7c27161fd522
Instruction ID: 36c65f7e7bba029e04d03902e22af05a23683eb60856383c585b9cd09d014436
Opcode Fuzzy Hash: 4b33548016a7efdcb2cc768e96908074de37a7b373e709a5f52f7c27161fd522
Instruction Fuzzy Hash: 0001F4362067D06BC6122B776C4AF2B265DABC27A6B214028F865E3393EB248D015130

Function 00D1000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?,?,00D1035E), ref: 00D1002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?), ref: 00D10064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10070

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a26c4e72a87b9fad3eab7430717ed63d4db4326af390f1610bf1f0ea03160e91
Instruction ID: 76ac71e5e813aa24788a99398817e91351b808f1d138eae6100a9d990b327804
Opcode Fuzzy Hash: a26c4e72a87b9fad3eab7430717ed63d4db4326af390f1610bf1f0ea03160e91
Instruction Fuzzy Hash: 22018F7A611304BFDB505F68EC04BEA7EADEB48792F145124F905E2210EBB1DE808BB0

Function 00D1E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D1E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D1E9A5
Sleep.KERNEL32(00000000), ref: 00D1E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D1E9B7
Sleep.KERNEL32 ref: 00D1E9F3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 58ce4057d3a7321119c22b9e5b15c4fa301f35eaff20db540f0afabf6660f65d
Instruction ID: 650fc002972e55d354d01027d18281166f2adc2bd35cdfe258d4d5f78ce5ea9b
Opcode Fuzzy Hash: 58ce4057d3a7321119c22b9e5b15c4fa301f35eaff20db540f0afabf6660f65d
Instruction Fuzzy Hash: 84015735D0262DEBCF40AFE5E849AEDFB78BB09700F040546E902F2240DF3095908BB1

Function 00D110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5090781f1db0453f46af78509e448a5349f61fa8fef8a56af256732b5bbeaf65
Instruction ID: 2f1b3c78fd61411cfdaabdf331b260882ddc4b1dbdb79da8a58c4010b284b6e0
Opcode Fuzzy Hash: 5090781f1db0453f46af78509e448a5349f61fa8fef8a56af256732b5bbeaf65
Instruction Fuzzy Hash: 1E016D79201305BFDB514FA5EC49AAA3B6EEF86364B140414FA45C3360DA31DC408A70

Function 00D10FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D10FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D10FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D10FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D10FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D11002

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d48f4ba0131a2c4fd544b9fa9833c07f452ad8fe2fc7af337ad82d5ec1d77451
Instruction ID: a0fe3ca2a649c0b4b29c8e51ef421886a84832cc4e70b2d4669b71e58db81273
Opcode Fuzzy Hash: d48f4ba0131a2c4fd544b9fa9833c07f452ad8fe2fc7af337ad82d5ec1d77451
Instruction Fuzzy Hash: C5F04F39612301BBDB214FA4AC4DF963B6DEF8A761F144414FA45C6351CA70DC808A70

Function 00D11014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D1102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D11036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D1104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11062

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5d6cd300a4a94e6d9d49f04591f7aff6717c66b4e98493d3b4d5d78cd60168c9
Instruction ID: a0f11b7a7cae2b14cf04e34d733f5b88212b2c265378c9d7837668b1f66f9e51
Opcode Fuzzy Hash: 5d6cd300a4a94e6d9d49f04591f7aff6717c66b4e98493d3b4d5d78cd60168c9
Instruction Fuzzy Hash: 3FF04939612301BBDB215FA5EC4AF963BADEF8A761F140414FA45C6360CA70D880CA70

Function 00D2030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20324
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20331
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D2033E
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D2034B
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20358
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20365

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 49e1b0a2e538a49e839d1ea9c3ccb9ec495e44c2df1a34faa2acd7ad97106e68
Instruction ID: 3f1d3457b8e3636c3a0ca90f0057496672c68b47f127a50549941d8d03048a1a
Opcode Fuzzy Hash: 49e1b0a2e538a49e839d1ea9c3ccb9ec495e44c2df1a34faa2acd7ad97106e68
Instruction Fuzzy Hash: B001A272801B259FC7309F66E880412FBF9BF603193198A3FD19652932C371A954CF90

Function 00CED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CED752

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CED764
_free.LIBCMT ref: 00CED776
_free.LIBCMT ref: 00CED788
_free.LIBCMT ref: 00CED79A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8672baa51d8d5b5bc8a496a85e117e39f046ee731e4c524c27960f8a444208a
Instruction ID: 3d8731a1cf7a1376c06449ffde048933f13629d740d77a50e048071d4878e951
Opcode Fuzzy Hash: f8672baa51d8d5b5bc8a496a85e117e39f046ee731e4c524c27960f8a444208a
Instruction Fuzzy Hash: 43F09632510388AF8621EB66F9C2D1A77DDBB04310B952C09F06DE7606D734FCC08A70

Function 00D15C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D15C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D15C6F
MessageBeep.USER32(00000000), ref: 00D15C87
KillTimer.USER32(?,0000040A), ref: 00D15CA3
EndDialog.USER32(?,00000001), ref: 00D15CBD

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4a9f91be781ef18fa2bb0b88029a428a53fa40c3934e8b968874cffe8827c769
Instruction ID: bae258d3575519fd7791b527ceb9c866a568b33c9052d00e70c4ad1e60c2c87e
Opcode Fuzzy Hash: 4a9f91be781ef18fa2bb0b88029a428a53fa40c3934e8b968874cffe8827c769
Instruction Fuzzy Hash: 6501D134601B04EBEB205F10FD4EFE677B9BB41B01F041159A683A11E0DFF8AA848AA0

Function 00CE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE22BE

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CE22D0
_free.LIBCMT ref: 00CE22E3
_free.LIBCMT ref: 00CE22F4
_free.LIBCMT ref: 00CE2305

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 17e9e419ac0f5691e7b3247b8ff09a9a0f4e518e5edcda07bf932f363e074b2b
Instruction ID: 07727a9d92b8c0c0e5a5c3d6a846b962c72d6e8dc4f0ad2b837959d4958cfdbd
Opcode Fuzzy Hash: 17e9e419ac0f5691e7b3247b8ff09a9a0f4e518e5edcda07bf932f363e074b2b
Instruction Fuzzy Hash: 25F03A758203648B8622AF55BC03A083F6CFB18760702650EF624D63B2D7340956ABB9

Function 00CC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CC95D4
StrokeAndFillPath.GDI32(?,?,00D071F7,00000000,?,?,?), ref: 00CC95F0
SelectObject.GDI32(?,00000000), ref: 00CC9603
DeleteObject.GDI32 ref: 00CC9616
StrokePath.GDI32(?), ref: 00CC9631

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 86334fc3653239c89eb799b0652b109de37caf43bd66f875fbf8c11425de2115
Instruction ID: b0bb640952b28d637058ebc7dafefcc4cb0797a53a64e5eb79b4d4b7955576be
Opcode Fuzzy Hash: 86334fc3653239c89eb799b0652b109de37caf43bd66f875fbf8c11425de2115
Instruction Fuzzy Hash: 47F0C939026744EBDB666F65ED1CBA43B69EB01322F048218F475D52F0D7308A9ADF35

Function 00CE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CE10F9
__freea.LIBCMT ref: 00CE1117

Part of subcall function 00CE1537: _free.LIBCMT ref: 00CE154F

Strings

a/p, xrefs: 00CE11DE
am/pm, xrefs: 00CE117A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5e4805b465552792795b16e8b5285ea8e9d36e6ed0d905a08a83b46d89b26f4c
Instruction ID: c6b40113995fb332f3922d1a0c034bb9c390e9766bc127a2519b648d219314c7
Opcode Fuzzy Hash: 5e4805b465552792795b16e8b5285ea8e9d36e6ed0d905a08a83b46d89b26f4c
Instruction Fuzzy Hash: 4CD1E2719002C6CACB249F6AC845BFEB7B1FF05300F2C0159EE21AB665D3759EA0CB91

Function 00D37B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0242: EnterCriticalSection.KERNEL32(00D8070C,00D81884,?,?,00CC198B,00D82518,?,?,?,00CB12F9,00000000), ref: 00CD024D
Part of subcall function 00CD0242: LeaveCriticalSection.KERNEL32(00D8070C,?,00CC198B,00D82518,?,?,?,00CB12F9,00000000), ref: 00CD028A

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00CD00A3: __onexit.LIBCMT ref: 00CD00A9

__Init_thread_footer.LIBCMT ref: 00D37BFB

Part of subcall function 00CD01F8: EnterCriticalSection.KERNEL32(00D8070C,?,?,00CC8747,00D82514), ref: 00CD0202
Part of subcall function 00CD01F8: LeaveCriticalSection.KERNEL32(00D8070C,?,00CC8747,00D82514), ref: 00CD0235

Strings

Variable must be of type 'Object'., xrefs: 00D37C3A
5, xrefs: 00D37C78
G, xrefs: 00D37C7F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0d2a60e1045bdbd0552682ad83755c8b37fe00b3cb4c3369124f6714f7e8a6e1
Instruction ID: 9d83d1acd80e5977d50495b3119fb3d978705ab37c57cda4df2f9506be3770f1
Opcode Fuzzy Hash: 0d2a60e1045bdbd0552682ad83755c8b37fe00b3cb4c3369124f6714f7e8a6e1
Instruction Fuzzy Hash: 88918CB0A04609EFCB24EF94E891DBDB7B1FF45300F148059F846AB292DB71AE45DB61

Function 00D12716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D121D0,?,?,00000034,00000800,?,00000034), ref: 00D1B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D12760

Part of subcall function 00D1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D1B3F8

Part of subcall function 00D1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D1B355
Part of subcall function 00D1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D12194,00000034,?,?,00001004,00000000,00000000), ref: 00D1B365
Part of subcall function 00D1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D12194,00000034,?,?,00001004,00000000,00000000), ref: 00D1B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D1281A

Strings

@, xrefs: 00D12832

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c654106363771f916e30377719df5fe494c1a7da7f6c08c84eb0a7408209a79a
Instruction ID: 8a5eb1277983b8d4b153a4edc358f95394602c0a0475422ead96723d83f4721a
Opcode Fuzzy Hash: c654106363771f916e30377719df5fe494c1a7da7f6c08c84eb0a7408209a79a
Instruction Fuzzy Hash: 60412976900218BFDB10DFA4D981AEEBBB8EB09310F048095EA55B7191DA716E85CBB0

Function 00CE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00CE1769
_free.LIBCMT ref: 00CE1834
_free.LIBCMT ref: 00CE183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00CE1760, 00CE1767, 00CE1796, 00CE17CE

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: aea3a487360f2f077adbdb5393e396b81af5c0b4fb3470abe38269a25ebba00e
Instruction ID: dd6ffbf39f470d41dc4a71ae5ed13066f4d508bc19273a3afa460396280b40a2
Opcode Fuzzy Hash: aea3a487360f2f077adbdb5393e396b81af5c0b4fb3470abe38269a25ebba00e
Instruction Fuzzy Hash: 6F31CE75A00298EFCB21DF9ADC81E9EBBFCEB85710B18416AF804D7311D6708E51DBA0

Function 00D1C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D1C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D1C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D81990,016057D8), ref: 00D1C395

Strings

0, xrefs: 00D1C2DF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 84b89a0e7f0ecec607dee56a4902509c307e5d43b333d18ac67f1af16ab88e79
Instruction ID: 836ee5749e5fa537374e6034ff289e707791e9a33f978eafb2efc7722fd8bed2
Opcode Fuzzy Hash: 84b89a0e7f0ecec607dee56a4902509c307e5d43b333d18ac67f1af16ab88e79
Instruction Fuzzy Hash: 6B41A031254301AFD724DF24E884B9ABBE4EF85320F04961EF9A597291DB30E945CB76

Function 00D44416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D4CC08,00000000,?,?,?,?), ref: 00D444AA
GetWindowLongW.USER32 ref: 00D444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D444D7

Strings

SysTreeView32, xrefs: 00D4447C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: fcbe9b17dd3d1232adba7bb0d24944cbd0e5257610e5652ada79da81bfcd7f84
Instruction ID: e411ea688e053d8dae7b386ff419b6dea07b999f96babee236186308a5c0b1ec
Opcode Fuzzy Hash: fcbe9b17dd3d1232adba7bb0d24944cbd0e5257610e5652ada79da81bfcd7f84
Instruction Fuzzy Hash: AE317C32210605AFDF209E78DC45BEA77A9EB09334F248715F979A22E0D770EC909B60

Function 00D3304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D33077,?,?), ref: 00D33378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
_wcslen.LIBCMT ref: 00D3309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D33106

Strings

255.255.255.255, xrefs: 00D33095, 00D3309A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 73d2a26a35dd0b7c6b43d48b1c0c2f634edc26d857785f19dba74173fde2eb33
Instruction ID: a22a291b8b04b73a39569e8f36d6345ab4a61a34040a819c20027bb8b1cf0e14
Opcode Fuzzy Hash: 73d2a26a35dd0b7c6b43d48b1c0c2f634edc26d857785f19dba74173fde2eb33
Instruction Fuzzy Hash: 0831A1396043059FCB24CF68C685EAA77E0EF55358F288059E9158B3A2DB72EE45C770

Function 00D43EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D43F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D43F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D43F78

Strings

SysMonthCal32, xrefs: 00D43F0B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c99e5be023a42b92bb87b6d441fc53f1730cf3c1cd7b6d6a1d3daeb60d137327
Instruction ID: bffe793848edda90f7cdb44319b4c336e5099da357f5e0ab2cd2c381c9447113
Opcode Fuzzy Hash: c99e5be023a42b92bb87b6d441fc53f1730cf3c1cd7b6d6a1d3daeb60d137327
Instruction Fuzzy Hash: 2F21BC32610219BFDF258F94DC46FEA3B79EF48724F150214FE55AB1D0D6B1A8548BA0

Function 00D44653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D44705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D44713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D4471A

Strings

msctls_updown32, xrefs: 00D44684

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 796d18a09842a9a0ed44c02cb405fe75c937e6a9b9482fea2fae75737a313910
Instruction ID: ac49cf6de2b78e66354a14478ae1fbf9b48ecab9079c9c4dea8c183d56612f45
Opcode Fuzzy Hash: 796d18a09842a9a0ed44c02cb405fe75c937e6a9b9482fea2fae75737a313910
Instruction Fuzzy Hash: 9C214AB5600209AFDB10DF64DC81EAA37ADEB5A3A4B050459FA14DB361CB30EC52DAB0

Function 00D195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1961D

Strings

#notrayicon, xrefs: 00D195B7
#OnAutoItStartRegister, xrefs: 00D195F3
#requireadmin, xrefs: 00D195D9

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3581f0dd90ae29ed904b616f698a93f28e29ca820b9da7b19fa11c57cc7289fb
Instruction ID: e06671c6f391cf589feaba9771259f4400223ef3e15d7320e34c7283a304cd22
Opcode Fuzzy Hash: 3581f0dd90ae29ed904b616f698a93f28e29ca820b9da7b19fa11c57cc7289fb
Instruction Fuzzy Hash: 6121F67210451176E331AB24A832FE7B3D9AF91310F58402AFA49A7541EF61AD86D2B5

Function 00D437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D43840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D43850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D43876

Strings

Listbox, xrefs: 00D4380F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d070dd45d3ad66281f9d95b60528b0c27c7a4e4e62696db0d9715210d543787f
Instruction ID: d4768f21b03c2a110c7085efa47dda6f326e127165f7e7d31927379e1838b345
Opcode Fuzzy Hash: d070dd45d3ad66281f9d95b60528b0c27c7a4e4e62696db0d9715210d543787f
Instruction Fuzzy Hash: 2E21D172610218BBEF218F58CC81FBB7B6EEF89760F158124F9449B190C671DC528BB0

Function 00D249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D24A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D24A5C
SetErrorMode.KERNEL32(00000000,?,?,00D4CC08), ref: 00D24AD0

Strings

%lu, xrefs: 00D24A6F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ed7bbf96430312bed346353c558fb6665eb8634c050411de92000b8eb076f9d5
Instruction ID: 82f3ef1396a141a99fd6c514a34d8e17f70c56cf13d7054d4310c0260d64ab3d
Opcode Fuzzy Hash: ed7bbf96430312bed346353c558fb6665eb8634c050411de92000b8eb076f9d5
Instruction Fuzzy Hash: DA315E75A00218AFDB10DF54C985EAA7BF8EF09308F1480A9F909DB252D771ED45CB71

Function 00D441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D4424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D44264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D44271

Strings

msctls_trackbar32, xrefs: 00D44226

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ef8b1a4c803455026666c96b4da73503cd61a6676c52c778ad509f4b11b9e384
Instruction ID: f58cd9d0142a1f92e5b4320bd2a0f1c400958125e4cb45a07aa5d1618e68bcf2
Opcode Fuzzy Hash: ef8b1a4c803455026666c96b4da73503cd61a6676c52c778ad509f4b11b9e384
Instruction Fuzzy Hash: 7411E031240208BFEF205F29CC46FAB3BACEF95B64F014624FA95E20A0D6B1D8519B34

Function 00D12F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Part of subcall function 00D12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D12DC5
Part of subcall function 00D12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D12DD6
Part of subcall function 00D12DA7: GetCurrentThreadId.KERNEL32 ref: 00D12DDD
Part of subcall function 00D12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D12DE4

GetFocus.USER32 ref: 00D12F78

Part of subcall function 00D12DEE: GetParent.USER32(00000000), ref: 00D12DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D12FC3
EnumChildWindows.USER32(?,00D1303B), ref: 00D12FEB

Strings

%s%d, xrefs: 00D12FFF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ad44ff5974066b22d0131c99257c4209edd47d17b48cf9bdad5fc30b4249b902
Instruction ID: 7b60bda3733f4eafe1dc3901cdedce46d2ebe42e734e9ea1fee168e3acfc064f
Opcode Fuzzy Hash: ad44ff5974066b22d0131c99257c4209edd47d17b48cf9bdad5fc30b4249b902
Instruction Fuzzy Hash: 2D11DF75200205ABCF547F60EC95EEE37AAEF88304F048079F9099B292DE3199899B70

Function 00D45882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D458EE
DrawMenuBar.USER32(?), ref: 00D458FD

Strings

0, xrefs: 00D4588F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 327876be6683f2832116180d0406c07bd87dbdb7df26b8a9ada739e005437205
Instruction ID: 6278ac024420ca6776100f6ac9f69f12bb4e0d57c3d4ee1be92c391df4ebb969
Opcode Fuzzy Hash: 327876be6683f2832116180d0406c07bd87dbdb7df26b8a9ada739e005437205
Instruction Fuzzy Hash: 94016D35501218EFDB619F11EC44BAEBBB5FB46760F14809DE849DA252DB308A85EF31

Function 00D1007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debeab6062b2d81cc7bb249c8786d2252e84c52628e018cb11035927e718c9dc
Instruction ID: dae27ffe118a30679ff4c88ad373e0831daafc12486bacca9640c8cdcae7021c
Opcode Fuzzy Hash: debeab6062b2d81cc7bb249c8786d2252e84c52628e018cb11035927e718c9dc
Instruction Fuzzy Hash: D4C16D75A0020AEFCB14DF94D894AAEBBB5FF48304F148598E515EB251DB71EDC1CBA0

Function 00CE3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CE3F0B
__alldvrm.LIBCMT ref: 00CE410C
__alldvrm.LIBCMT ref: 00CE412E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 38bb549d81f13e2a520e032f5878339fc0e2644b931af169f277c127ec89dfe3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 49A15771D003C69FDB2ACF5AC8917AEBBF4EF65350F1841ADE5959B281C2389E81C750

Function 00D3342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D33459
CoUninitialize.OLE32 ref: 00D33463
VariantInit.OLEAUT32(?), ref: 00D3346E
VariantClear.OLEAUT32(?), ref: 00D3371B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: dca26b48cef4d5bfa4011c66cbff7a4fa585bd887c1b7769bc3b8ad0e9fa39ba
Instruction ID: 59561b2e2879d33dc7ea96bb2d46d7631f4953f5373a771b0cf8eb20d2910346
Opcode Fuzzy Hash: dca26b48cef4d5bfa4011c66cbff7a4fa585bd887c1b7769bc3b8ad0e9fa39ba
Instruction Fuzzy Hash: 91A14D756043009FC710DF28C586A6AB7E5FF89714F08895DF98A9B362DB30EE05DBA1

Function 00D10436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D10608
CLSIDFromProgID.OLE32(?,?,00000000,00D4CC40,000000FF,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D1062D
_memcmp.LIBVCRUNTIME ref: 00D1064E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b429d04338e1424f2be5f8b282a4db4f67cdd5d7217b34c9e60eb5c5b8175a56
Instruction ID: 59deaf641fa1856f1bda4bfceb1e02d5969def9b87452843f1fa55f1d6695d58
Opcode Fuzzy Hash: b429d04338e1424f2be5f8b282a4db4f67cdd5d7217b34c9e60eb5c5b8175a56
Instruction Fuzzy Hash: DE811B75A00109EFCB04DF94C984EEEBBB9FF89315F244558E506EB250DB71AE86CB60

Function 00D3A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D3A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D3A6BA

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D3A79C
CloseHandle.KERNEL32(00000000), ref: 00D3A7AB

Part of subcall function 00CCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CF3303,?), ref: 00CCCE8A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e01fd6d34ed5b692461dd604e7dc1a7e9490e13d7c3e37fc372f6647686f8495
Instruction ID: 39174cc32a2c2ccba054fec66ca2677a89aea2b57d4182b551823811e7045c43
Opcode Fuzzy Hash: e01fd6d34ed5b692461dd604e7dc1a7e9490e13d7c3e37fc372f6647686f8495
Instruction Fuzzy Hash: B2512B71608300AFD710EF24C886E6BBBE8FF89754F44491DF985972A1EB31D904DBA2

Function 00CF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF14C0

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e5c5372fe0760290d1c140e54841ee0f21b089f6979d76547673b26c36c5f54d
Instruction ID: b46f0b7afbdabc0b1a9d41fd85b0b2c3a0fa7cc7c33c852a9b1f6490abb23ff8
Opcode Fuzzy Hash: e5c5372fe0760290d1c140e54841ee0f21b089f6979d76547673b26c36c5f54d
Instruction Fuzzy Hash: 9241213150014CDBDB656BBA9C457BE3EA4FF81370F1C4225FE29D6291E63489416673

Function 00D46278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D462E2
ScreenToClient.USER32(?,?), ref: 00D46315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D46382

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 47f2d90e6b9217e4da75b0f656a900f69443c6ac06f0c18e4120d9681a1d748c
Instruction ID: 0ed89b138966b308df2d2cdf7d3d6c1b1de1e9d954fffdbfa39eac2810da2032
Opcode Fuzzy Hash: 47f2d90e6b9217e4da75b0f656a900f69443c6ac06f0c18e4120d9681a1d748c
Instruction Fuzzy Hash: 60512C74A00249EFCF14DF64D8849AE7BB5FB46364F188159F826D72A0D730ED41CB61

Function 00D31AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D31AFD
WSAGetLastError.WSOCK32 ref: 00D31B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D31B8A
WSAGetLastError.WSOCK32 ref: 00D31B94

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 69337827a9815065c8802d6fca85d7c4fa48bb09d7c5c966d835f60e881b6377
Instruction ID: 8682a00ccaf452c4131873803e4f9d51df0d2aeaed40fd42adb2d23a0fb8ced2
Opcode Fuzzy Hash: 69337827a9815065c8802d6fca85d7c4fa48bb09d7c5c966d835f60e881b6377
Instruction Fuzzy Hash: A741C338640201AFE720EF24C886F6A77E5AB45718F58848CF91A9F3D2D772DD41DBA0

Function 00CEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47712061d16fc450b48f1672f0a02e4303c0f9f9800b09d8f0929ead5f8c048f
Instruction ID: 7e60ba86c470280bf0c7a0f27abaa61f262397bbe50dfa5fd60ddc84b20400f9
Opcode Fuzzy Hash: 47712061d16fc450b48f1672f0a02e4303c0f9f9800b09d8f0929ead5f8c048f
Instruction Fuzzy Hash: 2541C3B1A00684AFD7249F79CC45B7BBBE9EB88710F10452EF552DB2C2D771AA019B90

Function 00D256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D25783
GetLastError.KERNEL32(?,00000000), ref: 00D257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D257FA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2dfa4f2d5aff902cf1bd905ff2f564b0ff9a47a1a362437e8ef1efc5c23700de
Instruction ID: 9647a272a284594ef1f8c9433678c7a0313634e370e45f655c6df5b5eb1f2638
Opcode Fuzzy Hash: 2dfa4f2d5aff902cf1bd905ff2f564b0ff9a47a1a362437e8ef1efc5c23700de
Instruction Fuzzy Hash: 02413C39200610DFCB20DF15D485A59BBE2EF89324F188488EC4A9B362CB70FD44DBA1

Function 00CED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CD6D71,00000000,00000000,00CD82D9,?,00CD82D9,?,00000001,00CD6D71,8BE85006,00000001,00CD82D9,00CD82D9), ref: 00CED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CED9AB
__freea.LIBCMT ref: 00CED9B4

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d715e0e7bb785e527044acf4534e2bc7a372baf2a0e256dc2e965ab6a3a64da0
Instruction ID: 461c8a070cc3228f858f540c4414836e591b81bdaa900419db4a56769a1eb65f
Opcode Fuzzy Hash: d715e0e7bb785e527044acf4534e2bc7a372baf2a0e256dc2e965ab6a3a64da0
Instruction Fuzzy Hash: 76310F72A1034AABDF24CF66DC45EAE7BA5EB40310F050169FC15D7292EB35CE50CBA0

Function 00D452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D45352
GetWindowLongW.USER32(?,000000F0), ref: 00D45375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D45382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D453A8

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f8facb0a53b958f94c9190a2ddf54c2421292b84c815c657f5127c759cdea917
Instruction ID: a1f5678ce72ed251cd0af775ff0b3fcfa53d819ef9df4ebfcdf493099b5f0dc4
Opcode Fuzzy Hash: f8facb0a53b958f94c9190a2ddf54c2421292b84c815c657f5127c759cdea917
Instruction Fuzzy Hash: 6F31E234A55A08EFEF309F14EC0DBE837A5AB05390F5C4141FA51962E6C7B1AD40DB71

Function 00D1AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00D1ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D1AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D1AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00D1ACC6

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7d00f5fbc356ebc06108c431ee94c0c3f5f36ccf4af0d11efdaf3e27bd57b2ea
Instruction ID: 3494b4944de7d8ddf3784728e009dac7be8eb46d0cad3e5e3a3dc5eb47758bef
Opcode Fuzzy Hash: 7d00f5fbc356ebc06108c431ee94c0c3f5f36ccf4af0d11efdaf3e27bd57b2ea
Instruction Fuzzy Hash: 3E310834A027187FEF35CB69AC147FA7BA7AB85310F08421AE485922D1DB7589C587F2

Function 00D47674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D4769A
GetWindowRect.USER32(?,?), ref: 00D47710
PtInRect.USER32(?,?,00D48B89), ref: 00D47720
MessageBeep.USER32(00000000), ref: 00D4778C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2cb874d508c3c918fedc3d5c16d5365f293712a029e9bfb4e981318b0dbffd2d
Instruction ID: b7a61487ea70a70e045fe07e76d5e2eaa3555ea0497d294ac26ae50e3ed14033
Opcode Fuzzy Hash: 2cb874d508c3c918fedc3d5c16d5365f293712a029e9bfb4e981318b0dbffd2d
Instruction Fuzzy Hash: 63415938A052149FCB11DF58C894EA9B7F9FB49314F5981A8E864DB361C731E946CFB0

Function 00D416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D416EB

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

GetCaretPos.USER32(?), ref: 00D416FF
ClientToScreen.USER32(00000000,?), ref: 00D4174C
GetForegroundWindow.USER32 ref: 00D41752

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0341db2c213bea3180a9553f6fb6a842f1b822995d61ab1649d792e8b02e4755
Instruction ID: 3e978d5f54e1829e5e5e5be5d0f602de5283e1ca60707b22ba76a174fdc65a1b
Opcode Fuzzy Hash: 0341db2c213bea3180a9553f6fb6a842f1b822995d61ab1649d792e8b02e4755
Instruction Fuzzy Hash: EC311D75D00249AFCB04EFA9D8818EEBBF9EF49304B5480AAE415E7211DB35DE45CBA0

Function 00D1DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

_wcslen.LIBCMT ref: 00D1DFCB
_wcslen.LIBCMT ref: 00D1DFE2
_wcslen.LIBCMT ref: 00D1E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00D1E018

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 4d06e83ad623ab9c1c064aa6b26da91275697e8a9d784087a30f86128ffb09c6
Instruction ID: 457db41ec9c5e36e7516ec23bb766ada09fe2b48bd86564b43cfef7392fa9a99
Opcode Fuzzy Hash: 4d06e83ad623ab9c1c064aa6b26da91275697e8a9d784087a30f86128ffb09c6
Instruction Fuzzy Hash: 99219F75D00214AFCB209FA8D982BAEB7F8EF49750F144069E905BB381DA709E418BB1

Function 00D48FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetCursorPos.USER32(?), ref: 00D49001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D07711,?,?,?,?,?), ref: 00D49016
GetCursorPos.USER32(?), ref: 00D4905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D07711,?,?,?), ref: 00D49094

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 73611a08499ed90d83fe1472cbce6026ecf04c402cc517d7d9f736f4b4646650
Instruction ID: 46384bc6ba16a684e3bcabdd9a9493cd0505be9df8cee7bbe24f20039006a16d
Opcode Fuzzy Hash: 73611a08499ed90d83fe1472cbce6026ecf04c402cc517d7d9f736f4b4646650
Instruction Fuzzy Hash: D821BF35601118EFDB25CF95C868EEBBBB9EB4A350F044059F94587261C7319D90DF70

Function 00D1D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D4CB68), ref: 00D1D2FB
GetLastError.KERNEL32 ref: 00D1D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D1D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D4CB68), ref: 00D1D376

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f71e6004b316e26808694b95e999704884a01b56d3164d405cd056c9b330e661
Instruction ID: 3bd5d36b79ac6b7404a324cbb6fc078c5f69307a217972b710075dedc24dbc61
Opcode Fuzzy Hash: f71e6004b316e26808694b95e999704884a01b56d3164d405cd056c9b330e661
Instruction Fuzzy Hash: 4121B274509301AF8710DF68D8818EE77E4EE56324F644A1DF4A9C32E1DB31D98ACBA3

Function 00D11571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D1102A
Part of subcall function 00D11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D11036
Part of subcall function 00D11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11045
Part of subcall function 00D11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D1104C
Part of subcall function 00D11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D115BE
_memcmp.LIBVCRUNTIME ref: 00D115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D11617
HeapFree.KERNEL32(00000000), ref: 00D1161E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2a6282067ec7836a4ff5ae337f82eff61f91ce9ea5ad470947dbf5a3bb0f0a0d
Instruction ID: 5353e0cc8c4d9d85770941cbc215eb10daeb4310dcfb830079764c426c70fafe
Opcode Fuzzy Hash: 2a6282067ec7836a4ff5ae337f82eff61f91ce9ea5ad470947dbf5a3bb0f0a0d
Instruction Fuzzy Hash: D8219A75E01208FFDF10DFA4D945BEEB7B9EF84344F084459E541AB241EB31AA85CBA0

Function 00D42782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D4280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D42824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D42832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D42840

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 699a40366eed7f014351595f009c1c2293cce2f1307bccce1e0fbe2d809316b8
Instruction ID: fc4b1e10195fc42fd4bc293595f6f3f9c34b9688de72a7e4d4b265a5d1979863
Opcode Fuzzy Hash: 699a40366eed7f014351595f009c1c2293cce2f1307bccce1e0fbe2d809316b8
Instruction Fuzzy Hash: 2D21A135205611AFD7149B24C845FBA7BA9EF46324F588158F426CB6E2CB71FC42CBB1

Function 00D178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?), ref: 00D18D8C
Part of subcall function 00D18D7D: lstrcpyW.KERNEL32(00000000,?,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D18DB2
Part of subcall function 00D18D7D: lstrcmpiW.KERNEL32(00000000,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?), ref: 00D18DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17923
lstrcpyW.KERNEL32(00000000,?,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17984

Strings

cdecl, xrefs: 00D1797B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: dc349afc5d9ccdfec358380a72b6c7579e0d834a693dd773a2a47ca27f98d234
Instruction ID: 8ee57907e6824d37e1f025634889dc0344eba8fb82e925dfd886ab4f3b626fbb
Opcode Fuzzy Hash: dc349afc5d9ccdfec358380a72b6c7579e0d834a693dd773a2a47ca27f98d234
Instruction Fuzzy Hash: 5811A23A201301BBCB159F34E845EBA77A5EF85350B50402AE946C72A4EF3198559BB1

Function 00D47CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D47D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D47D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D47D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D2B7AD,00000000), ref: 00D47D6B

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7c9918559c49f2942dbd6fd733fbeac00a83b2ea87101fee9d2dd7f6cc8f3db3
Instruction ID: 39699d87feb5360a011d0284971a808240d57e5d999999e0201229b3f5ad5c96
Opcode Fuzzy Hash: 7c9918559c49f2942dbd6fd733fbeac00a83b2ea87101fee9d2dd7f6cc8f3db3
Instruction Fuzzy Hash: F9117235625615EFCB109F68CC04AAA3BA9AF46360F198724F839D72F0D7309D52DB60

Function 00D45660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D456BB
_wcslen.LIBCMT ref: 00D456CD
_wcslen.LIBCMT ref: 00D456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D45816

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c4751db1afadf6688a3cd6ca1b74f0ef3a849d99ffa32405e1009917cbbdf04b
Instruction ID: 551661ff61d4b7a68a136427e789ed36c1ef9de77d03836528bbe326e5d2b2c7
Opcode Fuzzy Hash: c4751db1afadf6688a3cd6ca1b74f0ef3a849d99ffa32405e1009917cbbdf04b
Instruction Fuzzy Hash: FF11D375600608A7DF209F61EC85AEE77BCEF12760B144026FA15D6186EB70CA84CF70

Function 00CE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39746697225b02cb6135e1380b80c6dcc15fef5cfd964b4fbaf2fcea8cb38f2
Instruction ID: a260b48b70f47173f5bf9cf5d709e7c17ac7dfc57dc63ddf20e77cdf7bdbe809
Opcode Fuzzy Hash: f39746697225b02cb6135e1380b80c6dcc15fef5cfd964b4fbaf2fcea8cb38f2
Instruction Fuzzy Hash: 8101D6B220579A3FF6121A7A6CC1F27661CDF813B8F391325F931912D2DB718E105170

Function 00D11A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D11A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A8A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cde2e920835876c8c38ccf6c7f26eecaed88e526295203e512ffdccd98099627
Instruction ID: 50f4b0aa5d694c4871d823c6a285e03d0467a0464f8e33b66ee431d565f7c9d8
Opcode Fuzzy Hash: cde2e920835876c8c38ccf6c7f26eecaed88e526295203e512ffdccd98099627
Instruction Fuzzy Hash: 8511FA3A901219FFEB119BA5D985FEDBB78EF04750F200091EA04B7290DA716E51DBA4

Function 00D1E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D1E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D1E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D1E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D1E24D

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3b2a89197ee9bfa475bc07518403af23b4a7db70453a36b8d93b4c0de14193c8
Instruction ID: 6675ac1a0a2694dc30e9ecba95024d689c787bb25db4da81868eae66296c4c96
Opcode Fuzzy Hash: 3b2a89197ee9bfa475bc07518403af23b4a7db70453a36b8d93b4c0de14193c8
Instruction Fuzzy Hash: 3111C47AA14354BBC7119FA8AC09AEE7FACAB46320F144255FD25E3391D6B0CD4487B0

Function 00CDD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CDCFF9,00000000,00000004,00000000), ref: 00CDD218
GetLastError.KERNEL32 ref: 00CDD224
__dosmaperr.LIBCMT ref: 00CDD22B
ResumeThread.KERNEL32(00000000), ref: 00CDD249

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ee19c5340905403d55a26ab584ffb0cc09b08098c4dd660d56b5303569e9249b
Instruction ID: 6072616b102b6ab2146c6758a68c02541a9803189d7014268a0fb2937f4f8056
Opcode Fuzzy Hash: ee19c5340905403d55a26ab584ffb0cc09b08098c4dd660d56b5303569e9249b
Instruction Fuzzy Hash: 2701D676C052047BC7115FA5DC09BAE7A6DEF82331F10021EFA26923D0CB71CD41D6A0

Function 00D49EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetClientRect.USER32(?,?), ref: 00D49F31
GetCursorPos.USER32(?), ref: 00D49F3B
ScreenToClient.USER32(?,?), ref: 00D49F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D49F7A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 20f22448db1385d792c2d615b72ca1155ebac2c87ac8790c3f623cead431fa06
Instruction ID: 1f109ec7c708650b5ae4ccf37792f21d15fd0e5995e2838559ace8c9fe52ef7e
Opcode Fuzzy Hash: 20f22448db1385d792c2d615b72ca1155ebac2c87ac8790c3f623cead431fa06
Instruction Fuzzy Hash: 5311483690121AABDB10EF69D8599EEB7B8FF46311F040455F911E3250D730BE8ACBB1

Function 00CB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
GetStockObject.GDI32(00000011), ref: 00CB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 27c3f39f37abd8d17e432ad87c37161fde3cdccde012c34373141e8014864fb5
Instruction ID: 8c34ffd9b07626a507a2f7f2f5bc753d84144df11916610fdbee34bdee500482
Opcode Fuzzy Hash: 27c3f39f37abd8d17e432ad87c37161fde3cdccde012c34373141e8014864fb5
Instruction Fuzzy Hash: E111A172102608BFEF125F95DC44EFABF6DEF19364F000105FA1492120D7369D60DBA0

Function 00CD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CD3B56

Part of subcall function 00CD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CD3AD2
Part of subcall function 00CD3AA3: ___AdjustPointer.LIBCMT ref: 00CD3AED

_UnwindNestedFrames.LIBCMT ref: 00CD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CD3BA4

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4439fa5f67b8c4ef7c6d062301ac5f6c96cf94c9de516a5628bd9bd6abe9ae2d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0501E932100189BBDF125F95CC46EEB7B6AEF58794F04401AFF5896221C732E961EBA1

Function 00CE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CB13C6,00000000,00000000,?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue), ref: 00CE30A5
GetLastError.KERNEL32(?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue,00D52290,FlsSetValue,00000000,00000364,?,00CE2E46), ref: 00CE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue,00D52290,FlsSetValue,00000000), ref: 00CE30BF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1e9637159678f9dc55ed59c67ca5a8482ce1f19e931b205b6a6fec631aaf2a8b
Instruction ID: 3a4324eb115ca6ea6a07fd59131dea43ccaf2866aa55ea8a12e4dbc749d54acf
Opcode Fuzzy Hash: 1e9637159678f9dc55ed59c67ca5a8482ce1f19e931b205b6a6fec631aaf2a8b
Instruction Fuzzy Hash: EE01AC367123A2ABCB718F7B9C4C9677B989F45761B114620F915D7290D721EA01C6F0

Function 00D17464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D1747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D17497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D174CA

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f0ee3dd28463d8d72560f7325b2f357ce9a79daa4c113ddff70662a198ed4df8
Instruction ID: f1e3f771b6c08f8e933562bbda819c07033d58980436cb50c5b0683aaba39d4c
Opcode Fuzzy Hash: f0ee3dd28463d8d72560f7325b2f357ce9a79daa4c113ddff70662a198ed4df8
Instruction Fuzzy Hash: 1011A1B5206314ABE7208F54ED08BD27BFCEB00B00F108569A656D6161DB70E984DB70

Function 00D1B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B126

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7a3aee6cf2c2f673d8b9d08b14935cde320684299109309096eba264dc68cc11
Instruction ID: 6e32b50d42aa851975333f020639e75dae4d3ecde8ac74b6da616a934568c584
Opcode Fuzzy Hash: 7a3aee6cf2c2f673d8b9d08b14935cde320684299109309096eba264dc68cc11
Instruction Fuzzy Hash: 15113C31D01718F7CF009FE4E9586EEBB78FF0A721F114086D951B2241CF3095908B61

Function 00D47E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D47E33
ScreenToClient.USER32(?,?), ref: 00D47E4B
ScreenToClient.USER32(?,?), ref: 00D47E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D47E8A

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0918453c4386436ef23e3a290f72e5686d1c47ddc7e7ec81fac69c1464a67f6d
Instruction ID: e501bc3bc3d3b8f36ce9caf79520eb4d1b9aaa193db6a7ef2638eb0cfa285f44
Opcode Fuzzy Hash: 0918453c4386436ef23e3a290f72e5686d1c47ddc7e7ec81fac69c1464a67f6d
Instruction Fuzzy Hash: A21143B9D0020AAFDB41CF98C8849EEBBF5FB09310F509166E915E2210D735AA55CF60

Function 00D12DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D12DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D12DD6
GetCurrentThreadId.KERNEL32 ref: 00D12DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D12DE4

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bbd6ef385cf912ee8a0ddd6a64c3dd4d7d8c28510bc4157664e0d10992c7255f
Instruction ID: d7429e8bf823fc81d9b192f918f1948abe16bb3f2282aa096f176b4977211624
Opcode Fuzzy Hash: bbd6ef385cf912ee8a0ddd6a64c3dd4d7d8c28510bc4157664e0d10992c7255f
Instruction Fuzzy Hash: 75E06D752123287BDB201BA2EC0DEFB3E6CEB43BA1F055015B105D11909AA5C880C6F0

Function 00D48863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96A2
Part of subcall function 00CC9639: BeginPath.GDI32(?), ref: 00CC96B9
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D48887
LineTo.GDI32(?,?,?), ref: 00D48894
EndPath.GDI32(?), ref: 00D488A4
StrokePath.GDI32(?), ref: 00D488B2

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a3823977ce82ccde06183541cf6b385ce08fafec15aeae96e28da35f65cbec05
Instruction ID: edb4c88fc3cf5044a2497aef38a3e304cba574f86b26cd4ed25a14bc7ca4f341
Opcode Fuzzy Hash: a3823977ce82ccde06183541cf6b385ce08fafec15aeae96e28da35f65cbec05
Instruction Fuzzy Hash: D3F03A3A052358BBDB126F94AC09FCE3A59AF06350F048100FA11A52E2C7755511DFF9

Function 00CC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CC98CC
SetTextColor.GDI32(?,?), ref: 00CC98D6
SetBkMode.GDI32(?,00000001), ref: 00CC98E9
GetStockObject.GDI32(00000005), ref: 00CC98F1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e79b0a14a21df1df872e1daddbd7b39b1c199464ab4b204ebe585c347cfb3b3f
Instruction ID: e79f7855a489b8ee658dd672856e222fcf25e8789891277d6dfdd864487d8603
Opcode Fuzzy Hash: e79b0a14a21df1df872e1daddbd7b39b1c199464ab4b204ebe585c347cfb3b3f
Instruction Fuzzy Hash: 1EE06D35655780ABEB615F74EC0DBE83F20EB16336F089219F6FA981E1C77256409B30

Function 00D1162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D11634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D111D9), ref: 00D1163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D111D9), ref: 00D11648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D111D9), ref: 00D1164F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 72cdea850210911a402c3ad7a7dc46920cb24a278410304e7093a7c8f31ed473
Instruction ID: f1b941e9226d4b3a0d11ab82050015027f96272225f34d38c8d4cad6b55079af
Opcode Fuzzy Hash: 72cdea850210911a402c3ad7a7dc46920cb24a278410304e7093a7c8f31ed473
Instruction Fuzzy Hash: 2EE0463A612311ABD7B01FA0AE0DB863BA8AF46792F188808F245C9090EA6484808B74

Function 00D0D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D0D858
GetDC.USER32(00000000), ref: 00D0D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D0D882
ReleaseDC.USER32(?), ref: 00D0D8A3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9275ec6361972a863ea74511f644f6d2c27357cff63c8484f98caf1a777ad96c
Instruction ID: 6a064a32a0d18ec292eab6c6a24ba9183f87a584916d0f630cc8e118b1dc141c
Opcode Fuzzy Hash: 9275ec6361972a863ea74511f644f6d2c27357cff63c8484f98caf1a777ad96c
Instruction Fuzzy Hash: F8E01AB8811304DFCB819FE4D808A6DBBB2FB09310F11E059F846E7360C7388901AF60

Function 00D0D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D0D86C
GetDC.USER32(00000000), ref: 00D0D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D0D882
ReleaseDC.USER32(?), ref: 00D0D8A3

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 807a84c614857b88e6f93799d526cbe660ccb722930e498f2f4b618200cfe434
Instruction ID: b00a0da656a3d6cc484f3af0b72ec70ed2e2e895f80d48b1caa8930466c5143c
Opcode Fuzzy Hash: 807a84c614857b88e6f93799d526cbe660ccb722930e498f2f4b618200cfe434
Instruction Fuzzy Hash: 73E012B8811300EFCB90AFA4D808A6DBBB1BB08310F11A048F80AE7360CB385901AF60

Function 00D24D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D24ED4

Strings

*, xrefs: 00D24E10
LPT, xrefs: 00D24DFB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c679174902ffed2145d7db3383d8331ce605ec9c1be4710fee79989d6b4efabb
Instruction ID: 4f7da457c2b8ec2750c4249d0e0f6f314c30e6e5662f28ff1435ec12e92c93ce
Opcode Fuzzy Hash: c679174902ffed2145d7db3383d8331ce605ec9c1be4710fee79989d6b4efabb
Instruction Fuzzy Hash: C6918275A002149FDB14DF58D584EAABBF1BF94308F198099F84A9F362D731ED85CBA0

Function 00CDE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CDE30D

Strings

pow, xrefs: 00CDE2E5, 00CDE302

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1577f7cfa55f03d081a76b0058d075e7f4208c1673107663aa75ea3a71035aae
Instruction ID: f5396079c769926e62dac47be844b2f7ab9ede2097d3e528b625dc158f1daccc
Opcode Fuzzy Hash: 1577f7cfa55f03d081a76b0058d075e7f4208c1673107663aa75ea3a71035aae
Instruction Fuzzy Hash: 75518F61A0C34296CB157716CD0137A3BA8DF40741F304B9AE5F58B3F8EB348E85AA46

Function 00CCE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CCE1B1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dc3adf61ed61e318ef930bca995d6c7bb57047c7558a7a6accc2d1f53659710f
Instruction ID: 266eebd385c33b4ba1eae1cff37d489430c2e0e8076587d8008cf6f5e60ce40b
Opcode Fuzzy Hash: dc3adf61ed61e318ef930bca995d6c7bb57047c7558a7a6accc2d1f53659710f
Instruction Fuzzy Hash: FB514435A00346DFDB24DF68C081BFA7BA8EF96310F288419E8959B2D0D7349D42DBB0

Function 00CCF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CCF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CCF2BB

Strings

@, xrefs: 00CCF2AF

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b2bb6e38c0e8f15a2d5a8e0133fcf2e98e83c49a632af28a7fdbc6ad8c533180
Instruction ID: 9cd5931bab5a97ad9ee40c52ae0853e136f04a36bc7e7eb736b8963efe11a0c1
Opcode Fuzzy Hash: b2bb6e38c0e8f15a2d5a8e0133fcf2e98e83c49a632af28a7fdbc6ad8c533180
Instruction Fuzzy Hash: C35145714087449BD320AF54EC86BABBBF8FB84300F81885DF5D9812A5EB708529CB66

Function 00D35745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D357E0
_wcslen.LIBCMT ref: 00D357EC

Strings

CALLARGARRAY, xrefs: 00D357E6, 00D357EB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 474a604728b6a9bbe9f109ba720b973ff62ab372548048ec72ab579e237d4752
Instruction ID: 948533c42db4b7258c38ae93744cfb54fad036a5ba1faf0608e8535d6011e2d3
Opcode Fuzzy Hash: 474a604728b6a9bbe9f109ba720b973ff62ab372548048ec72ab579e237d4752
Instruction Fuzzy Hash: 32418C71A002099FCB14DFA9D8829EEBBB5EF59320F244069E505A7295EB309D81DBB0

Function 00D2D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D2D13A

Strings

|, xrefs: 00D2D10B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: abf7defbc0bf3b459fb2f70a81647a91c93856a9f74c9565c8a3b4ef857c606f
Instruction ID: 0f6b3e362e586ae798b657ea154405c32b3e646654751a99de5564b9a354e478
Opcode Fuzzy Hash: abf7defbc0bf3b459fb2f70a81647a91c93856a9f74c9565c8a3b4ef857c606f
Instruction Fuzzy Hash: FF313071D00219AFCF15EFA4DC85AEE7FBAFF14304F100019F915A61A5D735A916DB60

Function 00D4356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D43621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D4365C

Strings

static, xrefs: 00D435BC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5e7483497555fff96a08fa9aa9ba47e187cb7145d90922024b941ce2317c3edd
Instruction ID: 813ce2e6d21081a52c9fccf4adb2f38dc36eca036919dddfb605c647672aed5e
Opcode Fuzzy Hash: 5e7483497555fff96a08fa9aa9ba47e187cb7145d90922024b941ce2317c3edd
Instruction Fuzzy Hash: 1E318971110204AFDB209F68DC81EFB73A9FF88760F159619F8A5D7290DA30AD91DB70

Function 00D44537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D4461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D44634

Strings

', xrefs: 00D4458E

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 75db0521fc92b2380e871969b6214bd83669efce4d020124e253d38d9c190146
Instruction ID: a4afbb8708c9c620d9e312276a226ca6a8ce1364a2fa3a4bb6bf0b2fc6df4617
Opcode Fuzzy Hash: 75db0521fc92b2380e871969b6214bd83669efce4d020124e253d38d9c190146
Instruction Fuzzy Hash: 31310774A013099FDF14CFA9C991BDABBB5FF49300F15406AE905AB391D770A981CFA0

Function 00D431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D4327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D43287

Strings

Combobox, xrefs: 00D43249

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 968485c69f2600c15c8d6fbd0988793e79eb2382a4e3038c95c8c5cae97bc47d
Instruction ID: 97bf74bf76d78feaea2d3f3f31d7ce68af03c51874a7f62ecefdf4a7ec901222
Opcode Fuzzy Hash: 968485c69f2600c15c8d6fbd0988793e79eb2382a4e3038c95c8c5cae97bc47d
Instruction Fuzzy Hash: BE11B2713002087FFF259F58DCC1EBB376AEB943A4F144125F91897290D6B19D519774

Function 00D43710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
Part of subcall function 00CB600E: GetStockObject.GDI32(00000011), ref: 00CB6060
Part of subcall function 00CB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

GetWindowRect.USER32(00000000,?), ref: 00D4377A
GetSysColor.USER32(00000012), ref: 00D43794

Strings

static, xrefs: 00D43757

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 165208e8b2a60154eb4c6fbb81407ccf0c5a128b895ce378500d6ca540d6f1d1
Instruction ID: d287596be01973a9c310a0052b63e041672f8df1064a346f4de83ba35e8364d4
Opcode Fuzzy Hash: 165208e8b2a60154eb4c6fbb81407ccf0c5a128b895ce378500d6ca540d6f1d1
Instruction Fuzzy Hash: D21126B2620209AFDF00DFA8CC46AEA7BB8EB09354F015915F995E2250E775E8519B60

Function 00D2CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D2CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D2CDA6

Strings

<local>, xrefs: 00D2CD66

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9ad9c21deba0db392846eb03088b6b40f347f6bf0b473f7dea134e8cdde723c1
Instruction ID: d3bfa8f0c0d9ab7512de17215fbb0138a194e4be3b4f60c06221050aac5f387f
Opcode Fuzzy Hash: 9ad9c21deba0db392846eb03088b6b40f347f6bf0b473f7dea134e8cdde723c1
Instruction Fuzzy Hash: 6711C6752256317AD7344B669C45EEBBE6CEF227A8F005226B14983180D7749C45D6F0

Function 00D43429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D434BA

Strings

edit, xrefs: 00D4348F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 86260e6553f8855a0e93f8b1f311763c6b801c568920f14f857ac1f93b4b25f1
Instruction ID: 4f654776bb96b31a533681a8012952a670391c8e43aa6a311345030b38ab07d6
Opcode Fuzzy Hash: 86260e6553f8855a0e93f8b1f311763c6b801c568920f14f857ac1f93b4b25f1
Instruction Fuzzy Hash: F3118C71210208AFEB129E68DC44AEB376AEB15374F544324F969E32E0C775DD519B70

Function 00D16C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D16CB6
_wcslen.LIBCMT ref: 00D16CC2

Strings

STOP, xrefs: 00D16CBC, 00D16CC1

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2d30db6b2fce71a4d493c8ad259079426910f50826690a04a2d9089bf238e02b
Instruction ID: 1fb2a4451a909df1ddbb2f96f2f0bb9299f7834de4b8b76349e526b8a4f59a68
Opcode Fuzzy Hash: 2d30db6b2fce71a4d493c8ad259079426910f50826690a04a2d9089bf238e02b
Instruction Fuzzy Hash: 5801C432610526ABCB209FFDFC809FF7BA5EB61710B540524E95296294EF31D980C6B0

Function 00D11CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D11D4C

Strings

ListBox, xrefs: 00D11D16
ComboBox, xrefs: 00D11CEB

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7a06b307e5cac6251cb2f8948bc440124a1e47365505ca0d8f2e2aeeaf0d0bb1
Instruction ID: 678c60f0401de7eef64c962fdca723caf30a801caab808fe062edfd4179945cc
Opcode Fuzzy Hash: 7a06b307e5cac6251cb2f8948bc440124a1e47365505ca0d8f2e2aeeaf0d0bb1
Instruction Fuzzy Hash: 98012479601218BB8B08EBA0EC51DFE77A8EB02350F140609F972673C1EE319948D670

Function 00D11BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D11C46

Strings

ListBox, xrefs: 00D11C10
ComboBox, xrefs: 00D11BE5

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 532df29c936899d39b188cffae29729ae12433f4393114fe1f5bde968bb16856
Instruction ID: 833da89c424124d7c345f1ff55978d9669113c59f63a2a73a38f728153a4fe72
Opcode Fuzzy Hash: 532df29c936899d39b188cffae29729ae12433f4393114fe1f5bde968bb16856
Instruction Fuzzy Hash: 9501A7797811087BCB04EB90E951AFFB7A9DB12340F140019AA16672C1EE619E4C96F1

Function 00D11C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D11CC8

Strings

ListBox, xrefs: 00D11C94
ComboBox, xrefs: 00D11C69

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 44e07ceea76de9e269092a186cffacf4ac374eacee9388144a64665b5f76b43e
Instruction ID: 7056a6c5b0d638b8ccf3c18ef3a250fdaa857335af324b464f422c88972ffd0d
Opcode Fuzzy Hash: 44e07ceea76de9e269092a186cffacf4ac374eacee9388144a64665b5f76b43e
Instruction Fuzzy Hash: E501A2797811187BCF04EBA1EA41AFEB7A9DB12340F140015BA0673281EE619F4896F2

Function 00D11D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00D11DD3

Strings

ListBox, xrefs: 00D11DA0
ComboBox, xrefs: 00D11D75

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e76d63bf31cb693284c6224f24982272499851795a71cd3f75757612e663fbee
Instruction ID: 2a411bcd7442ec67b1d65ff9bb5ffa92289ec8e1c36af2b83b243625be6d4d9f
Opcode Fuzzy Hash: e76d63bf31cb693284c6224f24982272499851795a71cd3f75757612e663fbee
Instruction Fuzzy Hash: 62F0A475B412187BDB04E7A4FC92BFE7768EB02350F140919BA66632C1EE71994C92B1

Function 00D3747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D37493
_wcslen.LIBCMT ref: 00D374B9

Strings

3, 3, 16, 1, xrefs: 00D37483

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8423126a4ce7589ff821ea3ec449b42bee820964ca51f75f7ef07dae67cda4ea
Instruction ID: 353e0c658da55e1ec1c669aee4aa2bfddc66dbb6e0f5f9a71bb8818db494d3c3
Opcode Fuzzy Hash: 8423126a4ce7589ff821ea3ec449b42bee820964ca51f75f7ef07dae67cda4ea
Instruction Fuzzy Hash: 0EE02B42204B20219235137ADCC197F568DCFCA750B14182BFB85C2366FAE49D91A3B0

Function 00D10B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D10B23

Strings

AutoIt, xrefs: 00D10B17
Error allocating memory., xrefs: 00D10B1C

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ee118ffd568e4bae72198d48ce7593709921894a8216efc038be7c290eca3d95
Instruction ID: 64942364531b0a28f824635443bf7fedbee1f66eeb6ff6952e4428927f03172f
Opcode Fuzzy Hash: ee118ffd568e4bae72198d48ce7593709921894a8216efc038be7c290eca3d95
Instruction Fuzzy Hash: A7E0D8312853183BD2143B94BC03FC97B848F05B11F10442EF748955C38EE124901AF9

Function 00CD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CD0D71,?,?,?,00CB100A), ref: 00CCF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CB100A), ref: 00CD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CB100A), ref: 00CD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CD0D7F

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2b927400aadb4e8672b1585c4c9349d14184623f58b6ed971e3424d4d1c73b51
Instruction ID: 8909aa543e51bf730e9f62e47b94b77e3ada25af9c1ae0d8b77b202b0e599384
Opcode Fuzzy Hash: 2b927400aadb4e8672b1585c4c9349d14184623f58b6ed971e3424d4d1c73b51
Instruction Fuzzy Hash: E3E06D742007118BD3609FBCE4487427BE5AB04741F10492EE482C6761DBF0E4488BB1

Function 00D23017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D2302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D23044

Strings

aut, xrefs: 00D23038

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 72cfdcb96fcbca9ec8269996ab71a0d24addea9f3454d61e762e975bf6a028a8
Instruction ID: ab1089aee7aa44566b02459618f8f3a9e73a5b3523dd383210196c2c014743c3
Opcode Fuzzy Hash: 72cfdcb96fcbca9ec8269996ab71a0d24addea9f3454d61e762e975bf6a028a8
Instruction Fuzzy Hash: 17D05B7550132467DA6097949C4DFC73A6CD706750F0001517655E2191EAF0D544CAE4

Function 00D0D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D0D220

Strings

X64, xrefs: 00D0D2A8
%.3d, xrefs: 00D0D22B

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3624a9aafb9cbe915bee6789eaa209bd41f6e1fc37696e1a49b913a1d62d2e25
Instruction ID: 11f8dc4a15803fc06d1a83173669f395aa5c1660544d126933924caf094cee91
Opcode Fuzzy Hash: 3624a9aafb9cbe915bee6789eaa209bd41f6e1fc37696e1a49b913a1d62d2e25
Instruction Fuzzy Hash: D9D01261809218FACB909BF0CC85EB9B37DAB09301F508467F84ED1080E774C5086B79

Function 00D42356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4236C
PostMessageW.USER32(00000000), ref: 00D42373

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Strings

Shell_TrayWnd, xrefs: 00D42365

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c9a84c936c4148b0a4c2737105fc7d7e4b5b73d6fb57031d5fc7d7fc9f9d07c0
Instruction ID: 5eff1c076a2dbe578206acf238a8fb92f1e67249da7c3d4e8270689db0951973
Opcode Fuzzy Hash: c9a84c936c4148b0a4c2737105fc7d7e4b5b73d6fb57031d5fc7d7fc9f9d07c0
Instruction Fuzzy Hash: 68D0A9363923107BE2A8AB30AC0FFCA66149B01B00F0089027706EA2E0D8A0A8048A34

Function 00D42322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D4233F

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Strings

Shell_TrayWnd, xrefs: 00D42325

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f91155498deec0016825f7aed03b0d0d15268c57fe54cd2e9d514d492386556
Instruction ID: b22c4d66bced1f7d3091b3f818b6e9dd9d4d1cf72ef2b18dd339a92be8bbdb9f
Opcode Fuzzy Hash: 0f91155498deec0016825f7aed03b0d0d15268c57fe54cd2e9d514d492386556
Instruction Fuzzy Hash: 76D0233539131077D1A4B730DC0FFC676149B00B00F0045017705D51D0D8F0A404CE30

Function 00CEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CEBE93
GetLastError.KERNEL32 ref: 00CEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CEBEFC

Memory Dump Source

Source File: 00000000.00000002.2066898876.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2066868766.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067021841.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067131996.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067159422.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 22cd09d92aaaf64c8e58c3491b1639e1a638e1c44b0c2f4ab7477d4b8fc40564
Instruction ID: 48806315450142e08e35c75ac8ce49c00fbf5af61138339919172172b49cb30a
Opcode Fuzzy Hash: 22cd09d92aaaf64c8e58c3491b1639e1a638e1c44b0c2f4ab7477d4b8fc40564
Instruction Fuzzy Hash: EF41EA39605286AFCF21CFE6CD54BBB7BA5EF41310F144169F969972A1DB308E01DB60

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:61977
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:61987

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2231300998.000001EC21FD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2146413757.000001EC2D3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218714212.000001EC2D3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2181842432.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080245081.000001EC2BD7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079487571.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2181842432.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080245081.000001EC2BD7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177211412.000001EC2CF36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2234157474.000001EC21276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2146413757.000001EC2D3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218714212.000001EC2D3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2072819051.000001EC25467000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: FirefoxSpecificPropertiesmain/nimbus-desktop-experimentsUpdateSessionStoreForStorage1tog0cdkasggly29o8xqc6p37https://www.facebook.com/getFailedCertSecurityInfohttps://www.aliexpress.com/https://www.amazon.co.uk/main/nimbus-desktop-experimentsSSF_updateSessionStoreForStorage equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2230774870.000001EC238BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2230774870.000001EC238BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2072819051.000001EC25467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181842432.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080245081.000001EC2BD7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2181842432.000001EC2C0EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080245081.000001EC2BD7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177211412.000001EC2CF36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2208650773.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194108870.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2208650773.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194108870.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2208650773.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194108870.000001EC268E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209236942.000001EC2659D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2249926233.000001EC2E385000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251502686.000001EC2E387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218346290.000001EC2E373000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2146413757.000001EC2D3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218714212.000001EC2D3C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214643404.000001EC256F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2249926233.000001EC2E385000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251502686.000001EC2E387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218346290.000001EC2E373000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2225668828.000001EC2CE1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204648877.000001EC2CE1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177706531.000001EC2CE1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:61991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:61990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:62000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:62003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:62149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:62150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:62202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:62203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:62204 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61989
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62079
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 62203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61998
Source: unknown	Network traffic detected: HTTP traffic on port 62149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62201
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 62202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 62003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62150
Source: unknown	Network traffic detected: HTTP traffic on port 61999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62149
Source: unknown	Network traffic detected: HTTP traffic on port 62204 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ffa8f561-18f3-44bd-a9af-c40ba0c5e726.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ffa8f561-18f3-44bd-a9af-c40ba0c5e726.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOBQC65LJTGZRLJO4IY1.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLZ5OF36MC0P5JN95I8D.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre