Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560590
MD5:	6b3d1eb532fa79ec626ec1ad68c41252
SHA1:	bec92edb036c8c9988509ae24bded9f4c81d07e9
SHA256:	f64770795eee93eab120ba022b91b720afc576b9de57c42068525ce2a42f3560
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5332 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6B3D1EB532FA79EC626EC1AD68C41252)

taskkill.exe (PID: 6092 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6692 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6612 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4760 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 940 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5492 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3340 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4524 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3200 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2100 -prefMapHandle 2084 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e5bb71-6041-43a7-abb5-053bc12383cc} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27862b6ff10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7652 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fef102d-ba7c-4de9-9a94-ab3664557bbb} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27873747e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb23677d-f1f7-486e-8b2a-11b76b8bf989} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 278748d9710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5332	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0076EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0076ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0075AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00789576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00789576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2130676846.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a327cb51-a
Source: file.exe, 00000000.00000000.2130676846.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6f815ac1-a
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c59a277c-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d09b7d3f-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D48437 NtQuerySystemInformation,		17_2_0000020656D48437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D676B2 NtQuerySystemInformation,		17_2_0000020656D676B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0075D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0075E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FBF40	0_2_006FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F8060	0_2_006F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00762046	0_2_00762046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00758298	0_2_00758298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072E4FF	0_2_0072E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072676B	0_2_0072676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00784873	0_2_00784873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FCAF0	0_2_006FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CAA0	0_2_0071CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070CC39	0_2_0070CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00726DD9	0_2_00726DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070B119	0_2_0070B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F91C0	0_2_006F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711394	0_2_00711394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711706	0_2_00711706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071781B	0_2_0071781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070997D	0_2_0070997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F7920	0_2_006F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007119B0	0_2_007119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717A4A	0_2_00717A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711C77	0_2_00711C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717CA7	0_2_00717CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077BE44	0_2_0077BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729EEE	0_2_00729EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711F32	0_2_00711F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D48437	17_2_0000020656D48437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D676B2	17_2_0000020656D676B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D67DDC	17_2_0000020656D67DDC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020656D676F2	17_2_0000020656D676F2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00710A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006F9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0070F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007637B5 GetLastError,FormatMessageW,

0_2_007637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007510BF AdjustTokenPrivileges,CloseHandle,		0_2_007510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0075D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0076648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314332299.000002787E5F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2316045909.000002787A997000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362351390.000002787DFD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2100 -prefMapHandle 2084 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e5bb71-6041-43a7-abb5-053bc12383cc} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27862b6ff10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fef102d-ba7c-4de9-9a94-ab3664557bbb} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27873747e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb23677d-f1f7-486e-8b2a-11b76b8bf989} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 278748d9710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2100 -prefMapHandle 2084 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e5bb71-6041-43a7-abb5-053bc12383cc} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27862b6ff10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fef102d-ba7c-4de9-9a94-ab3664557bbb} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27873747e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb23677d-f1f7-486e-8b2a-11b76b8bf989} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 278748d9710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2234817055.000002787EFA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2271320237.00000278728C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2270555515.00000278728BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2271320237.00000278728C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2271015553.00000278728BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2270555515.00000278728BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2234817055.000002787EFA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2271015553.00000278728BD000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710A76 push ecx; ret

0_2_00710A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0070F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00781C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00781C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96149

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000020656D48437 rdtsc

17_2_0000020656D48437

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0075DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072C2A2 FindFirstFileExW,	0_2_0072C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007668EE FindFirstFileW,FindClose,	0_2_007668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0076698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00769642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0076979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00769B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00765C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00765C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: firefox.exe, 00000010.00000002.3389431883.0000021931C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: firefox.exe, 00000011.00000002.3387185234.0000020656AA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: firefox.exe, 00000011.00000002.3387185234.0000020656AA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: firefox.exe, 00000011.00000002.3383458668.00000206563AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpd
Source: firefox.exe, 00000010.00000002.3383816648.000002193157A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp%
Source: firefox.exe, 00000010.00000002.3389431883.0000021931C00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3387185234.0000020656AA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388104749.000001E4BB900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3388651825.0000021931B1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3383624474.000001E4BB58A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`M
Source: firefox.exe, 00000010.00000002.3389431883.0000021931C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: firefox.exe, 00000010.00000002.3389431883.0000021931C00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3387185234.0000020656AA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000020656D48437 rdtsc

17_2_0000020656D48437

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076EAA2 BlockInput,

0_2_0076EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00722622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00714CE8 mov eax, dword ptr fs:[00000030h]

0_2_00714CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00750B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00750B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00722622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0071083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007109D5 SetUnhandledExceptionFilter,	0_2_007109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00710C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00710C21

Source: C:\Users\user\Desktop\file.exe

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00732BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00732BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075B226 SendInput,keybd_event,

0_2_0075B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00750B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00751663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2247931153.000002787EFA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710698 cpuid

0_2_00710698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00768195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00768195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074D27A GetUserNameW,

0_2_0074D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0072B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5332, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5332, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00771204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00771806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	33%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl3.digiS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	216.58.208.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3385096888.000001E4BB8C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2233067443.000002787EC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344905770.00000278758A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334969837.00000278750FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2198612268.000002787AA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200062930.000002787AA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293367906.000002787AA39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3385315829.00000219319EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.00000206565E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388315118.000001E4BBA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3383977149.0000020656586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3385096888.000001E4BB88F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2348684631.00000278743ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203383418.0000027874167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354706265.00000278743ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2315748321.000002787A9F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2356525957.00000278726AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2315158478.000002787AB73000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2393473782.0000027873870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352256814.0000027873859000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349090459.00000278740D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341424905.0000027874C96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358346579.0000027873859000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2314928871.000002787DF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362387599.000002787DFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2203383418.0000027874167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316045909.000002787A997000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2353603605.000002787344F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2180441977.000002787006F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179614786.000002787001D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179421725.0000027872A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296460675.0000027874AFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180559871.000002787008A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179827877.0000027870038000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180088017.0000027870053000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2356803364.0000027872674000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2325771665.0000027876489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2180441977.000002787006F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179614786.000002787001D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179421725.0000027872A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179827877.0000027870038000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180088017.0000027870053000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2205802209.00000278747EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2386361787.000002787CF98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356968967.00000278725CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2386778162.000002787A957000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2201660008.000002787AB8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2356525957.00000278726EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2353603605.000002787344F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2401943305.000002786EA7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2201660008.000002787AB8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.0000020656503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3385096888.000001E4BB80C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2219936817.0000027873E67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2390796495.000002787442C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl3.digiS	firefox.exe, 0000000E.00000003.2238441779.000002787288D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2348684631.00000278743ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354706265.00000278743ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2362509064.000002787DF39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3385096888.000001E4BB8C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2325477088.00000278776A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344419011.00000278776B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2219936817.0000027873E67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2284393981.0000027874990000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2364724874.00000278758D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208490594.00000278744F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2349090459.00000278740D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341424905.0000027874C96000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2344861868.00000278758AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3385315829.00000219319EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.00000206565E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388315118.000001E4BBA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3385315829.00000219319EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.00000206565E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388315118.000001E4BBA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2353603605.000002787344F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387001378.0000027877680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.0000020656512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3385096888.000001E4BB813000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2348684631.00000278743ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354706265.00000278743ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3384502263.000001E4BB760000.00000004.00000020.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2316045909.000002787A997000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2363890472.000002787AB7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315158478.000002787AB7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2356525957.00000278726C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2401801985.000002786E3D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343191522.00000278730DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284393981.0000027874997000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188410427.00000278730D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307207522.0000027874E82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344071142.000002787A9D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319176745.0000027870061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203877517.00000278723E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287315818.0000027874DD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331008604.0000027876441000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201975588.0000027875531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297604147.0000027873EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343473857.00000278730D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2394112608.00000278737B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355607378.0000027873146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331332509.0000027876418000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315681370.000002787AB19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323335929.0000027874A9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324298657.000002787EA95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311818792.0000027874DEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2393793656.00000278737F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2325771665.0000027876489000.00000004.00000800.00020000.00000000.sdmp	false		high
http://youtube.com/	firefox.exe, 0000000E.00000003.2315158478.000002787AB77000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2325771665.0000027876489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.2205802209.00000278747EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2386700677.000002787A9AE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2315681370.000002787AB19000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2315681370.000002787AB19000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2363890472.000002787AB7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315158478.000002787AB7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2198612268.000002787AA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200062930.000002787AA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293367906.000002787AA39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2203383418.0000027874167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2393473782.0000027873877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352256814.0000027873877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358346579.0000027873877000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2353603605.000002787344F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2356525957.00000278726C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2219936817.0000027873E67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2387710679.0000027875134000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334441959.0000027875130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3384939098.0000021931710000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3387658602.0000020656BC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384833868.000001E4BB770000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2365371276.00000278755D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204924488.00000278755CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201975588.00000278755CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332640429.00000278755CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2219936817.0000027873E67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219851905.0000027873E79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2401943305.000002786EA7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356525957.00000278726C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2362509064.000002787DF39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF38000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560590
Start date and time:	2024-11-22 01:01:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@66/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.80.238.59, 35.164.125.63, 52.12.64.98, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.74, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 4524 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:02:18	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Invoice_Billing_carolinadunesbh.com_6995261057.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://t.ly/YSjhI	Get hash	malicious	Unknown	Browse	151.101.0.176
	https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	[EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
ATGS-MMD-ASUS	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.22.186.122
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_62509f46-f36d-43f4-b484-92eecbcf07b2.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1757814651972565
Encrypted:	false
SSDEEP:	192:NKMXScHcbhbVbTbfbRbObtbyEl7nwrqJA6wnSrDtTkd/SrS:NP7cNhnzFSJQr5jnSrDhkd/v
MD5:	52C2FE093DE9111061B3F3ADBBE4AF53
SHA1:	4264DCA2D6862F01486ED603A9A58065291C7DE7
SHA-256:	F42371E57D7CE65484FC5A633FE2C2DEA8447A5F11E4F5F8BCBB1E221F42BB2F
SHA-512:	C7945A81699EC20941CE49271B8625C9BBAC48CF7C4EF64EB65E778AEDA08EE22D424E481B646D6E8DD604153A7F66CDC8FB09BE396DD309E0D7C958EFE593C7
Malicious:	false
Preview:	{"type":"uninstall","id":"62509f46-f36d-43f4-b484-92eecbcf07b2","creationDate":"2024-11-22T01:44:46.717Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_62509f46-f36d-43f4-b484-92eecbcf07b2.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1757814651972565
Encrypted:	false
SSDEEP:	192:NKMXScHcbhbVbTbfbRbObtbyEl7nwrqJA6wnSrDtTkd/SrS:NP7cNhnzFSJQr5jnSrDhkd/v
MD5:	52C2FE093DE9111061B3F3ADBBE4AF53
SHA1:	4264DCA2D6862F01486ED603A9A58065291C7DE7
SHA-256:	F42371E57D7CE65484FC5A633FE2C2DEA8447A5F11E4F5F8BCBB1E221F42BB2F
SHA-512:	C7945A81699EC20941CE49271B8625C9BBAC48CF7C4EF64EB65E778AEDA08EE22D424E481B646D6E8DD604153A7F66CDC8FB09BE396DD309E0D7C958EFE593C7
Malicious:	false
Preview:	{"type":"uninstall","id":"62509f46-f36d-43f4-b484-92eecbcf07b2","creationDate":"2024-11-22T01:44:46.717Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926781851111989
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN/c9E3xE:8S+OVPUFRbOdwNIOdYpjvY1Q6LUci38P
MD5:	367EFB446209EA40C6FC8E7D443EF39B
SHA1:	57308D57B037C69C38F50B43AA1EFA2D610962FE
SHA-256:	A9E5C5816A7314CB172954B56562973419D653BB3C7C0B52EBB1085CAC64E70E
SHA-512:	3EAD37139617F704E7FE4B8FCB5EE9F6083018D5862C6F6734A39C7EA20DA41B66047472092AEE0D9F87839F350C2D6CDA6724B6741E3D864AE767817CCE5B8A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926781851111989
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN/c9E3xE:8S+OVPUFRbOdwNIOdYpjvY1Q6LUci38P
MD5:	367EFB446209EA40C6FC8E7D443EF39B
SHA1:	57308D57B037C69C38F50B43AA1EFA2D610962FE
SHA-256:	A9E5C5816A7314CB172954B56562973419D653BB3C7C0B52EBB1085CAC64E70E
SHA-512:	3EAD37139617F704E7FE4B8FCB5EE9F6083018D5862C6F6734A39C7EA20DA41B66047472092AEE0D9F87839F350C2D6CDA6724B6741E3D864AE767817CCE5B8A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329687659153097
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiW:DLhesh7Owd4+jiW
MD5:	A0BAE5F77426C6A56F44DF5FD3503C31
SHA1:	5B35D207DD78F87C6D17A1A7AC776056F872DB64
SHA-256:	E40C9660E0377DFC6CDA62E496F8362C5CDC19BF1049B0CD7236187D6126946A
SHA-512:	2E6185557CCCAF4448F6F288A88EA133C6FE96D6832D7D287D9CCA7EA350EDC9E9D9A582D627A48898133DB20F66BA409F52E627569B909EFE43A434F36E507B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstF5Jb1vAAJPoI/ltlstF5Jb1vAAJPilx89//alEl:GtWt9aA+IltWt9aAElx89XuM
MD5:	47BC279CDFD82B7FE415378CCAB00BB8
SHA1:	9155D588CD2071DC2F528C80C9B1AFC57E356CEA
SHA-256:	08923F0F09D6E6317444BE36F22584A466685AE9881F7C3BC6BA7FD61239DBE7
SHA-512:	5BBBAE14F1555E54F176158F614F8B57EEA62A3E7B6BFCE791D7D28FC25E9CBE3617345DB427D6A8B6B147C980EA3E55BA5EFAAB0ACEB3AF88B4D033295D89B5
Malicious:	false
Preview:	..-.......................F+.l.=..-Jw.g.....S,...-.......................F+.l.=..-Jw.g.....S,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03985125915697673
Encrypted:	false
SSDEEP:	3:Ol1WsRyg7lyFOKNr5Jniwl8rEXsxdwhml8XW3R2:KAsRyqWOKJ5Mwl8dMhm93w
MD5:	C6D2C0DAF5F98741DFD31ADD078B40AF
SHA1:	071F495DA338D87942ECAC0DAF4640B1FAB04C80
SHA-256:	804174B1940DBA30A59C9CFDF4190D7D2F3270651CB828FC48E920B264512CC3
SHA-512:	877B91C65DDC8F10F6AED35A3399A6FA2CC4736D353BD2A53339379EECD3C58766E6654B5580CA54375E77AF5B67A29B106B635CA71FC6F5AFEAEAD72313CBAF
Malicious:	false
Preview:	7....-............-Jw.g.......W...........-Jw.g.+F..=.l.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477991345645358
Encrypted:	false
SSDEEP:	192:unPOeRnLYbBp6OJ0aX+96SEXK1xNUMT5RHWNBw8dYSl:EDeXJUk87fHEwL0
MD5:	908A14DC6F78636884312C6D9FF61E51
SHA1:	E188D056FC7A01F45C2DEFAD7A22F4855980625D
SHA-256:	ACB73F58865529F5A8CFEA41CCCD344C0F436C3B2BB30D2E4140D7EE7D00BE1E
SHA-512:	37878A7B578499066D70D98031A2BF5FE7009249449EDBFEFCED9AE807C8452907064CEC8EF39F9343330BFEA38578652F20C3A5765DFC30409BD92FA7650E53
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732239856);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732239856);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732239856);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173223

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477991345645358
Encrypted:	false
SSDEEP:	192:unPOeRnLYbBp6OJ0aX+96SEXK1xNUMT5RHWNBw8dYSl:EDeXJUk87fHEwL0
MD5:	908A14DC6F78636884312C6D9FF61E51
SHA1:	E188D056FC7A01F45C2DEFAD7A22F4855980625D
SHA-256:	ACB73F58865529F5A8CFEA41CCCD344C0F436C3B2BB30D2E4140D7EE7D00BE1E
SHA-512:	37878A7B578499066D70D98031A2BF5FE7009249449EDBFEFCED9AE807C8452907064CEC8EF39F9343330BFEA38578652F20C3A5765DFC30409BD92FA7650E53
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732239856);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732239856);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732239856);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173223

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\e0ee2e79-1980-416d-9b92-1fbde7f4b565 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.952028483166179
Encrypted:	false
SSDEEP:	12:YZFgtfi01IVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YwbSlCOlZGV1AQIWZcy6ZXvx
MD5:	6CA87D959D20F3EC2CF014FE54D8439B
SHA1:	2E4C4AAF204CED3EA17F4A58CBAD3F2802A15C07
SHA-256:	0B271A0BB7554715194C87D3D2A00CE5F87CEF4C492914CAFE8855B355C57CCF
SHA-512:	BF904599EB9E499F3428E0FCAE748BA85BA1C554F2ED3FCE404EF030992ADA4B441DF3113C62F03AE0664F277A5F3AF5FB21D298CEEDECE49C4096355E28C553
Malicious:	false
Preview:	{"type":"health","id":"e0ee2e79-1980-416d-9b92-1fbde7f4b565","creationDate":"2024-11-22T01:44:47.986Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\e0ee2e79-1980-416d-9b92-1fbde7f4b565.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.952028483166179
Encrypted:	false
SSDEEP:	12:YZFgtfi01IVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YwbSlCOlZGV1AQIWZcy6ZXvx
MD5:	6CA87D959D20F3EC2CF014FE54D8439B
SHA1:	2E4C4AAF204CED3EA17F4A58CBAD3F2802A15C07
SHA-256:	0B271A0BB7554715194C87D3D2A00CE5F87CEF4C492914CAFE8855B355C57CCF
SHA-512:	BF904599EB9E499F3428E0FCAE748BA85BA1C554F2ED3FCE404EF030992ADA4B441DF3113C62F03AE0664F277A5F3AF5FB21D298CEEDECE49C4096355E28C553
Malicious:	false
Preview:	{"type":"health","id":"e0ee2e79-1980-416d-9b92-1fbde7f4b565","creationDate":"2024-11-22T01:44:47.986Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.342822639600122
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSiLXnIrKI/pnxQwRcrT5sKmgbB3eHVpjO+xamhujJwO2c0TiVm0BtC:GUpOxL2nRchegl3erjxx4Jwc3zBtC
MD5:	DC1AD651FC8DC8AB009626A37BBA4190
SHA1:	3519BAF9F701E035B632B2B0603BFE6FACCC607A
SHA-256:	F60F02022914C43DBF6F7561F6B4516D286977E90BBE69CE753E8E3E9185C3FE
SHA-512:	C202D110D5730A821EB2E6A80A08499441BC3DE0C34744DA993D7A2EA4109650731B52097F04F778614D36007F7DC4CBB1ABD70BB5B8C2FB443BEEEDFB532692
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e4e697ec-9336-494c-a71f-9c1135bbb03d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732239861024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..A2638...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...30613,"originA...."firstP

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.342822639600122
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSiLXnIrKI/pnxQwRcrT5sKmgbB3eHVpjO+xamhujJwO2c0TiVm0BtC:GUpOxL2nRchegl3erjxx4Jwc3zBtC
MD5:	DC1AD651FC8DC8AB009626A37BBA4190
SHA1:	3519BAF9F701E035B632B2B0603BFE6FACCC607A
SHA-256:	F60F02022914C43DBF6F7561F6B4516D286977E90BBE69CE753E8E3E9185C3FE
SHA-512:	C202D110D5730A821EB2E6A80A08499441BC3DE0C34744DA993D7A2EA4109650731B52097F04F778614D36007F7DC4CBB1ABD70BB5B8C2FB443BEEEDFB532692
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e4e697ec-9336-494c-a71f-9c1135bbb03d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732239861024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..A2638...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...30613,"originA...."firstP

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.342822639600122
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSiLXnIrKI/pnxQwRcrT5sKmgbB3eHVpjO+xamhujJwO2c0TiVm0BtC:GUpOxL2nRchegl3erjxx4Jwc3zBtC
MD5:	DC1AD651FC8DC8AB009626A37BBA4190
SHA1:	3519BAF9F701E035B632B2B0603BFE6FACCC607A
SHA-256:	F60F02022914C43DBF6F7561F6B4516D286977E90BBE69CE753E8E3E9185C3FE
SHA-512:	C202D110D5730A821EB2E6A80A08499441BC3DE0C34744DA993D7A2EA4109650731B52097F04F778614D36007F7DC4CBB1ABD70BB5B8C2FB443BEEEDFB532692
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e4e697ec-9336-494c-a71f-9c1135bbb03d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732239861024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..A2638...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...30613,"originA...."firstP

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028279667839608
Encrypted:	false
SSDEEP:	96:ycnMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:WTEr5NX0z3DhRe
MD5:	74AC2B9E64A9E8A18D67E4D619FF9F63
SHA1:	21E00E6B65B90C795E1B20F25E00C2CB63D35C71
SHA-256:	19A6846FE19F9EAF4FD37B51B99DD8861C21243CAD5D9C303F4E23F495A3D3DA
SHA-512:	7487699E13B875B535B24DD8217B71737703900B71422552A6C3EA61F1AC0FCEAE7B0663D8A544B27187F8DDA4A42E3AEFAD4962F13D082716AE5C0344546F21
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-22T01:44:00.342Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028279667839608
Encrypted:	false
SSDEEP:	96:ycnMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:WTEr5NX0z3DhRe
MD5:	74AC2B9E64A9E8A18D67E4D619FF9F63
SHA1:	21E00E6B65B90C795E1B20F25E00C2CB63D35C71
SHA-256:	19A6846FE19F9EAF4FD37B51B99DD8861C21243CAD5D9C303F4E23F495A3D3DA
SHA-512:	7487699E13B875B535B24DD8217B71737703900B71422552A6C3EA61F1AC0FCEAE7B0663D8A544B27187F8DDA4A42E3AEFAD4962F13D082716AE5C0344546F21
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-22T01:44:00.342Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.590163468834998
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	6b3d1eb532fa79ec626ec1ad68c41252
SHA1:	bec92edb036c8c9988509ae24bded9f4c81d07e9
SHA256:	f64770795eee93eab120ba022b91b720afc576b9de57c42068525ce2a42f3560
SHA512:	8af6ee295372e2c91409afc5ed85024762280af52e921f4eaf520927d7f0b481e8b60ef9597139afc40bc45dfb89760708e8f103f51b6ce6f9d389ce85d4377e
SSDEEP:	12288:6qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTs:6qDEvCTbMWu7rQYlBQcBiT6rprG8aLs
TLSH:	53159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673FC8A6 [Thu Nov 21 23:56:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD970D3BBC3h
jmp 00007FD970D3B4CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD970D3B6ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD970D3B67Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD970D3E26Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD970D3E2B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD970D3E2A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa550	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa550	0xa600	bc63bc370da23969795bb71553caaa5b	False	0.358386671686747	data	5.569808850691617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1816	data			1.0017839766461238
RT_GROUP_ICON	0xddfd0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde048	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde05c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde070	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde084	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde160	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 01:02:16.986531973 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:16.986569881 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:16.986895084 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:16.991502047 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:16.991522074 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:17.768261909 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.768301010 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:17.768373013 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.768409014 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.768419981 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:17.769541979 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.769738913 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.769757032 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:17.771226883 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:17.771239996 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:17.773005009 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:17.892445087 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:17.893604040 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:17.910031080 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:18.029515028 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:18.107017994 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.107060909 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:18.115176916 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.116385937 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.116398096 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:18.253048897 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.253159046 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:18.254023075 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.255400896 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:18.255439997 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:18.262164116 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:18.262187004 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:18.262681007 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:18.262825966 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:18.262840986 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:18.271766901 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:18.282804012 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:18.295030117 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:18.295044899 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:18.295072079 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:18.295614004 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:18.295751095 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:18.696125031 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:18.696204901 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:18.701024055 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:18.704915047 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:18.704957008 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:19.029303074 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:19.098000050 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:19.297470093 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:19.417054892 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:19.417139053 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:19.417408943 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:19.436769962 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.436779976 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.436853886 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.443262100 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.443298101 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.443381071 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.443468094 CET	443	49714	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.443523884 CET	49714	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.489159107 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.489228964 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.495767117 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.495781898 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.495853901 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.496076107 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.496294975 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.547683001 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:19.573211908 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.573259115 CET	443	49720	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.573400974 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.574857950 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:19.574876070 CET	443	49720	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:19.828170061 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:19.828613043 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:19.836663008 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:19.836793900 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.837516069 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.839510918 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.840167999 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:19.840168953 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.840178013 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.840573072 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.843609095 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:19.843614101 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:19.843877077 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:19.846952915 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.846985102 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.849270105 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:19.849366903 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:19.849446058 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:19.851712942 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.851730108 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.851787090 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.851954937 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.855003119 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:19.855010986 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.861259937 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.861278057 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.861375093 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.861502886 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 01:02:19.862603903 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 01:02:19.870878935 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:19.920866013 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:19.923156977 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:19.926321030 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:19.926326036 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:19.926671028 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:19.929919958 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:19.930028915 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:19.930186987 CET	443	49717	34.160.144.191	192.168.2.5
Nov 22, 2024 01:02:19.931600094 CET	49717	443	192.168.2.5	34.160.144.191
Nov 22, 2024 01:02:20.000668049 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.237514019 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.240142107 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.357353926 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.357477903 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.359864950 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.363632917 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.400106907 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.400242090 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.401240110 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:20.401256084 CET	443	49725	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:20.401985884 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:20.404074907 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:20.404088974 CET	443	49725	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:20.519608974 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.519707918 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.520709038 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.521332026 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.523765087 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.523977041 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:20.538321018 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:20.538336992 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:20.539385080 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:20.541476011 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:20.541491985 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:20.599946976 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:20.599987984 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:20.618880987 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:20.619144917 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:20.619159937 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:20.643228054 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.643371105 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:20.666419029 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:20.666445971 CET	443	49728	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:20.666683912 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:20.671999931 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:20.672014952 CET	443	49728	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:20.927294016 CET	443	49720	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:20.929934978 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.939188957 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.939217091 CET	443	49720	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:20.939399004 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.939534903 CET	443	49720	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:20.939992905 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.940030098 CET	443	49729	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:20.942938089 CET	49720	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.943017006 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.945651054 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:20.945662975 CET	443	49729	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:21.652792931 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:21.667573929 CET	443	49725	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:21.670499086 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:21.685030937 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:21.685060978 CET	443	49725	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:21.685126066 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:21.685275078 CET	443	49725	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:21.685590982 CET	49725	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:21.693756104 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:21.698904037 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:21.754379034 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:21.810914993 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:21.811815977 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:21.824426889 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:21.824457884 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:21.824554920 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:21.825083017 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:21.825169086 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:21.932347059 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:21.932387114 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:21.937088966 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:21.938050985 CET	443	49728	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:21.940890074 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:22.007323980 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:22.007426023 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:22.080890894 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:22.080904007 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:22.081873894 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:22.086924076 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:22.087001085 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:22.087333918 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:22.163115025 CET	443	49729	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:22.163192034 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:22.202089071 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:22.202125072 CET	443	49728	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:22.202183008 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:22.202419996 CET	443	49728	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:22.202914000 CET	49728	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:22.203398943 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:22.203417063 CET	443	49729	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:22.203505039 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:22.203644991 CET	443	49729	34.117.188.166	192.168.2.5
Nov 22, 2024 01:02:22.203773022 CET	49729	443	192.168.2.5	34.117.188.166
Nov 22, 2024 01:02:24.377986908 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.378612995 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.409231901 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.409255981 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.411247969 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.411293030 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.411640882 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.411736965 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.411835909 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.411847115 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.412028074 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.412039995 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.497471094 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.498425007 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.518131971 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.518147945 CET	443	49739	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.518264055 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.519731998 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:24.519746065 CET	443	49739	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:24.703089952 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.704183102 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.710731030 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.710844040 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.719628096 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.763385057 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.824065924 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.824321985 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.839154005 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:24.839299917 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.839488029 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:24.958900928 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:25.679296017 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.679409027 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.682672977 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.682681084 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.682926893 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.685885906 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.685929060 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.686084986 CET	443	49737	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.686278105 CET	49737	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.726667881 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.726866961 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.729792118 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.729808092 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.729944944 CET	443	49739	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.730045080 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.730082035 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.733716965 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.733858109 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.733869076 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.733876944 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.734723091 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.734729052 CET	443	49739	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.734780073 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.734884977 CET	443	49739	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.735093117 CET	49739	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:25.939373970 CET	443	49738	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:25.939567089 CET	49738	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:26.017258883 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:26.071512938 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:29.519452095 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:29.524055004 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:29.524122000 CET	443	49754	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:29.525947094 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:29.527379990 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:29.527429104 CET	443	49754	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:29.639039040 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:29.844504118 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:29.896476984 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:30.165432930 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:30.165477991 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:30.166126966 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:30.167618036 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:30.167629957 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:30.784347057 CET	443	49754	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:30.797931910 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:31.400840044 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:31.402730942 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:31.402731895 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:31.402781963 CET	443	49754	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:31.403023005 CET	443	49754	34.120.208.123	192.168.2.5
Nov 22, 2024 01:02:31.404123068 CET	49754	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:02:31.431262970 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:31.435333967 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:31.437638998 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:31.442688942 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:31.442697048 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:31.442765951 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:31.442872047 CET	443	49760	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:31.453128099 CET	49760	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:31.520347118 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:31.733411074 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:31.776060104 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:31.818996906 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:31.938570023 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:32.143345118 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:32.166018963 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:32.192893028 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:32.286079884 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:32.498939991 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:32.540776014 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:41.756990910 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:41.757011890 CET	443	49784	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:41.757896900 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:41.759408951 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:41.759421110 CET	443	49784	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:42.153790951 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:42.273313999 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:42.508074999 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:42.627584934 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:43.075715065 CET	443	49784	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:43.076248884 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:43.080578089 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:43.080591917 CET	443	49784	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:43.080714941 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:43.080847979 CET	443	49784	34.107.243.93	192.168.2.5
Nov 22, 2024 01:02:43.084472895 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:43.084773064 CET	49784	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:02:43.204025030 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:43.410154104 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:43.414252043 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:43.457613945 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:43.533947945 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:43.752163887 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:43.805066109 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:45.671807051 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:45.671849012 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:45.672092915 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:45.672264099 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:45.672276974 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:45.894227982 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:45.894318104 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:45.894862890 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:45.894983053 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:45.895008087 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:45.937212944 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:45.937268972 CET	443	49797	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:45.941677094 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:45.943213940 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:45.943236113 CET	443	49797	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:46.142592907 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:46.142644882 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:46.143042088 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:46.143199921 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:46.143209934 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:46.257882118 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:46.257947922 CET	443	49799	35.201.103.21	192.168.2.5
Nov 22, 2024 01:02:46.258335114 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:46.259799004 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:46.259831905 CET	443	49799	35.201.103.21	192.168.2.5
Nov 22, 2024 01:02:46.883352995 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:46.883550882 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:46.886681080 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:46.886691093 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:46.887018919 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:46.888592005 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:46.888700008 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:46.888876915 CET	443	49794	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:46.892208099 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:46.893774986 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:46.893811941 CET	49794	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:47.011631012 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.160887003 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:47.161022902 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:47.164243937 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:47.164254904 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:47.164592028 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:47.166672945 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:47.166789055 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:47.166858912 CET	443	49796	151.101.65.91	192.168.2.5
Nov 22, 2024 01:02:47.168499947 CET	49796	443	192.168.2.5	151.101.65.91
Nov 22, 2024 01:02:47.175937891 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.175981045 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.176424980 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.176537991 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.176544905 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.177925110 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.177969933 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.178205013 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.178482056 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.178493977 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.180445910 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.180460930 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.180699110 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.180819035 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.180830956 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.222676992 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.228511095 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:47.247181892 CET	443	49797	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:47.252542019 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:47.262315989 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:47.262330055 CET	443	49797	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:47.262422085 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:47.262628078 CET	443	49797	35.190.72.216	192.168.2.5
Nov 22, 2024 01:02:47.265407085 CET	49797	443	192.168.2.5	35.190.72.216
Nov 22, 2024 01:02:47.265986919 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:47.347981930 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.385467052 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.402734995 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.402932882 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.406363964 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.406392097 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.406666994 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.409482956 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.409607887 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.409648895 CET	443	49798	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:47.410507917 CET	49798	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:47.521009922 CET	443	49799	35.201.103.21	192.168.2.5
Nov 22, 2024 01:02:47.521116018 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:47.525680065 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:47.525712967 CET	443	49799	35.201.103.21	192.168.2.5
Nov 22, 2024 01:02:47.525808096 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:47.525917053 CET	443	49799	35.201.103.21	192.168.2.5
Nov 22, 2024 01:02:47.527262926 CET	49799	443	192.168.2.5	35.201.103.21
Nov 22, 2024 01:02:47.540220976 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:47.540267944 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:47.540344000 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:47.540468931 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:47.540487051 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:47.561392069 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.600919008 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:47.616231918 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:47.629429102 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:47.669969082 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:47.848575115 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:48.089524031 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:48.140242100 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:48.445960045 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.446055889 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.449120045 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.449197054 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.449249983 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.449259996 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.449589014 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.451720953 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.451735973 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.452083111 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.455107927 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.455224991 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.455545902 CET	443	49801	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.455570936 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.455676079 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.455750942 CET	443	49802	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.456752062 CET	49801	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.456757069 CET	49802	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.462654114 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:48.484488010 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.484603882 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.487730980 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.487735033 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.487938881 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.490561008 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.490660906 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.490667105 CET	443	49803	35.244.181.201	192.168.2.5
Nov 22, 2024 01:02:48.491705894 CET	49803	443	192.168.2.5	35.244.181.201
Nov 22, 2024 01:02:48.585120916 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:48.772182941 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:48.772272110 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:48.775825977 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:48.775846004 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:48.776078939 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:48.778727055 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:48.778834105 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:48.778882027 CET	443	49804	34.149.100.209	192.168.2.5
Nov 22, 2024 01:02:48.779880047 CET	49804	443	192.168.2.5	34.149.100.209
Nov 22, 2024 01:02:48.786364079 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:48.789921045 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:48.826651096 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:48.909409046 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:49.123125076 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:49.174454927 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:58.796423912 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:58.915891886 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:02:59.128515959 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:02:59.247915983 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:03.469621897 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:03.589127064 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:03.794559002 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:03.798697948 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:03.841744900 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:03.918209076 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:04.031814098 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:04.031835079 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:04.032262087 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:04.033679962 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:04.033693075 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:04.157061100 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:04.211654902 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:05.294811010 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:05.294975042 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:05.298554897 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:05.298562050 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:05.298719883 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:05.298733950 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:05.298743963 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:05.301408052 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:05.420855045 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:05.507342100 CET	443	49846	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:05.515516996 CET	49846	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:05.625523090 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:05.630167007 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:05.678328037 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:05.749629974 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:05.962798119 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:06.017030001 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:15.644669056 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:15.764169931 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:15.884687901 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.884733915 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:15.884825945 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.884862900 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:15.886151075 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.886337042 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.886339903 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.886354923 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:15.886456013 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:15.886472940 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:15.976794958 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:16.096223116 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:17.144123077 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.144144058 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.144253016 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.147631884 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.147690058 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.147697926 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.147970915 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.150372982 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.150389910 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.150644064 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.153964043 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.154016018 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.154093027 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.154112101 CET	443	49874	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.154175043 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.154267073 CET	443	49875	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.154356956 CET	49874	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.154378891 CET	49875	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.158668995 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:17.162265062 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.162293911 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.162775040 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.162878990 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.162890911 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.172038078 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.172075033 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.172439098 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.172585011 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.172596931 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.174406052 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.174453020 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.174540043 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.174659967 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:17.174674034 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:17.280201912 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:17.483059883 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:17.486884117 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:17.528012991 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:17.606367111 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:17.825723886 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:17.866645098 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:18.332968950 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:18.333154917 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:18.373140097 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.373224020 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.376810074 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.376828909 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.377155066 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.379981995 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.380112886 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.380182028 CET	443	49879	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.380331993 CET	49879	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.382469893 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.382606030 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.385746956 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.385756016 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.386049032 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.386328936 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:18.389059067 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.389164925 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.389240980 CET	443	49880	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.389771938 CET	49880	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.432780981 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.432890892 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.436465025 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.436496019 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.436770916 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.439465046 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.439594984 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.439763069 CET	443	49881	34.120.208.123	192.168.2.5
Nov 22, 2024 01:03:18.439850092 CET	49881	443	192.168.2.5	34.120.208.123
Nov 22, 2024 01:03:18.505861998 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:18.711774111 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:18.715460062 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:18.753664017 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:18.835014105 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:19.048086882 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:19.101548910 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:28.713973999 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:28.895548105 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:29.061419964 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:29.181051016 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:38.911659002 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:39.031156063 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:39.190248013 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:39.309741974 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:45.514132977 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:45.514162064 CET	443	49943	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:45.516058922 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:45.517616034 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:45.517627954 CET	443	49943	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:46.874411106 CET	443	49943	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:46.874502897 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:46.881236076 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:46.881251097 CET	443	49943	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:46.881346941 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:46.881433964 CET	443	49943	34.107.243.93	192.168.2.5
Nov 22, 2024 01:03:46.883415937 CET	49943	443	192.168.2.5	34.107.243.93
Nov 22, 2024 01:03:46.885202885 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:47.004762888 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:47.219997883 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:47.225214005 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:47.265991926 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:47.344724894 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:47.558954000 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:47.613559008 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:57.228470087 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:57.348033905 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:03:57.579659939 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:03:57.699161053 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:04:07.358223915 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:04:07.477778912 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:04:07.712513924 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:04:07.832145929 CET	80	49740	34.107.221.82	192.168.2.5
Nov 22, 2024 01:04:17.484514952 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:04:17.604094028 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 01:04:17.838896990 CET	49740	80	192.168.2.5	34.107.221.82
Nov 22, 2024 01:04:17.958372116 CET	80	49740	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 01:02:16.986814976 CET	53226	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.128864050 CET	53	53226	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:17.157233953 CET	53379	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.295244932 CET	53	53379	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:17.630361080 CET	52268	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.630702019 CET	50733	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.767383099 CET	53	52268	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:17.773294926 CET	53090	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.773606062 CET	65121	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.910237074 CET	53	53090	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:17.910706997 CET	53	65121	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:17.911489010 CET	65151	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.911849022 CET	63621	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:17.928610086 CET	64947	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.048583984 CET	53	65151	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.049130917 CET	53	63621	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.066728115 CET	53	64947	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.107402086 CET	58594	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.114834070 CET	54403	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.244518042 CET	53	58594	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.245320082 CET	60599	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.251903057 CET	53	54403	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.253758907 CET	49971	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.262511969 CET	62598	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.270422935 CET	63368	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.382826090 CET	53	60599	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.394659996 CET	53	49971	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.395689011 CET	63270	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.401803017 CET	53	62598	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.403876066 CET	60645	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.407433033 CET	53	63368	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.533510923 CET	53	63270	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.542474031 CET	53	60645	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.720542908 CET	54894	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:18.857762098 CET	53	54894	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:18.862268925 CET	64548	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.000257015 CET	53	64548	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:19.050782919 CET	60956	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.054269075 CET	49266	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.146359921 CET	53655	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.188066006 CET	53	60956	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:19.190871000 CET	53	49266	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:19.812333107 CET	58086	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.821443081 CET	52414	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:19.958961010 CET	53	52414	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:19.964742899 CET	57465	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.102150917 CET	53	57465	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:20.103148937 CET	62127	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.240084887 CET	53	62127	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:20.462066889 CET	56818	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.538966894 CET	65259	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.599673986 CET	53	56818	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:20.677396059 CET	53	65259	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:20.746067047 CET	51385	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.754997969 CET	64938	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.883112907 CET	53	51385	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:20.884856939 CET	49991	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:20.892545938 CET	53	64938	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:21.002625942 CET	53	50042	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:21.021954060 CET	53	49991	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:24.330794096 CET	53243	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:24.467751026 CET	53	53243	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:24.476125002 CET	52260	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:24.814430952 CET	53	52260	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:24.816448927 CET	60066	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:25.038538933 CET	53	60066	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.492752075 CET	62587	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.493067980 CET	60293	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.493311882 CET	57995	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.629849911 CET	53	62587	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.630253077 CET	53	60293	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.630803108 CET	53	57995	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.631257057 CET	58557	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.631257057 CET	55484	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.632009983 CET	54516	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.768444061 CET	53	58557	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.769263983 CET	63501	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.770107985 CET	53	55484	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.770243883 CET	53	54516	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.770678043 CET	62687	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.770838976 CET	55126	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.906445026 CET	53	63501	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.907694101 CET	55309	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:29.992897034 CET	53	62687	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:29.993968010 CET	59468	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.046077967 CET	53	55309	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.047075987 CET	50687	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.077207088 CET	53	55126	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.079037905 CET	60324	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.130976915 CET	53	59468	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.131989002 CET	63269	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.216465950 CET	53	60324	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.261831999 CET	53	50687	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.262788057 CET	61120	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.269269943 CET	53	63269	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.269804955 CET	54241	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:30.406845093 CET	53	54241	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:30.468380928 CET	53	61120	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:31.398021936 CET	64845	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:31.535063028 CET	53	64845	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:41.757278919 CET	57132	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:41.894612074 CET	53	57132	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:43.084338903 CET	53408	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:45.669990063 CET	50592	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:45.892826080 CET	53	50592	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:45.894787073 CET	60923	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:45.945511103 CET	50814	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:46.032536983 CET	53	60923	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:46.033447027 CET	63365	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:46.142977953 CET	62084	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:46.256571054 CET	53	50814	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:46.258270979 CET	50771	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:46.267537117 CET	53	63365	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:46.281254053 CET	53	62084	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:46.396234989 CET	53	50771	1.1.1.1	192.168.2.5
Nov 22, 2024 01:02:46.397191048 CET	65420	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:02:46.644665003 CET	53	65420	1.1.1.1	192.168.2.5
Nov 22, 2024 01:03:03.813200951 CET	52487	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:03:04.029731989 CET	53	52487	1.1.1.1	192.168.2.5
Nov 22, 2024 01:03:04.032200098 CET	56738	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:03:04.268678904 CET	53	56738	1.1.1.1	192.168.2.5
Nov 22, 2024 01:03:15.883131981 CET	63439	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:03:16.020344019 CET	53	63439	1.1.1.1	192.168.2.5
Nov 22, 2024 01:03:45.514513969 CET	64261	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:03:45.685827017 CET	53	64261	1.1.1.1	192.168.2.5
Nov 22, 2024 01:03:46.886096954 CET	50181	53	192.168.2.5	1.1.1.1
Nov 22, 2024 01:03:47.134525061 CET	50181	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 01:02:16.986814976 CET	192.168.2.5	1.1.1.1	0x6f17	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.157233953 CET	192.168.2.5	1.1.1.1	0xc5f0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:17.630361080 CET	192.168.2.5	1.1.1.1	0xfd2b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.630702019 CET	192.168.2.5	1.1.1.1	0x2b88	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.773294926 CET	192.168.2.5	1.1.1.1	0x9e01	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.773606062 CET	192.168.2.5	1.1.1.1	0x52dd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.911489010 CET	192.168.2.5	1.1.1.1	0x61ba	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:17.911849022 CET	192.168.2.5	1.1.1.1	0x8d78	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:17.928610086 CET	192.168.2.5	1.1.1.1	0x4a55	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.107402086 CET	192.168.2.5	1.1.1.1	0xa3cf	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.114834070 CET	192.168.2.5	1.1.1.1	0x426	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.245320082 CET	192.168.2.5	1.1.1.1	0xf20	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:18.253758907 CET	192.168.2.5	1.1.1.1	0xd512	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.262511969 CET	192.168.2.5	1.1.1.1	0xbe9f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.270422935 CET	192.168.2.5	1.1.1.1	0x649a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.395689011 CET	192.168.2.5	1.1.1.1	0x1749	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:18.403876066 CET	192.168.2.5	1.1.1.1	0x4023	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:18.720542908 CET	192.168.2.5	1.1.1.1	0xd403	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.862268925 CET	192.168.2.5	1.1.1.1	0x3bb9	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:19.050782919 CET	192.168.2.5	1.1.1.1	0xb836	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.054269075 CET	192.168.2.5	1.1.1.1	0xa662	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.146359921 CET	192.168.2.5	1.1.1.1	0x486d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.812333107 CET	192.168.2.5	1.1.1.1	0xaa81	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.821443081 CET	192.168.2.5	1.1.1.1	0x75a7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.964742899 CET	192.168.2.5	1.1.1.1	0xba01	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.103148937 CET	192.168.2.5	1.1.1.1	0xe9d0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:20.462066889 CET	192.168.2.5	1.1.1.1	0xeb58	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.538966894 CET	192.168.2.5	1.1.1.1	0x8731	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.746067047 CET	192.168.2.5	1.1.1.1	0xc4f9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.754997969 CET	192.168.2.5	1.1.1.1	0x5d32	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:20.884856939 CET	192.168.2.5	1.1.1.1	0xd247	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:24.330794096 CET	192.168.2.5	1.1.1.1	0xef26	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:24.476125002 CET	192.168.2.5	1.1.1.1	0xda4e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:24.816448927 CET	192.168.2.5	1.1.1.1	0x35ba	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:29.492752075 CET	192.168.2.5	1.1.1.1	0x8723	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.493067980 CET	192.168.2.5	1.1.1.1	0xf8b3	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.493311882 CET	192.168.2.5	1.1.1.1	0x76d7	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.631257057 CET	192.168.2.5	1.1.1.1	0x9ebb	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.631257057 CET	192.168.2.5	1.1.1.1	0xcaf6	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.632009983 CET	192.168.2.5	1.1.1.1	0xdeae	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.769263983 CET	192.168.2.5	1.1.1.1	0x92bc	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:29.770678043 CET	192.168.2.5	1.1.1.1	0x9ad3	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:29.770838976 CET	192.168.2.5	1.1.1.1	0x2a3d	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 22, 2024 01:02:29.907694101 CET	192.168.2.5	1.1.1.1	0xc1f7	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.993968010 CET	192.168.2.5	1.1.1.1	0x4c9b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.047075987 CET	192.168.2.5	1.1.1.1	0x896a	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.079037905 CET	192.168.2.5	1.1.1.1	0xeaac	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:30.131989002 CET	192.168.2.5	1.1.1.1	0x2c76	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.262788057 CET	192.168.2.5	1.1.1.1	0x940b	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:30.269804955 CET	192.168.2.5	1.1.1.1	0x3b3e	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:31.398021936 CET	192.168.2.5	1.1.1.1	0x536c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:41.757278919 CET	192.168.2.5	1.1.1.1	0xe402	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:02:43.084338903 CET	192.168.2.5	1.1.1.1	0xba36	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.669990063 CET	192.168.2.5	1.1.1.1	0xce49	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.894787073 CET	192.168.2.5	1.1.1.1	0xb454	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.945511103 CET	192.168.2.5	1.1.1.1	0xf2f5	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.033447027 CET	192.168.2.5	1.1.1.1	0x79d6	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 22, 2024 01:02:46.142977953 CET	192.168.2.5	1.1.1.1	0x7376	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 01:02:46.258270979 CET	192.168.2.5	1.1.1.1	0x9a66	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.397191048 CET	192.168.2.5	1.1.1.1	0x358d	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:03:03.813200951 CET	192.168.2.5	1.1.1.1	0xf369	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:03:04.032200098 CET	192.168.2.5	1.1.1.1	0xedfb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:03:15.883131981 CET	192.168.2.5	1.1.1.1	0xbcb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:03:45.514513969 CET	192.168.2.5	1.1.1.1	0xe5af	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 01:03:46.886096954 CET	192.168.2.5	1.1.1.1	0xaad6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:03:47.134525061 CET	192.168.2.5	1.1.1.1	0xaad6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 01:02:16.981467009 CET	1.1.1.1	192.168.2.5	0x6c73	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.128864050 CET	1.1.1.1	192.168.2.5	0x6f17	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.767383099 CET	1.1.1.1	192.168.2.5	0xfd2b	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.769927979 CET	1.1.1.1	192.168.2.5	0x2b88	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:17.769927979 CET	1.1.1.1	192.168.2.5	0x2b88	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.910237074 CET	1.1.1.1	192.168.2.5	0x9e01	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:17.910706997 CET	1.1.1.1	192.168.2.5	0x52dd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.048583984 CET	1.1.1.1	192.168.2.5	0x61ba	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 22, 2024 01:02:18.049130917 CET	1.1.1.1	192.168.2.5	0x8d78	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:18.066728115 CET	1.1.1.1	192.168.2.5	0x4a55	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.244518042 CET	1.1.1.1	192.168.2.5	0xa3cf	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.251903057 CET	1.1.1.1	192.168.2.5	0x426	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:18.251903057 CET	1.1.1.1	192.168.2.5	0x426	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.260417938 CET	1.1.1.1	192.168.2.5	0x9543	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:18.260417938 CET	1.1.1.1	192.168.2.5	0x9543	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.394659996 CET	1.1.1.1	192.168.2.5	0xd512	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.401803017 CET	1.1.1.1	192.168.2.5	0xbe9f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.407433033 CET	1.1.1.1	192.168.2.5	0x649a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:18.407433033 CET	1.1.1.1	192.168.2.5	0x649a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:18.407433033 CET	1.1.1.1	192.168.2.5	0x649a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:18.857762098 CET	1.1.1.1	192.168.2.5	0xd403	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.000257015 CET	1.1.1.1	192.168.2.5	0x3bb9	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 22, 2024 01:02:19.188066006 CET	1.1.1.1	192.168.2.5	0xb836	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.190871000 CET	1.1.1.1	192.168.2.5	0xa662	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.190871000 CET	1.1.1.1	192.168.2.5	0xa662	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.283730984 CET	1.1.1.1	192.168.2.5	0x486d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:19.283730984 CET	1.1.1.1	192.168.2.5	0x486d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:19.958961010 CET	1.1.1.1	192.168.2.5	0x75a7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.102150917 CET	1.1.1.1	192.168.2.5	0xba01	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.242573023 CET	1.1.1.1	192.168.2.5	0xaa81	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:20.536156893 CET	1.1.1.1	192.168.2.5	0xae50	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.581315041 CET	1.1.1.1	192.168.2.5	0xdc01	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:20.581315041 CET	1.1.1.1	192.168.2.5	0xdc01	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.599673986 CET	1.1.1.1	192.168.2.5	0xeb58	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:20.599673986 CET	1.1.1.1	192.168.2.5	0xeb58	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.677396059 CET	1.1.1.1	192.168.2.5	0x8731	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:20.883112907 CET	1.1.1.1	192.168.2.5	0xc4f9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:24.467751026 CET	1.1.1.1	192.168.2.5	0xef26	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:24.467751026 CET	1.1.1.1	192.168.2.5	0xef26	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:24.467751026 CET	1.1.1.1	192.168.2.5	0xef26	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:24.516128063 CET	1.1.1.1	192.168.2.5	0xe900	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:24.814430952 CET	1.1.1.1	192.168.2.5	0xda4e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.629849911 CET	1.1.1.1	192.168.2.5	0x8723	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.630253077 CET	1.1.1.1	192.168.2.5	0xf8b3	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:29.630253077 CET	1.1.1.1	192.168.2.5	0xf8b3	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.630803108 CET	1.1.1.1	192.168.2.5	0x76d7	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:29.630803108 CET	1.1.1.1	192.168.2.5	0x76d7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.768444061 CET	1.1.1.1	192.168.2.5	0x9ebb	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.770107985 CET	1.1.1.1	192.168.2.5	0xcaf6	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.770243883 CET	1.1.1.1	192.168.2.5	0xdeae	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:29.906445026 CET	1.1.1.1	192.168.2.5	0x92bc	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:29.906445026 CET	1.1.1.1	192.168.2.5	0x92bc	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:29.906445026 CET	1.1.1.1	192.168.2.5	0x92bc	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:29.906445026 CET	1.1.1.1	192.168.2.5	0x92bc	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:29.992897034 CET	1.1.1.1	192.168.2.5	0x9ad3	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 22, 2024 01:02:30.046077967 CET	1.1.1.1	192.168.2.5	0xc1f7	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:30.046077967 CET	1.1.1.1	192.168.2.5	0xc1f7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.046077967 CET	1.1.1.1	192.168.2.5	0xc1f7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.046077967 CET	1.1.1.1	192.168.2.5	0xc1f7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.046077967 CET	1.1.1.1	192.168.2.5	0xc1f7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.077207088 CET	1.1.1.1	192.168.2.5	0x2a3d	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 22, 2024 01:02:30.130976915 CET	1.1.1.1	192.168.2.5	0x4c9b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.261831999 CET	1.1.1.1	192.168.2.5	0x896a	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.261831999 CET	1.1.1.1	192.168.2.5	0x896a	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.261831999 CET	1.1.1.1	192.168.2.5	0x896a	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.261831999 CET	1.1.1.1	192.168.2.5	0x896a	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:30.269269943 CET	1.1.1.1	192.168.2.5	0x2c76	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:43.221937895 CET	1.1.1.1	192.168.2.5	0xba36	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:43.221937895 CET	1.1.1.1	192.168.2.5	0xba36	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.892826080 CET	1.1.1.1	192.168.2.5	0xce49	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.892826080 CET	1.1.1.1	192.168.2.5	0xce49	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.892826080 CET	1.1.1.1	192.168.2.5	0xce49	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:45.892826080 CET	1.1.1.1	192.168.2.5	0xce49	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.032536983 CET	1.1.1.1	192.168.2.5	0xb454	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.032536983 CET	1.1.1.1	192.168.2.5	0xb454	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.032536983 CET	1.1.1.1	192.168.2.5	0xb454	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.032536983 CET	1.1.1.1	192.168.2.5	0xb454	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.141294003 CET	1.1.1.1	192.168.2.5	0x7470	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:46.141294003 CET	1.1.1.1	192.168.2.5	0x7470	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.256571054 CET	1.1.1.1	192.168.2.5	0xf2f5	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:46.256571054 CET	1.1.1.1	192.168.2.5	0xf2f5	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:46.267537117 CET	1.1.1.1	192.168.2.5	0x79d6	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 01:02:46.267537117 CET	1.1.1.1	192.168.2.5	0x79d6	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 01:02:46.267537117 CET	1.1.1.1	192.168.2.5	0x79d6	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 01:02:46.267537117 CET	1.1.1.1	192.168.2.5	0x79d6	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 01:02:46.396234989 CET	1.1.1.1	192.168.2.5	0x9a66	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:02:49.063668966 CET	1.1.1.1	192.168.2.5	0xc5cc	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:02:49.063668966 CET	1.1.1.1	192.168.2.5	0xc5cc	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:03:04.029731989 CET	1.1.1.1	192.168.2.5	0xf369	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:03:15.871228933 CET	1.1.1.1	192.168.2.5	0x3583	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:03:47.276670933 CET	1.1.1.1	192.168.2.5	0xaad6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:03:47.276670933 CET	1.1.1.1	192.168.2.5	0xaad6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 01:03:47.277357101 CET	1.1.1.1	192.168.2.5	0xaad6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 01:03:47.277357101 CET	1.1.1.1	192.168.2.5	0xaad6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	4524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 01:02:17.910031080 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:19.029303074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62640 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:19.547683001 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:19.870878935 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62641 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	4524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 01:02:19.417408943 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	34.107.221.82	80	4524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 01:02:20.523765087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:21.698904037 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60267 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:24.377986908 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:24.710731030 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60270 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49724	34.107.221.82	80	4524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 01:02:20.523977041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:21.652792931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62643 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:24.378612995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:24.703089952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62646 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:29.519452095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:29.844504118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62651 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:31.818996906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:32.143345118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:42.153790951 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:02:43.084472895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:43.410154104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62665 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:46.892208099 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:47.222676992 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62669 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:47.265986919 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:47.616231918 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62669 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:48.462654114 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:02:48.786364079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62670 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:02:58.796423912 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:03.469621897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:03:03.794559002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62685 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:03:05.301408052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:03:05.625523090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62687 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:03:15.644669056 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:17.158668995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:03:17.483059883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62699 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:03:18.386328936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:03:18.711774111 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62700 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:03:28.713973999 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:38.911659002 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:46.885202885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 01:03:47.219997883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 62729 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 01:03:57.228470087 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:04:07.358223915 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:04:17.484514952 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49740	34.107.221.82	80	4524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 01:02:24.839488029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:26.017258883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60271 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:31.400840044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:31.733411074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:32.166018963 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:32.498939991 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:42.508074999 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:02:43.414252043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:43.752163887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60289 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:47.228511095 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:47.561392069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60293 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:47.629429102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:48.089524031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60293 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:48.789921045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:02:49.123125076 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60294 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:02:59.128515959 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:03.798697948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:03:04.157061100 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60309 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:05.630167007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:03:05.962798119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:15.976794958 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:17.486884117 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:03:17.825723886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60323 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:18.332968950 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60323 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:18.715460062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:03:19.048086882 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60324 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:29.061419964 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:39.190248013 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:03:47.225214005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 01:03:47.558954000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 60353 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 01:03:57.579659939 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:04:07.712513924 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 01:04:17.838896990 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	19:02:09
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6f0000
File size:	921'600 bytes
MD5 hash:	6B3D1EB532FA79EC626EC1AD68C41252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:02:09
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x9b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:02:09
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x9b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x9b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x9b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:02:12
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:02:13
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x9b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:02:13
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:02:13
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:02:13
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:02:13
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:02:14
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2100 -prefMapHandle 2084 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e5bb71-6041-43a7-abb5-053bc12383cc} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27862b6ff10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:02:15
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fef102d-ba7c-4de9-9a94-ab3664557bbb} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 27873747e10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	19:02:19
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb23677d-f1f7-486e-8b2a-11b76b8bf989} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" 278748d9710 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1526
Total number of Limit Nodes:	59

Executed Functions

Function 006F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006F430D

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetCurrentProcess.KERNEL32(?,0078CB64,00000000,?,?), ref: 006F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006F44A0

Strings

|O, xrefs: 007336F8
kernel32.dll, xrefs: 006F444F
GetNativeSystemInfo, xrefs: 006F4460

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction ID: bfb33f692eb5ddec5effe2fa464038af20d54a5839bb4057c4e65ddd3cce24ea
Opcode Fuzzy Hash: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction Fuzzy Hash: 08A1D27291A2C4CFD722D7697C819A53FE5AB67308B88D5BCD441A3E23D63C4509CB2D

Function 006F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42C9
LoadResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335BE
SizeofResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335D3
LockResource.KERNEL32(006F50AA,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20,?), ref: 007335E6

Strings

SCRIPT, xrefs: 006F42BF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction ID: 6ae619d4c4a7bddbe49379928d1abe8708617eb6bf3251e74d3be33d64e7f559
Opcode Fuzzy Hash: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction Fuzzy Hash: 0B117970240704BFEB228BA5DC49F677BBAEFC5B51F208169F50296AA0DB71D9008B30

Function 00732BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007B2224), ref: 00732C10
ShellExecuteW.SHELL32(00000000,?,?,007B2224), ref: 00732C17

Strings

runas, xrefs: 00732C0B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction ID: 810fe24c9158d9b237f9410603c16c03b0685cb8b0898ba4a9563d6a1054aa05
Opcode Fuzzy Hash: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction Fuzzy Hash: 4D110A3110835E6AC745FF24D852EBD77A69F91340F44542DF742021A3DF38960A871A

Function 0075D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Process32NextW.KERNEL32(00000000,?), ref: 0075D52F
CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction ID: 5f375bf7525dc27c593a1e2038a3a8b6de1e234d43fe69811230efc22501d680
Opcode Fuzzy Hash: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction Fuzzy Hash: D731C2710083049FD315EF54C885ABFBBF8EF99344F10092DF685821A1EBB19A49CBA2

Function 0075DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00735222), ref: 0075DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0075DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0075DBEE
FindClose.KERNEL32(00000000), ref: 0075DBFA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction ID: 4d1624d1ad3212269bec84c3e52e9e8bf17e427575339129a798f9070ab2d7ea
Opcode Fuzzy Hash: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction Fuzzy Hash: 50F0A0308509149B92316B78AC0D8AE37ACAE01336F208702F836C20E0EBF85D5886B9

Function 00714CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D09
TerminateProcess.KERNEL32(00000000,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D10
ExitProcess.KERNEL32 ref: 00714D22

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction ID: ab36784b0e7721a6d028d3618f5912b28790d166e4a13e305f65210a32da91ed
Opcode Fuzzy Hash: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction Fuzzy Hash: 04E0B631540548ABCF12AF68ED0DA983B69FB41B81B208014FD498A562CB3DDD82DB94

Function 006FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#|, xrefs: 007407CE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#|
API String ID: 3964851224-1286273844
Opcode ID: 33c3220ea8275357ba32f827ba38b8e6c47d892d28b732fa21ad758784cd2df8
Instruction ID: 50371d7846ab44650b63ae75ea0d22a347d10d277bdd53a1d17fa52179b19ac5
Opcode Fuzzy Hash: 33c3220ea8275357ba32f827ba38b8e6c47d892d28b732fa21ad758784cd2df8
Instruction Fuzzy Hash: 6BA27C70608345CFC714DF28C580B6ABBE2BF89314F14896DEA9A8B352D775EC45CB92

Function 0077AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0077B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1D4
_wcslen.LIBCMT ref: 0077B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B236
_wcslen.LIBCMT ref: 0077B332

Part of subcall function 007605A7: GetStdHandle.KERNEL32(000000F6), ref: 007605C6

_wcslen.LIBCMT ref: 0077B34B
_wcslen.LIBCMT ref: 0077B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077B3B6
GetLastError.KERNEL32(00000000), ref: 0077B407
CloseHandle.KERNEL32(?), ref: 0077B439
CloseHandle.KERNEL32(00000000), ref: 0077B44A
CloseHandle.KERNEL32(00000000), ref: 0077B45C
CloseHandle.KERNEL32(00000000), ref: 0077B46E
CloseHandle.KERNEL32(?), ref: 0077B4E3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a0aaa1930d9a24f91074caadc4295f4943a4f57e2615314147dca297352f7c7f
Instruction ID: f7755ea78470aaa072517814cd61e2719ea4f2cd06ce6fb7eddaf6d3308722c3
Opcode Fuzzy Hash: a0aaa1930d9a24f91074caadc4295f4943a4f57e2615314147dca297352f7c7f
Instruction Fuzzy Hash: C5F19931608344DFCB24EF24C895B6EBBE1AF85354F14855DF9998B2A2CB39EC44CB52

Function 006FD730 Relevance: 21.6, APIs: 14, Instructions: 626timeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006FD807
timeGetTime.WINMM ref: 006FDA07

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputStateTimetime
String ID:
API String ID: 2164325655-0
Opcode ID: 31db6eb9d22a9177926a2437b985c3a0a15b9c47027ba9bcd92b828e1f172f41
Instruction ID: 6f826fa52db7b91bec1bb6d2feaa53c9aee87b6d8604f52d27b3a165c456432d
Opcode Fuzzy Hash: 31db6eb9d22a9177926a2437b985c3a0a15b9c47027ba9bcd92b828e1f172f41
Instruction Fuzzy Hash: 79420F70608246DFD728CF24C888BBAB7E2BF41304F54861DFA6587292D778F855CB92

Function 006F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2D07
RegisterClassExW.USER32(00000030), ref: 006F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
LoadIconW.USER32(000000A9), ref: 006F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

AutoIt v3 GUI, xrefs: 006F2D23
TaskbarCreated, xrefs: 006F2D37
+, xrefs: 006F2CF0
0, xrefs: 006F2CE9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction ID: 10b8735791ca88a5889bbce3309e6fe9bae6b82ff4509761922e93c747601159
Opcode Fuzzy Hash: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction Fuzzy Hash: E021F4B1941348EFDB01DFA4EC49BDDBBB4FB09700F50812AF611A62A0D7B95540CFA9

Function 0073065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0073039A: CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

GetLastError.KERNEL32 ref: 0073076F
__dosmaperr.LIBCMT ref: 00730776
GetFileType.KERNELBASE(00000000), ref: 00730782
GetLastError.KERNEL32 ref: 0073078C
__dosmaperr.LIBCMT ref: 00730795
CloseHandle.KERNEL32(00000000), ref: 007307B5
CloseHandle.KERNEL32(?), ref: 007308FF
GetLastError.KERNEL32 ref: 00730931
__dosmaperr.LIBCMT ref: 00730938

Strings

H, xrefs: 007308BD

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction ID: 814cf7f12f1c01291aa563d9c599fc718ebc3d5a71c66a92a44ce126a0baa576
Opcode Fuzzy Hash: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction Fuzzy Hash: 99A12632A00118CFEF19EF68DC66BAE7BA0AB06320F14415DF8159B2D2D7399D52CBD5

Function 006F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0073318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007331CE
RegCloseKey.ADVAPI32(?), ref: 00733210
_wcslen.LIBCMT ref: 00733277
_wcslen.LIBCMT ref: 00733286

Strings

\, xrefs: 0073328C
Software\AutoIt v3\AutoIt, xrefs: 006F3560
Include, xrefs: 00733184, 007331C5
\Include\, xrefs: 006F3527

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a56649c5acc13e582227ad90f6cedc6fd050b8763466a484d9414d0ddea8f59e
Instruction ID: eaaa0b604b170fc6a89f2b8c26f1ca75f029a5a878cac33c59359c84becc9441
Opcode Fuzzy Hash: a56649c5acc13e582227ad90f6cedc6fd050b8763466a484d9414d0ddea8f59e
Instruction Fuzzy Hash: 1F71C2714043459EC314EF69DC81DABBBE8FF85340F40852EF545832A2EB7C9A49CB6A

Function 006F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006F2B9D
LoadIconW.USER32(00000063), ref: 006F2BB3
LoadIconW.USER32(000000A4), ref: 006F2BC5
LoadIconW.USER32(000000A2), ref: 006F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006F2BEF
RegisterClassExW.USER32(?), ref: 006F2C40

Part of subcall function 006F2CD4: GetSysColorBrush.USER32(0000000F), ref: 006F2D07
Part of subcall function 006F2CD4: RegisterClassExW.USER32(00000030), ref: 006F2D31
Part of subcall function 006F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
Part of subcall function 006F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
Part of subcall function 006F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
Part of subcall function 006F2CD4: LoadIconW.USER32(000000A9), ref: 006F2D85
Part of subcall function 006F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

#, xrefs: 006F2C16
AutoIt v3, xrefs: 006F2C2F
0, xrefs: 006F2C0F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction ID: 619bda8e1e5dd58b0a3c9750131b52716f3031ba6e666ca34e3cd5ecac6e8477
Opcode Fuzzy Hash: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction Fuzzy Hash: E9217C70E40358ABDB119FA5EC54EA97FB4FB09B54F90802EE600A26A1D3B94510CF98

Function 006F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006F316A,?,?), ref: 006F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006F316A,?,?), ref: 006F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006F316A,?,?), ref: 006F3232
CreatePopupMenu.USER32 ref: 006F3246
PostQuitMessage.USER32(00000000), ref: 006F3267

Strings

TaskbarCreated, xrefs: 006F322D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction ID: a01d5a45436f9f6cd91b7223eef79f38b44239824edfe5f8bacef976548227b5
Opcode Fuzzy Hash: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction Fuzzy Hash: 7E410531240268A6EB156B789D0DFB9371BE706344F54813DFB06853A3CB7A9B4287A9

Function 006F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006F1459
CoUninitialize.COMBASE ref: 006F14F8
UnregisterHotKey.USER32(?), ref: 006F16DD
DestroyWindow.USER32(?), ref: 007324B9
FreeLibrary.KERNEL32(?), ref: 0073251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0073254B

Strings

close all, xrefs: 006F1454

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3d6bbc9cc9527805b116e68e2efb206c3e5e2f366bc0de52be7f6cb4927a1b83
Instruction ID: fc8095a10414fe957b3a2407741e96d24e23693c7f4bdf6b8e40508bd08c8b03
Opcode Fuzzy Hash: 3d6bbc9cc9527805b116e68e2efb206c3e5e2f366bc0de52be7f6cb4927a1b83
Instruction Fuzzy Hash: 33D18D31701212CFDB29EF15C499A29F7A2BF05740F2442ADE94AAB252DB34AD23CF54

Function 006F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CCF

Strings

edit, xrefs: 006F2CAC
AutoIt v3, xrefs: 006F2C89, 006F2C8E, 006F2C8F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction ID: 73ef97aecc4785caf035b1f63602230cc1e68bb42ba33e3d613c39f403f3ba0f
Opcode Fuzzy Hash: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction Fuzzy Hash: C1F0DA755802D07AEB311717AC08E772FBDD7C7F64B51806EF900A29A1C6791850DBB8

Function 006F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B83

Strings

Control Panel\Mouse, xrefs: 006F3B3E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction ID: addff818681a50a355382d7a5bb5a9530e668ff14bf083e67d44c23cf96e627f
Opcode Fuzzy Hash: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction Fuzzy Hash: E4115AB1511219FFDB218FA4DC44AFEB7B9EF20780B10845AA901D7210E2319E419764

Function 006F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007333A2

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Strings

Line: , xrefs: 007333EB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction ID: 2ab629e3223dbfb8b2d11ed3f3b4978e17b4013b037c09081379d2f9391f04a6
Opcode Fuzzy Hash: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction Fuzzy Hash: 99312671408358AED321EB10DC45FFBB7D9AB41314F00452EF69983292EB789A48C7CA

Function 006F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00732C8C

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 006F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Strings

`e{, xrefs: 00732C85
X, xrefs: 00732C5A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e{
API String ID: 779396738-1989916424
Opcode ID: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction ID: 6396e7e6238377aa46dc700a13be9394f7925e38848aa42167c01199b2a173ec
Opcode Fuzzy Hash: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction Fuzzy Hash: 1121A571A0029C9FDF41DF94C845BEE7BF9AF49304F108069E605B7242DBBC5A898F65

Function 0070FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00710668

Part of subcall function 007132A4: RaiseException.KERNEL32(?,?,?,0071068A,?,007C1444,?,?,?,?,?,?,0071068A,006F1129,007B8738,006F1129), ref: 00713304

__CxxThrowException@8.LIBVCRUNTIME ref: 00710685

Strings

Unknown exception, xrefs: 00710692

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 14fe580ea54b128606d239b101dc2a2b6e8b0cf61e2d679af51cfd43eabefc63
Instruction ID: 3ff082557eb870f3e78328d944c1df3c4a747753a38f45c0d2c85532e193c835
Opcode Fuzzy Hash: 14fe580ea54b128606d239b101dc2a2b6e8b0cf61e2d679af51cfd43eabefc63
Instruction Fuzzy Hash: 8DF02234A0020CF7CB04B6ACD85ADDE77AC6E00314B604131F824928D2EFBDDAEAC6C0

Function 006F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Part of subcall function 006F1B4A: RegisterWindowMessageW.USER32(00000004,?,006F12C4), ref: 006F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006F136A
OleInitialize.OLE32 ref: 006F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007324AB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction ID: 6d70cc0456171961539d02c42d86215f0f846c678b6175362f2ca123c132296d
Opcode Fuzzy Hash: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction Fuzzy Hash: F671A9B49152448E8388EF79B855E653BE1AB8B3903D4C27ED50AC7363EB3C85218F5C

Function 0075C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0075C259
KillTimer.USER32(?,00000001,?,?), ref: 0075C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075C270

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction ID: bf8217b8e7f97210d7b851ddb419a0a5e4c217dd5d7e27902e80d94fd2331347
Opcode Fuzzy Hash: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction Fuzzy Hash: D531D970904344AFEB338F648855BE7BBECAF06305F00449DD6DA97241C7B85A88CB55

Function 007286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007285CC,?,007B8CC8,0000000C), ref: 00728704
GetLastError.KERNEL32(?,007285CC,?,007B8CC8,0000000C), ref: 0072870E
__dosmaperr.LIBCMT ref: 00728739

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction ID: 78f0b26da4a3fdfa55ff383634b7d4d3781b1adbca27e3acfb2c282a2f37d0b9
Opcode Fuzzy Hash: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction Fuzzy Hash: 50018932A07230A6D2A0A334B84DB7E27494B82778F39411DF8148B1D3DEBECC818292

Function 006FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006FDB7B
DispatchMessageW.USER32(?), ref: 006FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006FDB9F
Sleep.KERNELBASE(0000000A), ref: 006FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00741CC9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction ID: 3992c808abeaa52968c3b651923552ca7c461b7eb7cb759349eff1a9923b13f5
Opcode Fuzzy Hash: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction Fuzzy Hash: F4F054306443459BE730DB608C89FEA73A9EB45350F508A28E619C30D0DB38A4849B29

Function 00701310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007017F6

Strings

CALL, xrefs: 007017C6

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a2cda54a6a91c944e6985a9c5f6706c3bd3e11c36e0a96b6acf91c51adb50d41
Instruction ID: f0fb413540be04d3ae5303bf0c7f50742ac210e515c0182aedb3b6ba8cde1755
Opcode Fuzzy Hash: a2cda54a6a91c944e6985a9c5f6706c3bd3e11c36e0a96b6acf91c51adb50d41
Instruction Fuzzy Hash: 76229B70608241DFC714DF14C884A2ABBF1BF85314F548A6DF4968B3A2D77AE951CB92

Function 006F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction ID: b076c5f99da09a3f395cb3310365c06473dd5ab22949947a05f8b9c13ff470f0
Opcode Fuzzy Hash: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction Fuzzy Hash: 7531B1705043449FD721DF24D884BE7BBE8FB49748F00492EFA9983341E7B9AA44CB56

Function 0070F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070F661

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

Sleep.KERNEL32(00000000), ref: 0074F2DE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction ID: 192a172e0c1c9b7921cacc8387b441db4d7cf94cfdb0efdbc49a6e2f7ff85665
Opcode Fuzzy Hash: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction Fuzzy Hash: 5EF08C312802099FD350EF69D459B6AB7EAFF46760F00402AE959C72A0DB74B800CBA8

Function 006F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
Part of subcall function 006F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
Part of subcall function 006F4E90: FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EFD

Part of subcall function 006F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
Part of subcall function 006F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
Part of subcall function 006F4E59: FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction ID: 4f6d9a5912f484d799da3136ebcbd1eebd5e5f03e4ef5c397744da33d1af0555
Opcode Fuzzy Hash: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction Fuzzy Hash: 4811E731610209ABDB24FB64DC07FBE77A6AF80710F10842DF646A65C1DE749E459764

Function 00728402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00728440

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction ID: a8dfe66e76d78645882cc718ea8104d1e3e4ab3258c9ba3828d65bdc59e67ad5
Opcode Fuzzy Hash: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction Fuzzy Hash: 3211187590410AEFCB05DF58E94599A7BF5EF48314F144059F808AB312DB35EA21CBA5

Function 00725000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00724C7D: RtlAllocateHeap.NTDLL(00000008,006F1129,00000000,?,00722E29,00000001,00000364,?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?), ref: 00724CBE

_free.LIBCMT ref: 0072506C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 661d3316837a932e49c2e861c7da457006271b4c86c897509d0c619b5636a669
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CD014972204714ABE3318F69EC85A5AFBECFB89370F65061DE184932C0EA34A805C7B4

Function 0071E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 89d35c641f45834f52d01ccadfd0ada6d12470f7817bdf94f8a339b99201c9b3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3FF02D32511A20EBC7313E6D9C0DBDA33A89F52330F100715FD21931D2CB7CE88289A6

Function 00724C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006F1129,00000000,?,00722E29,00000001,00000364,?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?), ref: 00724CBE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8d5c020f1db0aa62e8aa598f820cc8649e6665d8c7565ef09660a26da68e5504
Instruction ID: fbeb9fe61937e281a508d7987d89aef227a2cb7648b180479fd804b07e348b54
Opcode Fuzzy Hash: 8d5c020f1db0aa62e8aa598f820cc8649e6665d8c7565ef09660a26da68e5504
Instruction Fuzzy Hash: 26F0E932602234A7DB315F6EFC09F9A3788BF41BA0B148125F815A62C1CA7CDC8186F0

Function 00723820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction ID: 00fb8e42888eb6fc247f1e28535fa7fe42c80cb8513aff4843af31f4894709a6
Opcode Fuzzy Hash: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction Fuzzy Hash: 93E0E5331002349AE721266ABC09BDA3759AB42FB0F160026FD059A5C1CB2DDD0182F0

Function 006F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4F6D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction ID: 5e81bb97224f6cd6d6b310e92864c2c032c2a0becbe783af9c79aa87731597ea
Opcode Fuzzy Hash: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction Fuzzy Hash: E9F03071506755CFDB349F68D494863B7E6BF54329320C97EE2DE82A21CB319884DF10

Function 00782A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00782A66

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction ID: 4e9cafbbc2bc0a8473f16809b829ed518cb251becfaf3a2e65b3e02cb0a071f9
Opcode Fuzzy Hash: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction Fuzzy Hash: EAE04F7639011AAAC718FB30DC888FA735CEF503967108536AC2AC2111EB38999687A0

Function 006F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction ID: e2cfade92d782b7e5d68521b068452be8167d34505292cf7f15ebddd9c4242d7
Opcode Fuzzy Hash: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction Fuzzy Hash: 55F0A7709003589FE752DB24DC49BD57BBCB70170CF0040E9A64896283D7784798CF55

Function 006F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction ID: 8646eb9d05ec5e4f82dfabc3c5fd303199abb9500026e1ce3017d3e535a4bd62
Opcode Fuzzy Hash: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction Fuzzy Hash: BCE0CD726001245BD7119258DC05FEA77DDDFC8790F044075FD09D7248D974AD808654

Function 006F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction ID: 0a2a1430e74186a31e279ce161757eba35f902e487869157281d9aecf88536da
Opcode Fuzzy Hash: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction Fuzzy Hash: 07E0263130425C02CA48BB3498129BDA34BCBD2392F80143EF34243263CE288645432A

Function 0073039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction ID: 417a8fe82aa286ef05461d616f921cae280ab48bece95c43877f64a9f0850ea5
Opcode Fuzzy Hash: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction Fuzzy Hash: E2D06C3204010DBBDF028F84DD4AEDA3BAAFB48714F118000BE1856020C736E821AB94

Function 006F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006F1CBC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction ID: 2ac375eb8d8debe194e5de060c1e98905746a755dcfb8cf1efb39f741a6144b0
Opcode Fuzzy Hash: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction Fuzzy Hash: ADC09B352C03049FF6155780BC5AF117754A348B04F64C005F609555E3C3F51431D758

Non-executed Functions

Function 00789576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0078961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0078965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0078969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007896C9
SendMessageW.USER32 ref: 007896F2
GetKeyState.USER32(00000011), ref: 0078978B
GetKeyState.USER32(00000009), ref: 00789798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007897AE
GetKeyState.USER32(00000010), ref: 007897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007897E9
SendMessageW.USER32 ref: 00789810
SendMessageW.USER32(?,00001030,?,00787E95), ref: 00789918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0078992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00789941
SetCapture.USER32(?), ref: 0078994A
ClientToScreen.USER32(?,?), ref: 007899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007899D6
ReleaseCapture.USER32 ref: 007899E1
GetCursorPos.USER32(?), ref: 00789A19
ScreenToClient.USER32(?,?), ref: 00789A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789A80
SendMessageW.USER32 ref: 00789AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789AEB
SendMessageW.USER32 ref: 00789B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00789B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00789B4A
GetCursorPos.USER32(?), ref: 00789B68
ScreenToClient.USER32(?,?), ref: 00789B75
GetParent.USER32(?), ref: 00789B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789BFA
SendMessageW.USER32 ref: 00789C2B
ClientToScreen.USER32(?,?), ref: 00789C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00789CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789CDE
SendMessageW.USER32 ref: 00789D01
ClientToScreen.USER32(?,?), ref: 00789D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00789D82

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetWindowLongW.USER32(?,000000F0), ref: 00789E05

Strings

F, xrefs: 00789D07
p#|, xrefs: 00789990
@GUI_DRAGID, xrefs: 0078997D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#|
API String ID: 3429851547-2998581402
Opcode ID: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction ID: 391cc37cd13a00ab3ccd0a427f083d52df191fef17a394b400b31840b8bb8476
Opcode Fuzzy Hash: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction Fuzzy Hash: 17428A70244240EFDB25EF24CC44EBABBE5EF49310F18466DF699872A1E739E850CB55

Function 00784873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00784908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00784927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0078494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0078495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0078497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00784A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A7E
IsMenu.USER32(?), ref: 00784A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784B20
GetWindowLongW.USER32(?,000000F0), ref: 00784B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00784BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00784C82
wsprintfW.USER32 ref: 00784CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00784D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784D5A

Strings

%d/%02d/%02d, xrefs: 00784CA8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 48f1d981a24750a0037656c68e3b4171dce065973bc0ffead5b00c8db9a978bd
Instruction ID: e92870cfc897ca186c64f31cbde98abd1c3615df21439a9765147f37726b5e1b
Opcode Fuzzy Hash: 48f1d981a24750a0037656c68e3b4171dce065973bc0ffead5b00c8db9a978bd
Instruction Fuzzy Hash: 19121071680255ABEB25AF28CC49FAE7BF8FF44310F144169F515DB2E1DBB89940CB60

Function 0070F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0070F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074F474
IsIconic.USER32(00000000), ref: 0074F47D
ShowWindow.USER32(00000000,00000009), ref: 0074F48A
SetForegroundWindow.USER32(00000000), ref: 0074F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4AA
GetCurrentThreadId.KERNEL32 ref: 0074F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0074F4DE
SetForegroundWindow.USER32(00000000), ref: 0074F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F4F6
keybd_event.USER32(00000012,00000000), ref: 0074F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F50B
keybd_event.USER32(00000012,00000000), ref: 0074F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F519
keybd_event.USER32(00000012,00000000), ref: 0074F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F528
keybd_event.USER32(00000012,00000000), ref: 0074F52D
SetForegroundWindow.USER32(00000000), ref: 0074F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0074F557

Strings

Shell_TrayWnd, xrefs: 0074F46F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction ID: 9a15fe23ea14f96198f41597f367b180c1770884184518e40bb36ce34b1f39d9
Opcode Fuzzy Hash: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction Fuzzy Hash: CD317471B80218BBEB216BB55C4AFBF7E6CEB44B50F204065F601E61D1D7B85D10AB74

Function 00751201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00751286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007512A8
CloseHandle.KERNEL32(?), ref: 007512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007512D1
GetProcessWindowStation.USER32 ref: 007512EA
SetProcessWindowStation.USER32(00000000), ref: 007512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00751310

Part of subcall function 007510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
Part of subcall function 007510BF: CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Strings

default, xrefs: 0075130B
, xrefs: 0075125A
Z{, xrefs: 00751392
winsta0, xrefs: 007512CC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z{
API String ID: 22674027-874364712
Opcode ID: c7a65091374cb8c05905417d867efe8d4f40ff94f3495149bbcf899939ac2da6
Instruction ID: 245574a88036ff71d3641f2656f19fe3a08682fa984146c00da1fa51475ce9f5
Opcode Fuzzy Hash: c7a65091374cb8c05905417d867efe8d4f40ff94f3495149bbcf899939ac2da6
Instruction Fuzzy Hash: 3E819B71A00249AFDF219FA4DC49FEE7BB9EF04706F148129FD10A61A0D7B98949CB64

Function 00750B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750C00
GetLengthSid.ADVAPI32(?), ref: 00750C17
GetAce.ADVAPI32(?,00000000,?), ref: 00750C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750C6D
GetLengthSid.ADVAPI32(?), ref: 00750C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750C8C
HeapAlloc.KERNEL32(00000000), ref: 00750C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750CB4
CopySid.ADVAPI32(00000000), ref: 00750CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D45
HeapFree.KERNEL32(00000000), ref: 00750D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D55
HeapFree.KERNEL32(00000000), ref: 00750D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D65
HeapFree.KERNEL32(00000000), ref: 00750D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00750D78
HeapFree.KERNEL32(00000000), ref: 00750D7F

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction ID: 185483a9b0fa871c2bce86a78c8aac2766bd16635e6d9c2c89f5e93bd7a63ff1
Opcode Fuzzy Hash: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction Fuzzy Hash: 72715D71A0020AABDF11DFE4DC49FEEBBB8BF05341F148515ED14A6191D7B9A909CBB0

Function 0076EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0078CC08), ref: 0076EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0076EB37
GetClipboardData.USER32(0000000D), ref: 0076EB43
CloseClipboard.USER32 ref: 0076EB4F
GlobalLock.KERNEL32(00000000), ref: 0076EB87
CloseClipboard.USER32 ref: 0076EB91
GlobalUnlock.KERNEL32(00000000), ref: 0076EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0076EBC9
GetClipboardData.USER32(00000001), ref: 0076EBD1
GlobalLock.KERNEL32(00000000), ref: 0076EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0076EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0076EC38
GetClipboardData.USER32(0000000F), ref: 0076EC44
GlobalLock.KERNEL32(00000000), ref: 0076EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0076EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0076ECF3
CountClipboardFormats.USER32 ref: 0076ED14
CloseClipboard.USER32 ref: 0076ED59

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction ID: 4404d7f34f2237ee630e3336d7ba97201f6038773100f548b5fa0cb4050f9fec
Opcode Fuzzy Hash: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction Fuzzy Hash: AA6101782042059FD301EF20D888F3A77A4AF84744F28851DF95B872A2DB39DD05CBB6

Function 0076698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007669BE
FindClose.KERNEL32(00000000), ref: 00766A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A75

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00766AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00766ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00766B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00766B32
%4d, xrefs: 00766BB1
%02d, xrefs: 00766C00, 00766C0A, 00766C5A, 00766CAA, 00766CFA, 00766D4A
%03d, xrefs: 00766DA2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction ID: d1c0e1b93ae42a96693c7a46fd13f79c360aae7c7898552e2dfb932ae4de7967
Opcode Fuzzy Hash: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction Fuzzy Hash: 0BD160B2508344AFC354EBA4C885EBBB7EDAF88704F44491DF685C6191EB38DA04CB62

Function 00769642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00769663
GetFileAttributesW.KERNEL32(?), ref: 007696A1
SetFileAttributesW.KERNEL32(?,?), ref: 007696BB
FindNextFileW.KERNEL32(00000000,?), ref: 007696D3
FindClose.KERNEL32(00000000), ref: 007696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0076974A
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 00769768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00769772
FindClose.KERNEL32(00000000), ref: 0076977F
FindClose.KERNEL32(00000000), ref: 0076978F

Strings

*.*, xrefs: 007696F5

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction ID: 4e262bc9e429f572775f87dd016ed5c6afbf1ee16df3399eb358d5345393d915
Opcode Fuzzy Hash: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction Fuzzy Hash: 2A31B572540219AEDF15AFB4EC49AEE77ACAF49320F208165FA16E20D0DB3CDD44CB24

Function 0076979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00769819
FindClose.KERNEL32(00000000), ref: 00769824
FindFirstFileW.KERNEL32(*.*,?), ref: 00769840
SetCurrentDirectoryW.KERNEL32(?), ref: 00769890
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 007698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007698B8
FindClose.KERNEL32(00000000), ref: 007698C5
FindClose.KERNEL32(00000000), ref: 007698D5

Part of subcall function 0075DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0075DB00

Strings

*.*, xrefs: 0076983B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction ID: 3b7ea4a954050bdb0877674eae8f3e2dc657391f0a8d63cf0c78d54e144dcfea
Opcode Fuzzy Hash: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction Fuzzy Hash: 1031C77254021AAADF15AFB4DC48ADE77ACAF46320F208155EE11A30D0DB3CDD85CB64

Function 0077BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0077BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0077BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0077C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0077C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077C382
RegCloseKey.ADVAPI32(00000000), ref: 0077C38F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 52c7a78c432ab1630f0bb27d0056f1331c19c931dff643d32506d3a28ce09e4e
Instruction ID: 6599e65ff68f993805badaf388c1717feebf6e3da91991f5be4cd8c61c6d25e9
Opcode Fuzzy Hash: 52c7a78c432ab1630f0bb27d0056f1331c19c931dff643d32506d3a28ce09e4e
Instruction Fuzzy Hash: B0027071604200AFDB15CF24C895E2ABBE5EF89358F18C49DF84ADB2A2D735EC45CB52

Function 00768195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00768257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00768267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00768273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00768310
SetCurrentDirectoryW.KERNEL32(?), ref: 00768324
SetCurrentDirectoryW.KERNEL32(?), ref: 00768356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0076838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00768395

Strings

*.*, xrefs: 0076839B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction ID: 6966f23882d20f9d7347539d527305490eda45d06f292df4d47f0d6bbb41735d
Opcode Fuzzy Hash: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction Fuzzy Hash: A8618DB25043099FCB50EF64C8449AEB3E9FF89310F04891DFA8AC7251DB39E945CB96

Function 0075D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0075D1DD
MoveFileW.KERNEL32(?,?), ref: 0075D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D237

Part of subcall function 0075D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0075D21C,?,?), ref: 0075D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0075D253
FindClose.KERNEL32(00000000), ref: 0075D264

Strings

\*.*, xrefs: 0075D0CD, 0075D0D6, 0075D0EB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction ID: ef9c61889bef9c79f82f29c517a78333ba6bee415b301c4c676ed8127da2a322
Opcode Fuzzy Hash: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction Fuzzy Hash: 8861AD3180511D9BCF25EBE0C9929FDB7B6AF15301F204169E90277291EB786F0DCB64

Function 0076ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0076ED91
EmptyClipboard.USER32 ref: 0076ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0076EDAC
CloseClipboard.USER32 ref: 0076EEA3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction ID: bc9576be86d27f0f733062295de579ceb024eb41510a00384b4d4f4a0ee410cf
Opcode Fuzzy Hash: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction Fuzzy Hash: 864182356046119FE711DF15D848F19BBE5FF44328F24C09DE8168BAA2D77AEC41CBA4

Function 0075E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

ExitWindowsEx.USER32(?,00000000), ref: 0075E932

Strings

, xrefs: 0075E95C
, xrefs: 0075E920
SeShutdownPrivilege, xrefs: 0075E902
@, xrefs: 0075E925

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction ID: 8372db146b15fc07f741e701f1968cb17ad9d9037ed44f986237ce8b16ce0009
Opcode Fuzzy Hash: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction Fuzzy Hash: F5012B72A10210ABEB182674AC8AFFF725CDB04743F254422FC03E20D1D7EC6D4882A5

Function 00771204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00771276
WSAGetLastError.WSOCK32 ref: 00771283
bind.WSOCK32(00000000,?,00000010), ref: 007712BA
WSAGetLastError.WSOCK32 ref: 007712C5
closesocket.WSOCK32(00000000), ref: 007712F4
listen.WSOCK32(00000000,00000005), ref: 00771303
WSAGetLastError.WSOCK32 ref: 0077130D
closesocket.WSOCK32(00000000), ref: 0077133C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction ID: e6099ecf034785d0af87bd3b67bd56c3a2d92b192ef014f5842178ff30b7a14d
Opcode Fuzzy Hash: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction Fuzzy Hash: F44183316001009FDB10DF68C498B29BBE6BF46358F68C198D95A9F293C779ED85CBE1

Function 0072B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0072B9D4
_free.LIBCMT ref: 0072B9F8
_free.LIBCMT ref: 0072BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00793700), ref: 0072BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0072BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007C1270,000000FF,?,0000003F,00000000,?), ref: 0072BC36
_free.LIBCMT ref: 0072BD4B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 868f4087cda2567060c0dd5f6392d206bbb618cb713c33fcd05f06fc32e5c059
Instruction ID: 229ed9a17a98a9a451b1b3719cafe0c608c888460a844d72e6b14717851a9821
Opcode Fuzzy Hash: 868f4087cda2567060c0dd5f6392d206bbb618cb713c33fcd05f06fc32e5c059
Instruction Fuzzy Hash: 03C13B71A04225EFCB20DF78AC45BAE7BB9EF46310F5481AEE491D7252D7389E41C750

Function 0075D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D481
FindClose.KERNEL32(00000000), ref: 0075D498
FindClose.KERNEL32(00000000), ref: 0075D4A1

Strings

\*.*, xrefs: 0075D3F2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction ID: 031cb8306a2e121ab9cfe66d4bb7da1c7f7890ee2746d58081a72a9dc151bf88
Opcode Fuzzy Hash: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction Fuzzy Hash: EA318D710083899BC225EF64C8918BFB7E9BE91341F404A1DF9D592291EB74AE0D8767

Function 0072E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0072E645

Strings

1#QNAN, xrefs: 0072F84B
1#INF, xrefs: 0072F852
1#IND, xrefs: 0072F83D
1#SNAN, xrefs: 0072F844

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction ID: e3d3907dfb85b903ca39f63b230aa840d37dc49aff41b9d666b6541c021c3a14
Opcode Fuzzy Hash: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction Fuzzy Hash: 18C22B72E046288FDB25CE28ED447EAB7B5EB49305F1541EAD84DE7241E778AE818F40

Function 0076648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007664DC
CoInitialize.OLE32(00000000), ref: 00766639
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 00766650
CoUninitialize.OLE32 ref: 007668D4

Strings

.lnk, xrefs: 007664BA, 00766524, 007665E0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction ID: 0dcf667158a03ae67e46dbaaafaa20a3d27080d1a1d3cfa194faad14f4b01ae4
Opcode Fuzzy Hash: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction Fuzzy Hash: ABD14B715083059FC314EF24C881A6BB7E9FF94704F50496DF6968B2A2EB70ED05CBA6

Function 007722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007722E8

Part of subcall function 0076E4EC: GetWindowRect.USER32(?,?), ref: 0076E504

GetDesktopWindow.USER32 ref: 00772312
GetWindowRect.USER32(00000000), ref: 00772319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00772355
GetCursorPos.USER32(?), ref: 00772381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007723DF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction ID: a32b034916f33f58c61e9ba03bc726c63390cf88ff098c09b19010078ac193f5
Opcode Fuzzy Hash: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction Fuzzy Hash: 413104721043059FCB20DF14D848F9BBBE9FF84354F104919F99997182DB38EA09CBA2

Function 00769B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00769B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00769C8B

Part of subcall function 00763874: GetInputState.USER32 ref: 007638CB
Part of subcall function 00763874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00769BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00769C75

Strings

*.*, xrefs: 00769B5D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction ID: c4051c243f947cb6d34c517dd0e654399f72c883632f1d4e5610bbcacd317711
Opcode Fuzzy Hash: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction Fuzzy Hash: 954180B194421A9FCF55DF64C989AEEBBB9EF05310F204059F906A2191EB389E84CF64

Function 0070997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00709A4E
GetSysColor.USER32(0000000F), ref: 00709B23
SetBkColor.GDI32(?,00000000), ref: 00709B36

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction ID: 8e48776cd0c3e488f3ab629538a606b2a39ef6991e10fff6a013babdafe79fba
Opcode Fuzzy Hash: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction Fuzzy Hash: 92A106B0209444FEE729AA2C8C8DE7B3ADDDB86350B558319F612D69D3CB2D9D01C376

Function 00771806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0077185D
WSAGetLastError.WSOCK32 ref: 00771884
bind.WSOCK32(00000000,?,00000010), ref: 007718DB
WSAGetLastError.WSOCK32 ref: 007718E6
closesocket.WSOCK32(00000000), ref: 00771915

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction ID: 24c93251120ff6210d421b816d9aa475b7c9d25fd6f9be4660c93a3b930a20f9
Opcode Fuzzy Hash: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction Fuzzy Hash: 2A51B371A402049FDB10AF24C886F3A77E6AB45728F54C45CFA095F3C3C775AD418BA5

Function 00781C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00781CC0
IsWindowEnabled.USER32 ref: 00781CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00781CDB
IsIconic.USER32 ref: 00781CE9
IsZoomed.USER32 ref: 00781CF7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction ID: 6be39a0c512a095129c42b0d68a1772c7272aec84622dc2cf20c5a0f537d8d4e
Opcode Fuzzy Hash: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction Fuzzy Hash: 9721D6317C02015FD721AF1AC844B267BA9EF85325B598068E845CB352D779DC43CBA4

Function 006F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00735DF0
VUUU, xrefs: 006F83E8
ERCP, xrefs: 006F813C
VUUU, xrefs: 006F83FA
VUUU, xrefs: 006F843C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction ID: 51d157787780522fc46dedbb13c82e8670b6a9f5551586503b4d9319a3b0b9cf
Opcode Fuzzy Hash: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction Fuzzy Hash: DEA25E71A0061ECFEF24CF58C8417BEB7B2BB54314F2485A9D915AB286EB749D81CB90

Function 00758298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007582AA

Strings

|, xrefs: 007582DA
(, xrefs: 007582F0
tb{, xrefs: 007584F4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb{$|
API String ID: 1659193697-2424425762
Opcode ID: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction ID: d6fd577f1fd255f5104dcd2a5b53bc4fe6395b4ed12bb0fcab4c6a4da3222669
Opcode Fuzzy Hash: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction Fuzzy Hash: 3F323975A00605DFC768CF59C0819AAB7F0FF48710B15C56EE89AEB3A1EB74E941CB40

Function 0075AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0075AAAC
SetKeyboardState.USER32(00000080), ref: 0075AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0075AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0075AB88

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction ID: 073cd4af78875cb7496392593274f760d11e960e1b9150c215b9d2b10a660f01
Opcode Fuzzy Hash: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction Fuzzy Hash: E231FCB0A40248BEFF358A64CC05BFA77A6AB44312F14433BF981565D1D3BD8989C7E6

Function 0076CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0076CE89
GetLastError.KERNEL32(?,00000000), ref: 0076CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0076CEFE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction ID: f10b1a183c64d82cebf25dacf6613ded5936a87948b403cb8022de6755ef7c3d
Opcode Fuzzy Hash: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction Fuzzy Hash: C721B0B25003059BE732DF65C948BA6B7FCEB10314F10841EEA87D2191E779EE44CB64

Function 00765C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00765CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00765D17
FindClose.KERNEL32(?), ref: 00765D5F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction ID: 0e15442345051acab69c67550e155aefb70d81de10d14f58c0d78ca5149fd965
Opcode Fuzzy Hash: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction Fuzzy Hash: 29519974704A019FC714CF28C4D4AAAB7E4FF49324F14855EE99A8B3A2CB34ED44CBA1

Function 00722622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0072271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00722724
UnhandledExceptionFilter.KERNEL32(?), ref: 00722731

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction ID: 5bf8273e004ac992a457038b1850a035939794ff1999e44467df463e49ee43e4
Opcode Fuzzy Hash: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction Fuzzy Hash: FF31D77494122CABCB21DF68DC897DDBBB8AF08310F5081DAE41CA72A1E7749F818F45

Function 007651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00765238
SetErrorMode.KERNEL32(00000000), ref: 007652A1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction ID: fcba2fda55c32763ccf7f9d6f138a2743949c58ebbabca00a073281fe5adad3b
Opcode Fuzzy Hash: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction Fuzzy Hash: D1316B75A00508DFDB00DF54D888EADBBB5FF48314F188099E905AB3A2CB35E846CBA0

Function 007516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710668
Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
GetLastError.KERNEL32 ref: 0075174A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0a4ed9286fe0da33be1912694caecdba7fd5cd3433de07c403ed3c384d3e2d26
Instruction ID: a8acd766461cde6dd45ae41ddc78bc026ed034f7e73a709d2f7bdf15e303f7bb
Opcode Fuzzy Hash: 0a4ed9286fe0da33be1912694caecdba7fd5cd3433de07c403ed3c384d3e2d26
Instruction Fuzzy Hash: 411101B2500304EFD7289F64EC86EABB7F9EB44711B20852EE45653681EB78BC418B20

Function 0075D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0075D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D650

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction ID: 59044493744779d3752fbd3e751ee06c6e3aedf93ddbe045716990b4b6e02f26
Opcode Fuzzy Hash: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction Fuzzy Hash: 36117C71E01228BBDB208F949C48FAFBBBCEB45B50F108111F904E7290C2B44A058BA1

Function 00751663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0075168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007516A1
FreeSid.ADVAPI32(?), ref: 007516B1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction ID: 799be79c4c61676ae9308c147a5fd6a2315ae5f9bfd06efc2f66066beb8b12b8
Opcode Fuzzy Hash: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction Fuzzy Hash: CFF04971940308FBDB00CFE09C89EAEBBBCEB04241F504460E500E2180D774AA048B64

Function 0072C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0072C36C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 56e702dbf4899789a78318ae031c6ee28211b280dc9d5f527be2f42fd3235810
Instruction ID: 50035a5f0a1c7c43a984b297a5a07a5194c820441f0fd803bdac463f427bc422
Opcode Fuzzy Hash: 56e702dbf4899789a78318ae031c6ee28211b280dc9d5f527be2f42fd3235810
Instruction Fuzzy Hash: C3412A72500229ABCB20DFB9EC49EAF77B8EB94354F104669F905D7181E6749D818B50

Function 0074D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0074D28C

Strings

X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction ID: 02aa5243219dbabb5daaf2508a65863e7fc47346bd269a1ba14c2470b70157d9
Opcode Fuzzy Hash: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction Fuzzy Hash: 78D0C9B480111DEBCBA0CB90DC88DD9B3BCBB04345F104251F106A2140D77899488F20

Function 0071CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a784fde2932e66391fa6593ce2eb468100691ea19348762339c60e3ae029bb85
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 48024B72E402199BDF15CFADC8806EDBBF5EF48314F25816AD819EB380D734AE418B94

Function 006FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#|, xrefs: 006FCF7F
Variable is not of type 'Object'., xrefs: 00740C40

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#|
API String ID: 0-140544570
Opcode ID: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction ID: d01eeec8b42d4c7b103de8fdc97a25af08f397a9beeb8b2638a010f7c62bb072
Opcode Fuzzy Hash: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction Fuzzy Hash: 55328D7090021CDFCF14DF94CA95AFDB7B6BF05314F148059EA06AB292D779AD46CBA0

Function 007668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00766918
FindClose.KERNEL32(00000000), ref: 00766961

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction ID: 946586fbf5d891cbf882aafd5d0fc2684294cb645e6391514f2d02595fb78898
Opcode Fuzzy Hash: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction Fuzzy Hash: AF11D0316042059FD710CF29C484A26BBE5FF84328F54C69DE86A8F2A2CB34EC05CB90

Function 007637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637F4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction ID: 46d4d1bac44366ae50372ed912194b3b33dc3458729e757cc6e1ce58dd98935c
Opcode Fuzzy Hash: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction Fuzzy Hash: D0F0E5B06052296AE72017769C8DFEB3BAEEFC4761F000265F509D2281D9749904C7B4

Function 0075B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0075B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0075B270

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction ID: dbe7bb4b0b8816c845003aed18cff498e1e8ceec8dd7106588717e00d8123309
Opcode Fuzzy Hash: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction Fuzzy Hash: CAF01D7184428DABDF059FA0C805BFE7BB4FF08305F10C009F955A5191C77D86159FA4

Function 007510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b6c64a5348d27d9ec4099061c1c1951ced0f879bf5958ae8d899fc514146043d
Instruction ID: 52a08e18ee6b74f55ae8786dd88e28ddb965372eeb77f812890c4c6af4894243
Opcode Fuzzy Hash: b6c64a5348d27d9ec4099061c1c1951ced0f879bf5958ae8d899fc514146043d
Instruction Fuzzy Hash: 8AE04F32004600EEE7262B61FC09E7377E9EB04311B20C92DF4A5808F1DB76AC90DB64

Function 0072676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00726766,?,?,00000008,?,?,0072FEFE,00000000), ref: 00726998

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction ID: 91d3b1df60aad6147dc9de3d94ed8f0737ddaffeebbe5b29866f539f06fed5d8
Opcode Fuzzy Hash: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction Fuzzy Hash: 51B148316106189FD719CF28D48AB657BA0FF05364F25C69AE8D9CF2A2C739E981CB40

Function 0070B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0074851F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction ID: 5e88f9de49730de69faf2a7de7a68e0142094b836f3f58ece2115c2b80dc3968
Opcode Fuzzy Hash: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction Fuzzy Hash: 8A124071900229DFDB54CF58C881AEEB7F5FF48710F14819AE849EB295DB389E81CB91

Function 0076EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0076EABD

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction ID: a05868667fbddac56f579678e69aee6dd9d0fa2de95856abc2dd87c5a49d911e
Opcode Fuzzy Hash: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction Fuzzy Hash: 2AE04F352002089FC710EF99D844EAAF7EAAF98770F10C42AFD4AC7351DB74E8408BA4

Function 007109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007103EE), ref: 007109DA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction ID: 904296e70eab61751267da4243684bd7227597b102c653e16a97a5edd82e2cdf
Opcode Fuzzy Hash: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction Fuzzy Hash:

Function 0071781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0071798B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5b141596717b04cbeca30450a2fb426da03f5e764549d8829c8621b5e6f8cda2
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DE515AB160C7459BDB3C456C889E7FE63B99B12340F180509E882DB2C2C61DEECAD356

Function 00762046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&|, xrefs: 00762053

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0&|
API String ID: 0-1095205553
Opcode ID: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction ID: 4c39fa1226f2f874897c7de784906fef8e5a90cde67c5f74a5baf4926ed8c6d1
Opcode Fuzzy Hash: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction Fuzzy Hash: 3621D5322206158BD728CF79C82267A73E5A754310F14862EE4A7D37D1DE3EA905CB94

Function 00726DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction ID: 1eec1fa6f4d6a65e187051957936a749c5ffa8745bf7c3b02ea72e8ba241647d
Opcode Fuzzy Hash: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction Fuzzy Hash: E3325721D29F514DD727A635ED62335A289AFB73C5F15C337F81AB59AAEB2CC4838100

Function 0070CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction ID: ade38043bbb61fe05644ea87c892396dea8e9e2b81539dd518de3ce22f549491
Opcode Fuzzy Hash: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction Fuzzy Hash: AB322431B02115CBEF6ACF28C4D067E77E1EB45304F29866AD44A9B292E73CDD81DB61

Function 006F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1daf8c168dc21ce4a1621451a2d9a9a379221338ad982eedcae17514c3c853
Instruction ID: e4fd4e029b0f3187815befbf3a6d5e5e239febc050153fd63d8e0676303c0ae9
Opcode Fuzzy Hash: cd1daf8c168dc21ce4a1621451a2d9a9a379221338ad982eedcae17514c3c853
Instruction Fuzzy Hash: 6F2290B0A04609DFDF14CFA4C881AFEB7F6FF44300F144629E916A7291EB39A955CB54

Function 006F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afe86c5eb220aab24a08ccf4c0df498c59c0171adff212976558c535e0ae23a
Instruction ID: 05b66eafda1619f997a29fe017104e8dc38ecaac20a5c0664cc4bea33bd06559
Opcode Fuzzy Hash: 4afe86c5eb220aab24a08ccf4c0df498c59c0171adff212976558c535e0ae23a
Instruction Fuzzy Hash: EE02B4B1A00209EBDF14DF64D881BAEB7B2FF44300F118169E9169B3D1EB35AE51CB95

Function 00729EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction ID: 77a2de8879f3c632e4e8d010829035629ec0413e7c1c46c3d7765211db2467ff
Opcode Fuzzy Hash: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction Fuzzy Hash: 4AB12320D6AF505DD72396398831336B65CAFBB6D5F91D31BFC2A74D22EB2686834140

Function 00711C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 87558c01b2c2096b0eaa61ed1fe254848871f534a2894b163aa6ec7fb4fd5f27
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6F91AA722080E34ADB2D467E94340BEFFE15A923A235A079DD5F2CF1C5FE18D998D620

Function 007119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 32f8ddb0aa0125807037b8225808e58753f24e5817b7bdbea925e78d1cb81e86
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D591A37220D0E34ADB2D427E84740BDFFE15A923A135A479ED5F2CE1C1FD28D5A4D620

Function 00717A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction ID: 65a1f723822b0c915a2c774eb89ee040b6101187353bd43d5ee6017fcdd77e7d
Opcode Fuzzy Hash: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction Fuzzy Hash: 9E6118B160C74996DB3C5A2C8995BFE63B9DF41700F244919E842DB2C1DB1DDEC2C396

Function 00717CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction ID: ee5e4d417bb9930c0e04b40094fd9cb68a10fac1bb928fd1240112bc2e06386a
Opcode Fuzzy Hash: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction Fuzzy Hash: A461467130C60D96DB3C4A2C6896BFE23F49F42704F104959E9C2DB2C1DA1EEDC6C256

Function 00711706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 74e2377194124575f37d05107b23843174a73c9973cd779d81f9868402ac1a52
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 118163726090E30DDB6D823E85344BEFFE15A923B135A479DD5F2CE1C1EE289694E620

Function 00772ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00772B30
DeleteObject.GDI32(00000000), ref: 00772B43
DestroyWindow.USER32 ref: 00772B52
GetDesktopWindow.USER32 ref: 00772B6D
GetWindowRect.USER32(00000000), ref: 00772B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00772CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00772CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772CF8
GetClientRect.USER32(00000000,?), ref: 00772D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00772D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D80
GlobalLock.KERNEL32(00000000), ref: 00772D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D98
GlobalUnlock.KERNEL32(00000000), ref: 00772DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DA8
GlobalFree.KERNEL32(00000000), ref: 00772DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0078FC38,00000000), ref: 00772DDB
GlobalFree.KERNEL32(00000000), ref: 00772DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00772E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00772E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0077303F

Strings

, xrefs: 00772FC5
AutoIt v3, xrefs: 00772CF2
DISPLAY, xrefs: 00772EA2
static, xrefs: 00772D3A, 00772E91

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction ID: 9824b90020045b80b193656a953e2cb58b8aaee30b6222d37baaccd9ed0afbe5
Opcode Fuzzy Hash: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction Fuzzy Hash: 39027F71900208AFDB15DF64CC89EAE7BB9FF49350F108158F915AB2A1DB78ED01CB64

Function 007870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0078712F
GetSysColorBrush.USER32(0000000F), ref: 00787160
GetSysColor.USER32(0000000F), ref: 0078716C
SetBkColor.GDI32(?,000000FF), ref: 00787186
SelectObject.GDI32(?,?), ref: 00787195
InflateRect.USER32(?,000000FF,000000FF), ref: 007871C0
GetSysColor.USER32(00000010), ref: 007871C8
CreateSolidBrush.GDI32(00000000), ref: 007871CF
FrameRect.USER32(?,?,00000000), ref: 007871DE
DeleteObject.GDI32(00000000), ref: 007871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00787230
FillRect.USER32(?,?,?), ref: 00787262
GetWindowLongW.USER32(?,000000F0), ref: 00787284

Part of subcall function 007873E8: GetSysColor.USER32(00000012), ref: 00787421
Part of subcall function 007873E8: SetTextColor.GDI32(?,?), ref: 00787425
Part of subcall function 007873E8: GetSysColorBrush.USER32(0000000F), ref: 0078743B
Part of subcall function 007873E8: GetSysColor.USER32(0000000F), ref: 00787446
Part of subcall function 007873E8: GetSysColor.USER32(00000011), ref: 00787463
Part of subcall function 007873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
Part of subcall function 007873E8: SelectObject.GDI32(?,00000000), ref: 00787482
Part of subcall function 007873E8: SetBkColor.GDI32(?,00000000), ref: 0078748B
Part of subcall function 007873E8: SelectObject.GDI32(?,?), ref: 00787498
Part of subcall function 007873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
Part of subcall function 007873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
Part of subcall function 007873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: acbfb2dacbd8ef3b537d87bb4440a4a93b920c71c0048de738fd2ffeced5223d
Instruction ID: be51df0df916fac22941e5d8dbaba171575a269cf26cf59f90d650a01ab8c321
Opcode Fuzzy Hash: acbfb2dacbd8ef3b537d87bb4440a4a93b920c71c0048de738fd2ffeced5223d
Instruction Fuzzy Hash: 64A1B072448305EFDB06AF60DC48E5B7BA9FF89320F304A19F962961E1D738E944CB65

Function 00708D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00708E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00746AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00746AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00746F43

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

SendMessageW.USER32(?,00001053), ref: 00746F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00746F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FB7

Strings

0, xrefs: 00746DCF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction ID: 3a69abcf036d06a0250c2a0ddf2bce76566739300c814011aa9d292105663c80
Opcode Fuzzy Hash: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction Fuzzy Hash: AB12BE70600251DFDB25CF24C888BA5B7E1FB46300F6485A9F5958B2A2CB39EC51DFA6

Function 00772711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0077273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0077286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00772900
GetClientRect.USER32(00000000,?), ref: 0077290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00772955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00772964
GetStockObject.GDI32(00000011), ref: 00772974
SelectObject.GDI32(00000000,00000000), ref: 00772978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00772988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00772991
DeleteDC.GDI32(00000000), ref: 0077299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00772A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00772A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00772A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00772A77
GetStockObject.GDI32(00000011), ref: 00772A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00772A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00772A97

Strings

msctls_progress32, xrefs: 00772A13
AutoIt v3, xrefs: 007728F8
DISPLAY, xrefs: 0077295A
static, xrefs: 0077294F, 00772A71

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction ID: f69cf8864e50b11d122cc1b7fd95fdc7d8b10526f20625587284271bb31ee8c3
Opcode Fuzzy Hash: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction Fuzzy Hash: 5CB162B1A40209AFDB14DF68CD89FAE7BB9EB05714F108118FA15E7291D778ED40CBA4

Function 00764ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764AED
GetDriveTypeW.KERNEL32(?,0078CB68,?,\\.\,0078CC08), ref: 00764BCA
SetErrorMode.KERNEL32(00000000,0078CB68,?,\\.\,0078CC08), ref: 00764D36

Strings

1394, xrefs: 00764C9F
\\.\, xrefs: 00764B3F
SAS, xrefs: 00764CC9
RAMDisk, xrefs: 00764BF4
CDROM, xrefs: 00764BFB
SATA, xrefs: 00764CD0
MMC, xrefs: 00764CDE
RAID, xrefs: 00764CBB
ATA, xrefs: 00764C98
Network, xrefs: 00764C02
Fixed, xrefs: 00764C09
SSA, xrefs: 00764CA6
iSCSI, xrefs: 00764CC2
Fibre, xrefs: 00764CAD
Virtual, xrefs: 00764CE5
Removable, xrefs: 00764C10, 00764C15
SCSI, xrefs: 00764C8A
SSD, xrefs: 00764C4A
FileBackedVirtual, xrefs: 00764CEC
ATAPI, xrefs: 00764C91
USB, xrefs: 00764CB4
Unknown, xrefs: 00764BED, 00764C83
PhysicalDrive, xrefs: 00764B76

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction ID: a62570f7710f179d1cceceb6059f88aa7dc41c348914373f1142afbdd155e3f9
Opcode Fuzzy Hash: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction Fuzzy Hash: F261D0B070510ADBCB54DF28CA91AB97BB1AF04340B288419FE07AB791DB3DED41DB65

Function 007873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00787421
SetTextColor.GDI32(?,?), ref: 00787425
GetSysColorBrush.USER32(0000000F), ref: 0078743B
GetSysColor.USER32(0000000F), ref: 00787446
CreateSolidBrush.GDI32(?), ref: 0078744B
GetSysColor.USER32(00000011), ref: 00787463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
SelectObject.GDI32(?,00000000), ref: 00787482
SetBkColor.GDI32(?,00000000), ref: 0078748B
SelectObject.GDI32(?,?), ref: 00787498
InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0078752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00787554
InflateRect.USER32(?,000000FD,000000FD), ref: 00787572
DrawFocusRect.USER32(?,?), ref: 0078757D
GetSysColor.USER32(00000011), ref: 0078758E
SetTextColor.GDI32(?,00000000), ref: 00787596
DrawTextW.USER32(?,007870F5,000000FF,?,00000000), ref: 007875A8
SelectObject.GDI32(?,?), ref: 007875BF
DeleteObject.GDI32(?), ref: 007875CA
SelectObject.GDI32(?,?), ref: 007875D0
DeleteObject.GDI32(?), ref: 007875D5
SetTextColor.GDI32(?,?), ref: 007875DB
SetBkColor.GDI32(?,?), ref: 007875E5

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4a0caa9ffa3810d948d494215f6905f2ea3a43187fd661299ab01c3ef29af57e
Instruction ID: adfaaa96afbffe21092051664207bd97fd9462e8cfa7c4d1402bbb678355ad41
Opcode Fuzzy Hash: 4a0caa9ffa3810d948d494215f6905f2ea3a43187fd661299ab01c3ef29af57e
Instruction Fuzzy Hash: 46616E72D40218EFDF059FA4DC49EAE7FB9EB08320F218115F915AB2A1D7789940CBA4

Function 00780FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00781128
GetDesktopWindow.USER32 ref: 0078113D
GetWindowRect.USER32(00000000), ref: 00781144
GetWindowLongW.USER32(?,000000F0), ref: 00781199
DestroyWindow.USER32(?), ref: 007811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0078120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0078121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00781232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00781245
IsWindowVisible.USER32(00000000), ref: 007812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007812D0
GetWindowRect.USER32(00000000,?), ref: 007812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0078130E
GetMonitorInfoW.USER32(00000000,?), ref: 00781328
CopyRect.USER32(?,?), ref: 0078133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007813AA

Strings

(, xrefs: 0078131B
0, xrefs: 007810D3
tooltips_class32, xrefs: 007811E6

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction ID: 79626eb9fc2be9dfa5b28fe78f6882f9fe7d669834b0b3b5555e9b4b177cb5f9
Opcode Fuzzy Hash: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction Fuzzy Hash: 95B1BE71644341AFD700EF64C888B6BBBE9FF84310F40891CF9999B2A1D735E845CBA6

Function 00780241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007802E5
_wcslen.LIBCMT ref: 0078031F
_wcslen.LIBCMT ref: 00780389
_wcslen.LIBCMT ref: 007803F1
_wcslen.LIBCMT ref: 00780475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00780504

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

Part of subcall function 0075223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00752258
Part of subcall function 0075223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0075228A

Strings

DESELECT, xrefs: 0078059C
GETITEMCOUNT, xrefs: 00780316, 00780337
SELECTINVERT, xrefs: 0078057E
FINDITEM, xrefs: 00780627
GETSELECTEDCOUNT, xrefs: 00780470, 0078048B
ISSELECTED, xrefs: 007804DD
SELECTALL, xrefs: 00780515
VIEWCHANGE, xrefs: 00780675
GETSUBITEMCOUNT, xrefs: 00780384, 0078039F
SELECTCLEAR, xrefs: 0078052D
GETTEXT, xrefs: 007803EC, 00780407
GETSELECTED, xrefs: 007805E1
SELECT, xrefs: 00780548

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b709556fd7626ef85f706d20f956111bf6bde9bf4ca13cb14367d33e8c12db72
Instruction ID: 375a1c974579522526d7313c22976976441856aedc5d297619bb8263621b5f63
Opcode Fuzzy Hash: b709556fd7626ef85f706d20f956111bf6bde9bf4ca13cb14367d33e8c12db72
Instruction Fuzzy Hash: 84E1DD312482018FC794EF24C45197AB7E6BFC9314B144A6CF8969B6A2DB38ED49CB91

Function 00708891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00708968
GetSystemMetrics.USER32(00000007), ref: 00708970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0070899B
GetSystemMetrics.USER32(00000008), ref: 007089A3
GetSystemMetrics.USER32(00000004), ref: 007089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00708A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00708A3C
GetClientRect.USER32(00000000,000000FF), ref: 00708A5A
GetStockObject.GDI32(00000011), ref: 00708A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00708A81

Part of subcall function 0070912D: GetCursorPos.USER32(?), ref: 00709141
Part of subcall function 0070912D: ScreenToClient.USER32(00000000,?), ref: 0070915E
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000001), ref: 00709183
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000002), ref: 0070919D

SetTimer.USER32(00000000,00000000,00000028,007090FC), ref: 00708AA8

Strings

AutoIt v3 GUI, xrefs: 00708A20

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction ID: 6401232ba5d88105b64214e7f1864ceb24a29ed022e6ed79716bb170fe3721d1
Opcode Fuzzy Hash: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction Fuzzy Hash: 58B16D71A40209DFDF15DF68CC49BAA3BB5FB49314F218229FA15A72D0DB38E840CB55

Function 00750D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750E29
GetLengthSid.ADVAPI32(?), ref: 00750E40
GetAce.ADVAPI32(?,00000000,?), ref: 00750E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750E96
GetLengthSid.ADVAPI32(?), ref: 00750EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750EB5
HeapAlloc.KERNEL32(00000000), ref: 00750EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750EDD
CopySid.ADVAPI32(00000000), ref: 00750EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F6E
HeapFree.KERNEL32(00000000), ref: 00750F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F7E
HeapFree.KERNEL32(00000000), ref: 00750F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F8E
HeapFree.KERNEL32(00000000), ref: 00750F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00750FA1
HeapFree.KERNEL32(00000000), ref: 00750FA8

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction ID: 44b0ab8088c148651034bb9230fdaba50a5687ef42b6c60e8b2d76fcce29ceb6
Opcode Fuzzy Hash: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction Fuzzy Hash: B6715E7190020AEBDF219FA4DC49FEEBBB8BF04741F148115F919E6191D7799A09CBB0

Function 0077C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0078CC08,00000000,?,00000000,?,?), ref: 0077C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0077C5A4
_wcslen.LIBCMT ref: 0077C5F4
_wcslen.LIBCMT ref: 0077C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0077C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0077C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0077C84D
RegCloseKey.ADVAPI32(?), ref: 0077C881
RegCloseKey.ADVAPI32(00000000), ref: 0077C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0077C960

Strings

REG_BINARY, xrefs: 0077C913
REG_EXPAND_SZ, xrefs: 0077C5CD
REG_MULTI_SZ, xrefs: 0077C6F5
REG_DWORD, xrefs: 0077C804
REG_QWORD, xrefs: 0077C8C3
REG_SZ, xrefs: 0077C644

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ea4ed485a89be327d3ff0d551f4b5771b974a4af00045aaaa014525b00e94f18
Instruction ID: d3ebae17e31971fdb62de6e80e078127e1119c216cd7e198d37a33d29927448a
Opcode Fuzzy Hash: ea4ed485a89be327d3ff0d551f4b5771b974a4af00045aaaa014525b00e94f18
Instruction Fuzzy Hash: 8F1267352042019FDB15DF24C881A2AB7E6EF88754F14C89CF98A9B3A2DB35FD45CB85

Function 0078091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007809C6
_wcslen.LIBCMT ref: 00780A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00780A54
_wcslen.LIBCMT ref: 00780A8A
_wcslen.LIBCMT ref: 00780B06
_wcslen.LIBCMT ref: 00780B81

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

Part of subcall function 00752BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00752BFA

Strings

EXISTS, xrefs: 00780B7C, 00780B97
ISCHECKED, xrefs: 00780CE1
UNCHECK, xrefs: 00780D3E
EXPAND, xrefs: 00780BF8
CHECK, xrefs: 00780A85, 00780AA0
GETITEMCOUNT, xrefs: 00780C1E
GETTEXT, xrefs: 00780C97
COLLAPSE, xrefs: 00780B01, 00780B1C
GETSELECTED, xrefs: 00780C4E
SELECT, xrefs: 00780D11
GETTOTALCOUNT, xrefs: 007809F2, 00780A17

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction ID: 73ba9d24a6f8112ca6db4ce58ee19e109a2adb95051309455ef39aef8cf1e298
Opcode Fuzzy Hash: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction Fuzzy Hash: FCE1AC71248301CFC758EF24C45096AB7E2BF98314F14895CF8969B3A2DB38ED49CB92

Function 0077C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
_wcslen.LIBCMT ref: 0077C9F1
_wcslen.LIBCMT ref: 0077CA68
_wcslen.LIBCMT ref: 0077CA9E
_wcslen.LIBCMT ref: 0077CAF9
_wcslen.LIBCMT ref: 0077CB2F
_wcslen.LIBCMT ref: 0077CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 0077CB79, 0077CB7E
HKU, xrefs: 0077CBF0
HKEY_CLASSES_ROOT, xrefs: 0077CAF3, 0077CAF8
HKCR, xrefs: 0077CB29, 0077CB2E
HKLM, xrefs: 0077CA98, 0077CA9D
HKCU, xrefs: 0077CBCE
HKCC, xrefs: 0077CBAC
HKEY_LOCAL_MACHINE, xrefs: 0077CA62, 0077CA67
HKEY_CURRENT_USER, xrefs: 0077CBBD
HKEY_USERS, xrefs: 0077CBDF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction ID: 48b1a3a6888d44cdb3ae678f1c3b1a63f02e1639d89a5fb6e7e8c7355bde553b
Opcode Fuzzy Hash: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction Fuzzy Hash: B271E67260016A8BCF22DE7CCD416FA33919BA87D4B25C52CF85DA7294EA3DDD44C3A0

Function 0078833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078835A
_wcslen.LIBCMT ref: 0078836E
_wcslen.LIBCMT ref: 00788391
_wcslen.LIBCMT ref: 007883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00785BF2), ref: 0078844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788501
FreeLibrary.KERNEL32(?), ref: 0078850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078851D
DestroyIcon.USER32(?,?,?,?,?,00785BF2), ref: 0078852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00788549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00788555

Strings

.icl, xrefs: 00788368
.dll, xrefs: 007883AB
.exe, xrefs: 00788388

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction ID: cba729cb586143a4dcae90faa06fe8ee46b06703b14b4d7ea96f9ecf7ff498b5
Opcode Fuzzy Hash: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction Fuzzy Hash: 8761D172580219FAEB14EF64CC45BFE77A8BF04721F608509F915E60D1DB78A990C7A0

Function 006F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 006F77E7
#comments-end, xrefs: 006F78D9
Cannot parse #include, xrefs: 00735279
#include, xrefs: 006F7847
Bad directive syntax error, xrefs: 0073519A
#requireadmin, xrefs: 006F77FF
#comments-start, xrefs: 006F785F, 006F78B1
#OnAutoItStartRegister, xrefs: 006F7817
Unterminated group of comments, xrefs: 0073528C
", xrefs: 00735153
#ce, xrefs: 006F78ED
#include-once, xrefs: 006F782F
', xrefs: 00735169
#cs, xrefs: 006F7873, 006F78C5
#pragma compile, xrefs: 006F77D3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 954e8a7f024e795178f39bd0ec416aa03d6fa5cd7b7c6f99432052898e38904f
Instruction ID: c6229d0b700f9a94923fc7205740f3bf559b54c57198078aee75d17d1967ef05
Opcode Fuzzy Hash: 954e8a7f024e795178f39bd0ec416aa03d6fa5cd7b7c6f99432052898e38904f
Instruction Fuzzy Hash: 1B81F6B1644609FBEB21BF64CC46FFE77AAAF15300F044024FA04AA1D6EB78D955C7A1

Function 00763E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00763EF8
_wcslen.LIBCMT ref: 00763F03
_wcslen.LIBCMT ref: 00763F5A
_wcslen.LIBCMT ref: 00763F98
GetDriveTypeW.KERNEL32(?), ref: 00763FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0076401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764087

Strings

closed, xrefs: 00763F08, 00763F2D, 00763F46, 00763F7E, 00763F97
type cdaudio alias cd wait, xrefs: 00764001
wait, xrefs: 00764044
open, xrefs: 00763F54, 00763F59
set cd door , xrefs: 00764028
close, xrefs: 00763EFE, 00763F18
open , xrefs: 00763FE5
close cd wait, xrefs: 00764072

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction ID: a2d7883c05ab1d7f271356490f4627562f4e175b7b5a08a8872abaec26b05bfd
Opcode Fuzzy Hash: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction Fuzzy Hash: 987124726042169FC310EF24C8809BBB7F5EF94754F10492DFA9693291EB38ED45CB51

Function 00755A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00755A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00755A40
SetWindowTextW.USER32(?,?), ref: 00755A57
GetDlgItem.USER32(?,000003EA), ref: 00755A6C
SetWindowTextW.USER32(00000000,?), ref: 00755A72
GetDlgItem.USER32(?,000003E9), ref: 00755A82
SetWindowTextW.USER32(00000000,?), ref: 00755A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00755AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00755AC3
GetWindowRect.USER32(?,?), ref: 00755ACC
_wcslen.LIBCMT ref: 00755B33
SetWindowTextW.USER32(?,?), ref: 00755B6F
GetDesktopWindow.USER32 ref: 00755B75
GetWindowRect.USER32(00000000), ref: 00755B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00755BD3
GetClientRect.USER32(?,?), ref: 00755BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00755C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00755C2F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction ID: 3a96d082bc561c26d955753d6f09b825a9918f901eeb439f8b73c5875247ac95
Opcode Fuzzy Hash: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction Fuzzy Hash: 8371A271A00B05DFDB21DFA8CD59BAEBBF5FF48705F104518E542A25A0D7B8E904CB60

Function 0076FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0076FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0076FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0076FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0076FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0076FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0076FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0076FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0076FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0076FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0076FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0076FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0076FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0076FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0076FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0076FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0076FECC
GetCursorInfo.USER32(?), ref: 0076FEDC
GetLastError.KERNEL32 ref: 0076FF1E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction ID: f79cb431d93f6fe3879e79bdba3deffdea568ad6f0aa986026fd1b6ef19c1c22
Opcode Fuzzy Hash: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction Fuzzy Hash: 244153B0D443196ADB109FBA9C8585EBFE8FF04354B50452AE519E7281DB7899018F91

Function 007530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075318D
_wcslen.LIBCMT ref: 007531F8

Strings

NAME, xrefs: 00753335, 00753346
TEXT, xrefs: 0075347C
INSTANCE, xrefs: 00753453
CLASS, xrefs: 00753188, 007531A5
REGEXPCLASS, xrefs: 00753255, 00753266
CLASSNN, xrefs: 007531F3, 00753204
[{, xrefs: 0075339A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[{
API String ID: 176396367-669646794
Opcode ID: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction ID: 4852e6b19362d05293c4e77bc153c8206258e10b0ffbb7b7cc225fb0a57bae5d
Opcode Fuzzy Hash: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction Fuzzy Hash: A7E1F932A00516EBCB149F78C4517FEFBB1BF04791F548129E856E7260DBB8AE8D8790

Function 007100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007100C6

Part of subcall function 007100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007C070C,00000FA0,56870B35,?,?,?,?,007323B3,000000FF), ref: 0071011C
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007323B3,000000FF), ref: 00710127
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007323B3,000000FF), ref: 00710138
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0071014E
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0071015C
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0071016A
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00710195
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007101A0

___scrt_fastfail.LIBCMT ref: 007100E7

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

Strings

InitializeConditionVariable, xrefs: 00710148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00710122
SleepConditionVariableCS, xrefs: 00710154
kernel32.dll, xrefs: 00710133
WakeAllConditionVariable, xrefs: 00710162

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction ID: e66e1c273826ffa72c42a0f7e1840a10cf95471ea7ff20e14ee962c3d4cbaa17
Opcode Fuzzy Hash: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction Fuzzy Hash: FA21C8B2A84714EBD7116B78AC4DB9D3394EB04F51F108129F901E26D1DABC98808BE4

Function 007644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0078CC08), ref: 00764527
_wcslen.LIBCMT ref: 0076453B
_wcslen.LIBCMT ref: 00764599
_wcslen.LIBCMT ref: 007645F4
_wcslen.LIBCMT ref: 0076463F
_wcslen.LIBCMT ref: 007646A7

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

GetDriveTypeW.KERNEL32(?,007B6BF0,00000061), ref: 00764743

Strings

network, xrefs: 0076469D, 007646A2
removable, xrefs: 007645EA, 007645EF
ramdisk, xrefs: 007646F1
fixed, xrefs: 00764635, 0076463A
cdrom, xrefs: 0076458F, 00764594
all, xrefs: 00764531, 00764536
unknown, xrefs: 00764708

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction ID: 8b9ce1a1ecece5846fc3a31751f9e6f51c645ee377d4b3d00df8b8afa5776fb4
Opcode Fuzzy Hash: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction Fuzzy Hash: E6B1CF716083029FC714DF28C890A7AB7E5BFA5760F50491DF997C7292E738E944CBA2

Function 0078911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DragQueryPoint.SHELL32(?,?), ref: 00789147

Part of subcall function 00787674: ClientToScreen.USER32(?,?), ref: 0078769A
Part of subcall function 00787674: GetWindowRect.USER32(?,?), ref: 00787710
Part of subcall function 00787674: PtInRect.USER32(?,?,00788B89), ref: 00787720

SendMessageW.USER32(?,000000B0,?,?), ref: 007891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00789225
SendMessageW.USER32(?,000000B0,?,?), ref: 0078923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00789255
SendMessageW.USER32(?,000000B1,?,?), ref: 00789277
DragFinish.SHELL32(?), ref: 0078927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00789371

Strings

@GUI_DRAGFILE, xrefs: 00789320
@GUI_DRAGID, xrefs: 007892E9
p#|, xrefs: 007892BB
@GUI_DROPID, xrefs: 0078929E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#|
API String ID: 221274066-704254282
Opcode ID: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction ID: 82b4458ee9ca065fbe53dd0a0b236cbbd416fadf477bf234c2c212343454a7db
Opcode Fuzzy Hash: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction Fuzzy Hash: BC61AC71108305AFC701EF60DC89EAFBBE9EF89350F10092DF695921A1DB349A49CB66

Function 006F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007C1990), ref: 00732F8D
GetMenuItemCount.USER32(007C1990), ref: 0073303D
GetCursorPos.USER32(?), ref: 00733081
SetForegroundWindow.USER32(00000000), ref: 0073308A
TrackPopupMenuEx.USER32(007C1990,00000000,?,00000000,00000000,00000000), ref: 0073309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007330A9

Strings

0, xrefs: 006F327D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction ID: 9f30a9d84441f52882867247d7bd43e5218b76219c0f1c18628d96a9df15bc14
Opcode Fuzzy Hash: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction Fuzzy Hash: 13713C70644216BEFB359F24CC49FAABF65FF01364F204216F6246A2E2C7B9AD11C764

Function 00786CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00786DEB

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00786E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00786E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786E94
DestroyWindow.USER32(?), ref: 00786EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006F0000,00000000), ref: 00786EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786EFD
GetDesktopWindow.USER32 ref: 00786F16
GetWindowRect.USER32(00000000), ref: 00786F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00786F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00786F4D

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

Strings

0, xrefs: 00786D98
tooltips_class32, xrefs: 00786E58, 00786EDD

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction ID: 1c50e25f7d7cf64e9ec8685aa1ebcc982307d35a2c2ca9458caf952cc8df88d6
Opcode Fuzzy Hash: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction Fuzzy Hash: 94717870284244AFDB21DF18DC48FAABBE9FB89304F54446DFA8987261D778E905CB25

Function 0076C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0076C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0076C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0076C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C5F0
InternetCloseHandle.WININET(00000000), ref: 0076C5FB

Strings

, xrefs: 0076C575

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction ID: 5c342a209f024a323c885b20ed4ef4a2f8acffaa5ba6af2d7654d21d3c84fcd4
Opcode Fuzzy Hash: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction Fuzzy Hash: 22515EB1540208BFEB228F61CD48ABB7BBCFF08744F24841AF987D6551DB38E9549B64

Function 0078856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00788592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885BA
GlobalLock.KERNEL32(00000000), ref: 007885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885D7
GlobalUnlock.KERNEL32(00000000), ref: 007885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0078FC38,?), ref: 00788611
GlobalFree.KERNEL32(00000000), ref: 00788621
GetObjectW.GDI32(?,00000018,?), ref: 00788641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00788671
DeleteObject.GDI32(?), ref: 00788699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007886AF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction ID: 9455179b720ddb24584b13ea8b58290d2fce87123568c050a45cec4e719f8244
Opcode Fuzzy Hash: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction Fuzzy Hash: 03413D75680208AFDB11DF65DC88EAA7BB9FF89711F208058F905D7251DB389D01DB35

Function 007614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00761502
VariantCopy.OLEAUT32(?,?), ref: 0076150B
VariantClear.OLEAUT32(?), ref: 00761517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00761657
VariantInit.OLEAUT32(?), ref: 00761708
SysFreeString.OLEAUT32(?), ref: 0076178C
VariantClear.OLEAUT32(?), ref: 007617D8
VariantClear.OLEAUT32(?), ref: 007617E7
VariantInit.OLEAUT32(00000000), ref: 00761823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00761625
Default, xrefs: 007616AF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: bbde0e94db0211c0632f4d10b1e33b023547bbb1123f142928621baa57a7ba44
Instruction ID: 447e5a87b5115c9485694d26e9814906ca33f21cbe9f1394481d512d5a44a5ef
Opcode Fuzzy Hash: bbde0e94db0211c0632f4d10b1e33b023547bbb1123f142928621baa57a7ba44
Instruction Fuzzy Hash: 10D1F271A00205EBDB109F65D88DB79F7B5BF44700F58815AF807AB582EB38ED50DB61

Function 0077B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0077B80A
RegCloseKey.ADVAPI32(?), ref: 0077B87E
RegCloseKey.ADVAPI32(?), ref: 0077B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0077B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0077B922
FreeLibrary.KERNEL32(00000000), ref: 0077B983
RegCloseKey.ADVAPI32(00000000), ref: 0077B994

Strings

advapi32.dll, xrefs: 0077B8ED
RegDeleteKeyExW, xrefs: 0077B8FE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction ID: 9ba3bc1f61596b5e199808fe296a123f317f8057bd5389162c2dbe51a70d6c34
Opcode Fuzzy Hash: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction Fuzzy Hash: 02C16C70208201EFDB14DF14C494F2ABBE5BF84358F14C45CE5AA8B2A2CB79E845CB92

Function 0077255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007725E8
CreateCompatibleDC.GDI32(?), ref: 007725F4
SelectObject.GDI32(00000000,?), ref: 00772601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0077266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007726D0
SelectObject.GDI32(?,?), ref: 007726D8
DeleteObject.GDI32(?), ref: 007726E1
DeleteDC.GDI32(?), ref: 007726E8
ReleaseDC.USER32(00000000,?), ref: 007726F3

Strings

(, xrefs: 0077268D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1d047662e821c4b5c4f04d78afe5bd96b2684bf7380be9bb364924d62ad97dcf
Instruction ID: 44e01638d8fc8123b0e1ceabaed59ddc4a356817a6e70a0f8672131cc8b38f4f
Opcode Fuzzy Hash: 1d047662e821c4b5c4f04d78afe5bd96b2684bf7380be9bb364924d62ad97dcf
Instruction Fuzzy Hash: 2E6115B5D00209EFCF05CFA4D888AAEBBF5FF48310F20852AE559A7251E734A941CF64

Function 0072DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0072DAA1

Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D659
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D66B
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D67D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D68F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6A1
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6B3
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6C5
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6D7
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6E9
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6FB
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D70D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D71F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D731

_free.LIBCMT ref: 0072DA96

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072DAB8
_free.LIBCMT ref: 0072DACD
_free.LIBCMT ref: 0072DAD8
_free.LIBCMT ref: 0072DAFA
_free.LIBCMT ref: 0072DB0D
_free.LIBCMT ref: 0072DB1B
_free.LIBCMT ref: 0072DB26
_free.LIBCMT ref: 0072DB5E
_free.LIBCMT ref: 0072DB65
_free.LIBCMT ref: 0072DB82
_free.LIBCMT ref: 0072DB9A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction ID: 12c952bde6553e6687f1add7f44f500840b6ec9c168d5ef4ccfbddabc94a47db
Opcode Fuzzy Hash: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction Fuzzy Hash: ED315C71604224EFEB31AB38F849B5677E9FF04310F518429E489E71A2DA38FC818B60

Function 0075365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0075369C
_wcslen.LIBCMT ref: 007536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00753797
GetClassNameW.USER32(?,?,00000400), ref: 0075380C
GetDlgCtrlID.USER32(?), ref: 0075385D
GetWindowRect.USER32(?,?), ref: 00753882
GetParent.USER32(?), ref: 007538A0
ScreenToClient.USER32(00000000), ref: 007538A7
GetClassNameW.USER32(?,?,00000100), ref: 00753921
GetWindowTextW.USER32(?,?,00000400), ref: 0075395D

Strings

%s%u, xrefs: 00753734

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction ID: 1a11795e8818dc097fa23be0d0152b4a382a3325a392ef9139e2cb1668e900cb
Opcode Fuzzy Hash: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction Fuzzy Hash: A191F9B1204606EFD709DF24C885BEAF7A8FF44355F008519FD99C21A0DB78EA59CBA1

Function 00754954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00754994
GetWindowTextW.USER32(?,?,00000400), ref: 007549DA
_wcslen.LIBCMT ref: 007549EB
CharUpperBuffW.USER32(?,00000000), ref: 007549F7
_wcsstr.LIBVCRUNTIME ref: 00754A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00754A64
GetWindowTextW.USER32(?,?,00000400), ref: 00754A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00754AE6
GetClassNameW.USER32(?,?,00000400), ref: 00754B20
GetWindowRect.USER32(?,?), ref: 00754B8B

Strings

ThumbnailClass, xrefs: 00754A6F, 00754AF1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction ID: abf19ec6c0d414644cbe29b8e1c9bf19b6f3918c205c02f58f417f8b64f98beb
Opcode Fuzzy Hash: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction Fuzzy Hash: 6591BE71104209DFDB05CF14C985BEA77E8FF84319F048469FD859A096EBB8ED89CBA1

Function 00788D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00788D5A
GetFocus.USER32 ref: 00788D6A
GetDlgCtrlID.USER32(00000000), ref: 00788D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00788E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00788ECF
GetMenuItemCount.USER32(?), ref: 00788EEC
GetMenuItemID.USER32(?,00000000), ref: 00788EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00788F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00788F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00788FA1

Strings

0, xrefs: 00788E9F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 5a8306c53ace187a8b462a5241a7dde6689f15e3ab2abdf0914da872d5b9f831
Instruction ID: 142c0be85152397e8593d4d34404b54e6fe846608eae7ec2b0270b0b1fa8957f
Opcode Fuzzy Hash: 5a8306c53ace187a8b462a5241a7dde6689f15e3ab2abdf0914da872d5b9f831
Instruction Fuzzy Hash: BC81B0715443019FDB51EF24D888A6B77E9FB88314F54056DFA9497291DB38D900CB62

Function 0075DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0075DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0075DC46
_wcslen.LIBCMT ref: 0075DC50
_wcsstr.LIBVCRUNTIME ref: 0075DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0075DCBC

Strings

\VarFileInfo\Translation, xrefs: 0075DCB4
DefaultLangCodepage, xrefs: 0075DD1F
StringFileInfo\, xrefs: 0075DC8F
%u.%u.%u.%u, xrefs: 0075DD9A
04090000, xrefs: 0075DCF2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a214a77ffbaac0cc9fdb2b199c00941c1b508640bb8576a98662b06779286813
Instruction ID: da168887d21df026582bd7da74b9c6bbd0f476e6c7b0b7ead51592f58950c311
Opcode Fuzzy Hash: a214a77ffbaac0cc9fdb2b199c00941c1b508640bb8576a98662b06779286813
Instruction Fuzzy Hash: 7A410872640205BADB21A774DC0BEFF77ACEF45711F10006AFA00A61C2EA7C9E4187B5

Function 0077CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0077CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD48

Part of subcall function 0077CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0077CCAA
Part of subcall function 0077CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0077CCBD
Part of subcall function 0077CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077CCCF
Part of subcall function 0077CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD05
Part of subcall function 0077CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0077CCF3

Strings

advapi32.dll, xrefs: 0077CCB8
RegDeleteKeyExW, xrefs: 0077CCC9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction ID: b045c0fe27b37ccbc5acbd8e7216c0e1c85f58dc7a76a29281d9ea40e21167ee
Opcode Fuzzy Hash: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction Fuzzy Hash: 813183B1A41118BBDB228B50DC88EFFBB7CEF49780F108169B909E6140D7389A45DBB4

Function 00763D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00763D40
_wcslen.LIBCMT ref: 00763D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00763D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00763DBE
RemoveDirectoryW.KERNEL32(?), ref: 00763DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00763E55
CloseHandle.KERNEL32(00000000), ref: 00763E60
CloseHandle.KERNEL32(00000000), ref: 00763E6B

Strings

\, xrefs: 00763D77
:, xrefs: 00763D82
\??\%s, xrefs: 00763D5B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction ID: adeff77e454b14f9bb07e036f309f0f19760c1e7c9f3d2713554d97a034693cd
Opcode Fuzzy Hash: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction Fuzzy Hash: 423183B1A40209ABDB219BA4DC49FEF77BCEF89700F1041A5F915D6190E7789744CB64

Function 0075E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0075E6B4

Part of subcall function 0070E551: timeGetTime.WINMM(?,?,0075E6D4), ref: 0070E555

Sleep.KERNEL32(0000000A), ref: 0075E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0075E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0075E727
SetActiveWindow.USER32 ref: 0075E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0075E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0075E773
Sleep.KERNEL32(000000FA), ref: 0075E77E
IsWindow.USER32 ref: 0075E78A
EndDialog.USER32(00000000), ref: 0075E79B

Strings

BUTTON, xrefs: 0075E719

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction ID: 7014dcb33fa94f3a853937121aca6634ba5ca6369022c1a360dde5a15c98ac17
Opcode Fuzzy Hash: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction Fuzzy Hash: 6D21A4B0340244AFEB055F20ECC9E653B69FB5534AF208828F951915B2DFBD9D099B3C

Function 0075E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0075EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0075EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0075EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0075EAA7

Strings

play PlayMe wait, xrefs: 0075EA91
close PlayMe, xrefs: 0075EA6E, 0075EA9B
alias PlayMe, xrefs: 0075EA36
play PlayMe, xrefs: 0075EAA2
status PlayMe mode, xrefs: 0075EA58
open , xrefs: 0075EA0C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction ID: 8917b95d265feee65eff03a0a2a25dbc65c85336e2a580e6174b11f4b918460e
Opcode Fuzzy Hash: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction Fuzzy Hash: 7A117372A9026D79D724E7B1DC4AEFF6B7CEBD1B40F00442DBA11A20D1EEB81A45C5B0

Function 00755CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00755CE2
GetWindowRect.USER32(00000000,?), ref: 00755CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00755D59
GetDlgItem.USER32(?,00000002), ref: 00755D69
GetWindowRect.USER32(00000000,?), ref: 00755D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00755DCF
GetDlgItem.USER32(?,000003E9), ref: 00755DDD
GetWindowRect.USER32(00000000,?), ref: 00755DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00755E31
GetDlgItem.USER32(?,000003EA), ref: 00755E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00755E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00755E67

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction ID: 1883a302a67e59c02bbaabe777226b062de0d1b66b81d340a902004954bd23d9
Opcode Fuzzy Hash: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction Fuzzy Hash: 96512F71B40609AFDF18CF68DD99AAE7BB5FF48301F248129F915E6290D7749E04CB60

Function 00708BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

DestroyWindow.USER32(?), ref: 00708C81
KillTimer.USER32(00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00746973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000), ref: 007469D4
DeleteObject.GDI32(00000000), ref: 007469E6

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction ID: ef3d2a40cc47f696936859003e0aba3e73c6df71032fadb201e885a2dd47dab9
Opcode Fuzzy Hash: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction Fuzzy Hash: B361AF30102600DFDB669F14D948B2677F1FB42312F64866CE0829A9A0CB7DBD90DF6A

Function 00709838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetSysColor.USER32(0000000F), ref: 00709862

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction ID: d540e176220e47c5f1c598983384b4ecb3fac53ee7257b557d86a751e97fc2e5
Opcode Fuzzy Hash: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction Fuzzy Hash: 6741A171544644EFDB215F389C88BB93BA5AB46330F248715FAA28B2E3D7399C41DB20

Function 00728D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.q, xrefs: 0072903A, 00728FD0, 00728FF2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: .q
API String ID: 0-2393120612
Opcode ID: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction ID: 7b5d890c2336b60a44089c652920c63548469d72719a24cb468cd58db69cb3e3
Opcode Fuzzy Hash: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction Fuzzy Hash: 0FC10575E0426AEFCB21DFA8E845BEDBBB0BF09310F184059E515A7392CB3D9941CB61

Function 007596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00759717
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759720

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00759742
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00759866

Strings

^ ERROR, xrefs: 007597FB
Line %d (File "%s"):, xrefs: 0075978F
Line %d:, xrefs: 007597A0
Error: , xrefs: 0075981D
%s (%d) : ==> %s: %s %s, xrefs: 0075984A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction ID: 53dff9934effa73d0a5ba84cc42df78de0c749341256499a4ac3094341e0fff2
Opcode Fuzzy Hash: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction Fuzzy Hash: E8414B7280021DAACB45EBE0CD86EFE7379AF14341F200429F70572192EA796F48CB75

Function 007506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00750804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0075082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00750837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0075083C

Strings

SOFTWARE\Classes\, xrefs: 0075070E
\IPC$, xrefs: 00750784
\CLSID, xrefs: 00750724

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction ID: d219c69a87d7eea47d1fd82b3a4dbb875234d138f65661f58675d4647dde8d3a
Opcode Fuzzy Hash: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction Fuzzy Hash: B04118B2C1022DABDF15EBA4DC85DFDB779BF04390F144129E915A3261EB74AE04CBA4

Function 00773C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00773C5C
CoInitialize.OLE32(00000000), ref: 00773C8A
CoUninitialize.OLE32 ref: 00773C94
_wcslen.LIBCMT ref: 00773D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00773DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00773ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00773F0E
CoGetObject.OLE32(?,00000000,0078FB98,?), ref: 00773F2D
SetErrorMode.KERNEL32(00000000), ref: 00773F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00773FC4
VariantClear.OLEAUT32(?), ref: 00773FD8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction ID: d550ce4e73ba067b8c3e39022257928e0b13d38c99b550d1190ec20e0aa95d8b
Opcode Fuzzy Hash: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction Fuzzy Hash: 9EC166716083059FDB00DF68C88492BBBE9FF89784F10891DF98A9B250D775EE05CB62

Function 00767A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00767AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00767B8F
SHGetDesktopFolder.SHELL32(?), ref: 00767BA3
CoCreateInstance.OLE32(0078FD08,00000000,00000001,007B6E6C,?), ref: 00767BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00767C74
CoTaskMemFree.OLE32(?,?), ref: 00767CCC
SHBrowseForFolderW.SHELL32(?), ref: 00767D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00767D7A
CoTaskMemFree.OLE32(00000000), ref: 00767D81
CoTaskMemFree.OLE32(00000000), ref: 00767DD6
CoUninitialize.OLE32 ref: 00767DDC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 743a644c764cfa33c2a6b2bc0b25443669c9b30f2dcc78481edb2e925c59809a
Instruction ID: 9e0a588f4f9123726da1928419f903d5d7702a9cbceabed55399d90e0ca08370
Opcode Fuzzy Hash: 743a644c764cfa33c2a6b2bc0b25443669c9b30f2dcc78481edb2e925c59809a
Instruction Fuzzy Hash: 62C12A75A04109AFCB14DFA4C884DAEBBF9FF48354B148498E91ADB361D734EE45CBA0

Function 0078541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00785504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00785515
CharNextW.USER32(00000158), ref: 00785544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00785585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0078559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007855AC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction ID: fe72a6848a80de42802a13e699a7b7b34a1f6b9962c65fca8e9cc17728d45376
Opcode Fuzzy Hash: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction Fuzzy Hash: 8B61A070A80608EFDF11AF54CC84DFE7BB9EF05721F208195F929A6290D77C9A80DB60

Function 0074FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0074FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0074FB08
VariantInit.OLEAUT32(?), ref: 0074FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0074FB3A
VariantCopy.OLEAUT32(?,?), ref: 0074FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0074FBA1
VariantClear.OLEAUT32(?), ref: 0074FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0074FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBCC
VariantClear.OLEAUT32(?), ref: 0074FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBE9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction ID: c02f544abf7a5736330dd99f3ef1d8fcfced276d04e58fd1d027cdc45cb219c9
Opcode Fuzzy Hash: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction Fuzzy Hash: 7E415F75A00219DFCB01DF64D858DAEBBB9FF49354F10C069E90AA7261CB38A945CBA4

Function 00759C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00759CA1
GetAsyncKeyState.USER32(000000A0), ref: 00759D22
GetKeyState.USER32(000000A0), ref: 00759D3D
GetAsyncKeyState.USER32(000000A1), ref: 00759D57
GetKeyState.USER32(000000A1), ref: 00759D6C
GetAsyncKeyState.USER32(00000011), ref: 00759D84
GetKeyState.USER32(00000011), ref: 00759D96
GetAsyncKeyState.USER32(00000012), ref: 00759DAE
GetKeyState.USER32(00000012), ref: 00759DC0
GetAsyncKeyState.USER32(0000005B), ref: 00759DD8
GetKeyState.USER32(0000005B), ref: 00759DEA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction ID: 30c3bdb5939949c4b32f1b72b57e9704c58a20ec064dd55a38e1d919cdcadc49
Opcode Fuzzy Hash: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction Fuzzy Hash: 0A41A4346047C9A9FF71967088143E5BEB06B11345F08805ADFC65A6C2EBEDA9CCC7A2

Function 0077055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007705BC
inet_addr.WSOCK32(?), ref: 0077061C
gethostbyname.WSOCK32(?), ref: 00770628
IcmpCreateFile.IPHLPAPI ref: 00770636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007707B9
WSACleanup.WSOCK32 ref: 007707BF

Strings

Ping, xrefs: 00770676

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9c3145fc7d3a32d2c8bf772df62a23ba7b3a6fd1a01f7ca6aec3bf2211882113
Instruction ID: cce3b79c96911d325d18ee02f25c78c6d1cc8ad134976bd0a21d04e67bccf565
Opcode Fuzzy Hash: 9c3145fc7d3a32d2c8bf772df62a23ba7b3a6fd1a01f7ca6aec3bf2211882113
Instruction Fuzzy Hash: 7E918A75604201DFDB24CF15C888F2ABBE1AF84358F14C5A9E5698B6A2C738ED41CFD1

Function 00778CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00778CF3

Part of subcall function 00758E54: _wcslen.LIBCMT ref: 00758E77

_wcslen.LIBCMT ref: 00778D4E
_wcslen.LIBCMT ref: 00778D9C
_wcslen.LIBCMT ref: 00778DDC
_wcslen.LIBCMT ref: 00778E6E

Strings

cdecl, xrefs: 00778D48, 00778D4D
none, xrefs: 00778E65, 00778E6A
stdcall, xrefs: 00778DD6, 00778DDB
winapi, xrefs: 00778D96, 00778D9B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction ID: cc6fe095db737f8d91cd04d7983331495a5e658dc5b563460a0b21c9115e6edf
Opcode Fuzzy Hash: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction Fuzzy Hash: C551D731A405169BCF64DF6CC8449BEB7A6BF643A4B208229E529E73C4DF78DD40C791

Function 0077372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00773774
CoUninitialize.OLE32 ref: 0077377F
CoCreateInstance.OLE32(?,00000000,00000017,0078FB78,?), ref: 007737D9
IIDFromString.OLE32(?,?), ref: 0077384C
VariantInit.OLEAUT32(?), ref: 007738E4
VariantClear.OLEAUT32(?), ref: 00773936

Strings

Invalid parameter, xrefs: 00773865
Failed to create object, xrefs: 007737E4, 0077389A
NULL Pointer assignment, xrefs: 0077381E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction ID: 099ffa9bf7b1d27d9bb6eedebb37015aaa51948e1cb5f76558ab01171af23cab
Opcode Fuzzy Hash: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction Fuzzy Hash: 7761C1B0208301EFD710DF54C889F6AB7E4EF48750F108909F9899B291C778EE48DBA6

Function 00788B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

Part of subcall function 0070912D: GetCursorPos.USER32(?), ref: 00709141
Part of subcall function 0070912D: ScreenToClient.USER32(00000000,?), ref: 0070915E
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000001), ref: 00709183
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000002), ref: 0070919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00788B6B
ImageList_EndDrag.COMCTL32 ref: 00788B71
ReleaseCapture.USER32 ref: 00788B77
SetWindowTextW.USER32(?,00000000), ref: 00788C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00788C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00788CFF

Strings

@GUI_DRAGFILE, xrefs: 00788C9A
p#|, xrefs: 00788C71
@GUI_DROPID, xrefs: 00788C51

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#|
API String ID: 1924731296-624169274
Opcode ID: 602c9a46b830a158b50f52b97a636298c7e5414534c263cb27a4db2b6b289600
Instruction ID: f5505c1d5108d0f3aa2aeefb361eaf242c8a86d363913991420016425bb49cf1
Opcode Fuzzy Hash: 602c9a46b830a158b50f52b97a636298c7e5414534c263cb27a4db2b6b289600
Instruction Fuzzy Hash: D751CD70204304AFD704EF20DC5AFAA77E5FB88710F90062DF956972E2CB78A904CB66

Function 00763388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007633CF

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007633F0

Strings

Line %d (File "%s"):, xrefs: 00763443, 0076345C
Incorrect parameters to object property !, xrefs: 007634AB
"%s" (%d) : ==> %s:, xrefs: 00763522
^ ERROR , xrefs: 0076349E
Error: , xrefs: 007634D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00763504

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction ID: 78c4cdee54c3f165de55a398c07988ca7066bdc011a5be2a3144514be9a681dd
Opcode Fuzzy Hash: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction Fuzzy Hash: 445192B2900259AADF15EBE0CD46EFEB779EF04340F204069F60572192EB796F58CB64

Function 0075B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0075B5FC
_wcslen.LIBCMT ref: 0075B608
_wcslen.LIBCMT ref: 0075B64D
_wcslen.LIBCMT ref: 0075B68C
_wcslen.LIBCMT ref: 0075B6C7

Strings

EXISTS, xrefs: 0075B686, 0075B68B
KEYS, xrefs: 0075B647, 0075B64C
REMOVE, xrefs: 0075B602, 0075B607
APPEND, xrefs: 0075B6C1, 0075B6C6

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction ID: db8fda3f0b131fe515acdc3ceee4930c879137f8caf041394daaddb7177a07d6
Opcode Fuzzy Hash: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction Fuzzy Hash: EB41D532A000279ACB205F7DC8905FEB7A5EFA0755B24452AED21DB284E77DDD8AC790

Function 00765393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00765416
GetLastError.KERNEL32 ref: 00765420
SetErrorMode.KERNEL32(00000000,READY), ref: 007654A7

Strings

READONLY, xrefs: 00765452
READY, xrefs: 00765460, 00765468
NOTREADY, xrefs: 0076544B
INVALID, xrefs: 00765459
UNKNOWN, xrefs: 00765444

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction ID: bd9717827c21566033214c46c38781ef8eec149bf8970e097deff72adaea3df9
Opcode Fuzzy Hash: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction Fuzzy Hash: 0C31C375A005489FCB11DF68C484BAA7FB4FF05305F1480A9E906DB292DF79DD86DBA0

Function 00783C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00783C79
SetMenu.USER32(?,00000000), ref: 00783C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783D10
IsMenu.USER32(?), ref: 00783D24
CreatePopupMenu.USER32 ref: 00783D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783D5B
DrawMenuBar.USER32 ref: 00783D63

Strings

F, xrefs: 00783D4E
0, xrefs: 00783C54

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction ID: c9ff8da0dc2af69a5960a6826345918449c4857957bb653877399c74aa17a3f8
Opcode Fuzzy Hash: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction Fuzzy Hash: B8418B75A01209EFDF14DF68D844EAA7BB5FF49310F244028F90697360D738AA10CFA4

Function 00751EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00751F64
GetDlgCtrlID.USER32 ref: 00751F6F
GetParent.USER32 ref: 00751F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751F8E
GetDlgCtrlID.USER32(?), ref: 00751F97
GetParent.USER32(?), ref: 00751FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751FAE

Strings

ListBox, xrefs: 00751F21
ComboBox, xrefs: 00751EEC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction ID: 1d7402e61a9391ecdb3754ec7d4074f7e929d76dc6aaeacb18614420e1e4bb6c
Opcode Fuzzy Hash: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction Fuzzy Hash: 3021FF70A00218BBCF05AFA0DC84EFEBBB9EF05341B104599F961A32E1DB794908CB74

Function 00783A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00783A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00783AA0
GetWindowLongW.USER32(?,000000F0), ref: 00783AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00783AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00783B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00783BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00783BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00783BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00783BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00783C13

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction ID: 9d90404b9290680fab63a3589dfddade3b03aceeb10eddf0fb339db5edc2900b
Opcode Fuzzy Hash: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction Fuzzy Hash: 16617FB5940248AFDB10DF68CC81EEE77F8EF09710F1041A9FA15A7292D778AE45DB60

Function 0075B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B165
GetWindowThreadProcessId.USER32(00000000), ref: 0075B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0075B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B21D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction ID: e1fa470ee8ed2b5fc97f0c78e312b568c0345db098024ffcb3005f5cca2dc856
Opcode Fuzzy Hash: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction Fuzzy Hash: BD318E72640604AFDB119F64EC49FBD7BAABB51312F20C019FE01DA190D7BC9A848F78

Function 00722C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00722C94

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 00722CA0
_free.LIBCMT ref: 00722CAB
_free.LIBCMT ref: 00722CB6
_free.LIBCMT ref: 00722CC1
_free.LIBCMT ref: 00722CCC
_free.LIBCMT ref: 00722CD7
_free.LIBCMT ref: 00722CE2
_free.LIBCMT ref: 00722CED
_free.LIBCMT ref: 00722CFB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction ID: 4ba1eb87de32280607a79ed89fd75a1658bc2be73e68c27ac4a544f0887edac3
Opcode Fuzzy Hash: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction Fuzzy Hash: 62119476100118FFCB02EF54E846CDD3BA5BF09350F9144A5F9886B232D635FA919F90

Function 00767DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00767FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00767FC1
GetFileAttributesW.KERNEL32(?), ref: 00767FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00768005
SetCurrentDirectoryW.KERNEL32(?), ref: 00768017
SetCurrentDirectoryW.KERNEL32(?), ref: 00768060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007680B0

Strings

*.*, xrefs: 00768066

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction ID: 04f09617abdb3e516a5a7abda52a9417306852107230f9f94092b7f9aca5c4fb
Opcode Fuzzy Hash: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction Fuzzy Hash: CE81C0725082059BCB28EF54C8449BAB3E9BF88354F144D5EFD86C7250EB3ADD49CB52

Function 006F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006F5C7A

Part of subcall function 006F5D0A: GetClientRect.USER32(?,?), ref: 006F5D30
Part of subcall function 006F5D0A: GetWindowRect.USER32(?,?), ref: 006F5D71
Part of subcall function 006F5D0A: ScreenToClient.USER32(?,?), ref: 006F5D99

GetDC.USER32 ref: 007346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00734708
SelectObject.GDI32(00000000,00000000), ref: 00734716
SelectObject.GDI32(00000000,00000000), ref: 0073472B
ReleaseDC.USER32(?,00000000), ref: 00734733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007347C4

Strings

U, xrefs: 00734693

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction ID: 4c7eedaf408b0fdb5500e689764b595cec6e08fa5ed67cde1aca675bd300278b
Opcode Fuzzy Hash: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction Fuzzy Hash: 9A71D131500209DFDF298F64C985ABA3BB2FF46360F144269EA565A2A7C338AC41DF60

Function 0076359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

^ ERROR, xrefs: 007636C9
Line %d (File "%s"):, xrefs: 0076366B
"%s" (%d) : ==> %s:, xrefs: 00763742
Error: , xrefs: 007636EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00763724

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction ID: e10a40480995b39667355dd7d2eebb9b19676080376a61d7f6e5c3939bb3626e
Opcode Fuzzy Hash: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction Fuzzy Hash: 9C516FB2800259AADF15EBA0DC46EFDBB75EF05340F144129F60572192DB391B98DB64

Function 0076C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C2CA
GetLastError.KERNEL32 ref: 0076C322
SetEvent.KERNEL32(?), ref: 0076C336
InternetCloseHandle.WININET(00000000), ref: 0076C341

Strings

, xrefs: 0076C2BB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction ID: 3018b3c625e58c766e3bad2db9617578e3239a745f1d3adb10e57b83d7c9b4e3
Opcode Fuzzy Hash: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction Fuzzy Hash: 87316BB1640208AFD7239F66DC88ABB7AFCEB49744B14851EF88796240DB38DD049B75

Function 0075989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00733AAF,?,?,Bad directive syntax error,0078CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007598BC
LoadStringW.USER32(00000000,?,00733AAF,?), ref: 007598C3

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00759987

Strings

Line %d (File "%s"):, xrefs: 0075992D
%s (%d) : ==> %s.: %s %s, xrefs: 007598F1
Line %d:, xrefs: 00759912
Error: , xrefs: 00759955
., xrefs: 0075996D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction ID: cf5ed17916c7cb4248747f4303e38a24201b56d205eafc854ea87648b027dae8
Opcode Fuzzy Hash: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction Fuzzy Hash: 4F21717284026EEBDF16EF90CC0AEFD7775BF14341F044429F615620A2EB79A618CB20

Function 0075209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0075214D

Strings

smallicons, xrefs: 00752115
SHELLDLL_DefView, xrefs: 007520CC
details, xrefs: 007520FB
largeicons, xrefs: 007520E1
list, xrefs: 0075212F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction ID: 616e47f73424716a9405112a684a4330a11bb0be592494c653550452081593bd
Opcode Fuzzy Hash: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction Fuzzy Hash: 1511E7B6684B0AF9F60522249C0AEE7379CDF06325B204126FE04A50D2FABD58475654

Function 0072CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0072CEB7
_free.LIBCMT ref: 0072CF22
_free.LIBCMT ref: 0072CF48
_free.LIBCMT ref: 0072CF71
_free.LIBCMT ref: 0072CFA9
_free.LIBCMT ref: 0072CFDA
_free.LIBCMT ref: 0072D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0072D09C
_free.LIBCMT ref: 0072D0B5

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 89dae02438a5365f2b74b2e119529098e7cd800bf0bb38acddfa3d8fc91e874c
Instruction ID: 4f8c82df85369014c29155fa517e4f15253ad8322821a2b9e406b4f81b56eb6e
Opcode Fuzzy Hash: 89dae02438a5365f2b74b2e119529098e7cd800bf0bb38acddfa3d8fc91e874c
Instruction Fuzzy Hash: DF617772A04320EFDB32AFB4BD89A6D7BA5AF15310F04426DF841A7292E63D9D4187D0

Function 007850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00785186
ShowWindow.USER32(?,00000000), ref: 007851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007851D1

Part of subcall function 00786FBA: DeleteObject.GDI32(00000000), ref: 00786FE6

GetWindowLongW.USER32(?,000000F0), ref: 0078520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0078521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0078524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00785287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00785296

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction ID: c63cc40b62dc488f0d260b9683e407a3d790ea09e3d068b5556f5df8376a7d7d
Opcode Fuzzy Hash: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction Fuzzy Hash: 49518F70AD0A08FEEF21AF28CC4DBD93BA5BB05361F248111F615D62E1CB7DA990DB51

Function 00708B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00746890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 00746901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0074691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 0074692D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction ID: 00be32ce6fc7760494847da7be1a7e85abeca5984f1ac061f71b80baea5b73bb
Opcode Fuzzy Hash: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction Fuzzy Hash: BD516AB0600209EFDB20CF24CC55FAA7BF5EB59760F204628F956962E0DB78E990DB51

Function 0076C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C182
GetLastError.KERNEL32 ref: 0076C195
SetEvent.KERNEL32(?), ref: 0076C1A9

Part of subcall function 0076C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
Part of subcall function 0076C253: GetLastError.KERNEL32 ref: 0076C322
Part of subcall function 0076C253: SetEvent.KERNEL32(?), ref: 0076C336
Part of subcall function 0076C253: InternetCloseHandle.WININET(00000000), ref: 0076C341

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction ID: ee995f543d033202cf4b090cc2f275ba57ca47af16357acfff83cf2858ebf3b0
Opcode Fuzzy Hash: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction Fuzzy Hash: 1F318A71240605AFDB229FB5DC58A77BBF8FF18300B14842EFD9B86610D739E8149BA0

Function 007525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00752601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00752605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0075260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00752623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00752627

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction ID: cb2648fa751256cf50849e800b85249f6d6f483923dbe5629194305c542494f7
Opcode Fuzzy Hash: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction Fuzzy Hash: 3601F570780214BBFB1067688C8EF993F59DB4AB52F204011F314AE0E1C9F518498A79

Function 00751803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00751449,?,?,00000000), ref: 0075180C
HeapAlloc.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751828
GetCurrentProcess.KERNEL32(?,00000000,?,00751449,?,?,00000000), ref: 00751830
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751843
GetCurrentProcess.KERNEL32(00751449,00000000,?,00751449,?,?,00000000), ref: 0075184B
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 0075184E
CreateThread.KERNEL32(00000000,00000000,00751874,00000000,00000000,00000000), ref: 00751868

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction ID: b5cf55e92d97822bf4f7c9113cb8a7e9312b6e5041710581ea8a4511d2dfb7d4
Opcode Fuzzy Hash: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction Fuzzy Hash: C701BFB5680308BFE711ABA5DC8EF573B6CEB89B11F518411FA05DB191D6759C00CB34

Function 0077A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0075D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Part of subcall function 0075D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Part of subcall function 0075D4DC: CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A16D
GetLastError.KERNEL32 ref: 0077A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0077A268
GetLastError.KERNEL32(00000000), ref: 0077A273
CloseHandle.KERNEL32(00000000), ref: 0077A2C4

Strings

SeDebugPrivilege, xrefs: 0077A18F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction ID: 37f663d38c15f42fd836a01bef9102819a744e07ebbec559621508f81ff6f84c
Opcode Fuzzy Hash: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction Fuzzy Hash: 69619071204242AFEB10DF18C494F29BBE1AF84358F54C49CE45A8B7A3C77AEC45CB96

Function 00783886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00783925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0078393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00783954
_wcslen.LIBCMT ref: 00783999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007839F4

Strings

SysListView32, xrefs: 007838F7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction ID: e2842cc984d57a1d63e0b54bae4065658f2348368f5b2ed07be70f0ad34bcc89
Opcode Fuzzy Hash: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction Fuzzy Hash: ED41E771A40208ABDF21AF68CC49FEA77A9EF08754F100126F544E7181D778DE80CB94

Function 0075BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075BCFD
IsMenu.USER32(00000000), ref: 0075BD1D
CreatePopupMenu.USER32 ref: 0075BD53
GetMenuItemCount.USER32(00D95680), ref: 0075BDA4
InsertMenuItemW.USER32(00D95680,?,00000001,00000030), ref: 0075BDCC

Strings

0, xrefs: 0075BCA8
2, xrefs: 0075BD37

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction ID: 386d1b282b8b455a632f98134ab78a557b350cd6fcd6f9424092dd1eafba8b86
Opcode Fuzzy Hash: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction Fuzzy Hash: B5517B70A00309DBDF11CFA8D888BFEBBF4AF45316F248159EC1197291D7B8A949CB61

Function 00712D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00712D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00712D53
_ValidateLocalCookies.LIBCMT ref: 00712DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00712E0C
_ValidateLocalCookies.LIBCMT ref: 00712E61

Strings

csm, xrefs: 00712DF6
&Hq, xrefs: 00712DFE, 00712E07, 00712E18

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hq$csm
API String ID: 1170836740-317068433
Opcode ID: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction ID: 175750d4f8c881dbfc515427b00d5abb0d47f08f8a0487aaf561e1f6cfcdf7af
Opcode Fuzzy Hash: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction Fuzzy Hash: 72416234A00209EBCF10DF6CD849ADEBBA5BF45324F148155E9146B3D3D739AAA6CBD0

Function 0075C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0075C913

Strings

blank, xrefs: 0075C895
warning, xrefs: 0075C8FC
question, xrefs: 0075C8CC
info, xrefs: 0075C8B4
stop, xrefs: 0075C8E4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction ID: d5ebca643b4d40691b99835648592fabd401d1ea85355c3123b453de7bdb4073
Opcode Fuzzy Hash: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction Fuzzy Hash: E9110D32689306BEE7025B549C83FEA679CDF15766B60402AFD00B62C2EBFC7D445268

Function 0075DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0075DE42
gethostname.WSOCK32(?,00000100), ref: 0075DE5C
gethostbyname.WSOCK32(?), ref: 0075DE69
inet_ntoa.WSOCK32(?), ref: 0075DEAB
_strcat.LIBCMT ref: 0075DEB9
WSACleanup.WSOCK32 ref: 0075DEDE

Strings

0.0.0.0, xrefs: 0075DE87

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: bdbae5946e9658bdcf24df283048fe7d24a70a5cdfb1ce39a04dd34942040a06
Instruction ID: 4296d53dace2ae8e54e57a1523784d3b74a81f3a3193b6f94e57f11bcd1f4249
Opcode Fuzzy Hash: bdbae5946e9658bdcf24df283048fe7d24a70a5cdfb1ce39a04dd34942040a06
Instruction Fuzzy Hash: 8311E171944119EBDB31AB249C0BEEE77ACDB11712F1001A9F905AA091EFBC9E858B60

Function 0075ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0075ED2A
_wcslen.LIBCMT ref: 0075ED3B
_wcslen.LIBCMT ref: 0075ED79
_wcslen.LIBCMT ref: 0075EDAF
_wcslen.LIBCMT ref: 0075EDDF
_wcslen.LIBCMT ref: 0075EDEF
_wcslen.LIBCMT ref: 0075EE2B
_wcslen.LIBCMT ref: 0075EE5A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction ID: c8e9cf535339611322ccd8637d62911d96357a915f7bcb464b262aedc60a5255
Opcode Fuzzy Hash: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction Fuzzy Hash: 5641B366C10218B5DB11EBF8888E9CFB7B8AF45710F508466E914F3162FB38E785C7A5

Function 0070F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0070F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F454

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction ID: 58062a9ddef47536a55838bdada3611ee509dafff885bb1d858e57239f44a91e
Opcode Fuzzy Hash: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction Fuzzy Hash: 6A410931628680FED7359B2DD888B2A7BD1AB96314F24863DE047D2DE1D73DB881C711

Function 00782D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00782D1B
GetDC.USER32(00000000), ref: 00782D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00782D2E
ReleaseDC.USER32(00000000,00000000), ref: 00782D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00782D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00782D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00785A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00782DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00782DE1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction ID: 9aaa591067bc6a00d8c51464526928253b7cefff33d1e563a5ad6e937866a6e9
Opcode Fuzzy Hash: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction Fuzzy Hash: ED319C72281214BFEB158F50CC8AFEB3FA9EF09751F148065FE089A291D6799C41CBB4

Function 00755622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755637
_memcmp.LIBVCRUNTIME ref: 00755659
_memcmp.LIBVCRUNTIME ref: 00755671
_memcmp.LIBVCRUNTIME ref: 00755684
_memcmp.LIBVCRUNTIME ref: 0075569E
_memcmp.LIBVCRUNTIME ref: 007556B1
_memcmp.LIBVCRUNTIME ref: 007556C9
_memcmp.LIBVCRUNTIME ref: 007556E4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction ID: 30419b0e74881b562b65933df5e45b863faf76f21ca6775c2e6807151a2c6ec8
Opcode Fuzzy Hash: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction Fuzzy Hash: 4021DAA1A81949F7D31465258DA2FFA335CEF14786F940020FE049E581F7ACEE1886A5

Function 00774FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0077502E, 00775383
Not an Object type, xrefs: 00775007

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction ID: cdebb49b68b67ee788687039e004ed00d93bc27adbe0c89837a5f8c611282718
Opcode Fuzzy Hash: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction Fuzzy Hash: D3D1C771A0060A9FDF10CF68C885BAEB7B5FF48384F14C469E919AB291D7B4DD45CB60

Function 00731522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00731651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007317FB,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007316FB

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00731777
__freea.LIBCMT ref: 007317A2
__freea.LIBCMT ref: 007317AE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction ID: 173d6199f30aec0eaed584f86fc0d25ca0937f4058abdcee8b90f320c39cb468
Opcode Fuzzy Hash: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction Fuzzy Hash: DC919371E002169AEF218FB4CC85EEE7BB5AF49710F984669E805E7242DB3DDD50CB60

Function 00774523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00774648
VariantInit.OLEAUT32(?), ref: 00774749
VariantClear.OLEAUT32(?), ref: 00774753
VariantClear.OLEAUT32(?), ref: 007747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007745D8, 00774706, 007747BE
Incorrect Object type in FOR..IN loop, xrefs: 0077472C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1cbcb88159f7e1e4b70c221caa70a70f0d027b238598467e76aa7400efa5dc5a
Instruction ID: c8e7b2d352b5d70aaf4c2618f54d1d951ed69fb90584610b7acb7969ea0000aa
Opcode Fuzzy Hash: 1cbcb88159f7e1e4b70c221caa70a70f0d027b238598467e76aa7400efa5dc5a
Instruction Fuzzy Hash: B6916271A00219EBDF24CFA4C845FAEBBB8EF46754F10C559F519AB280D7789941CFA0

Function 00761187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0076125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00761284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0076135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00761430

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction ID: c7ae924ef3fd78fe7d662162ee61e43a8d466a2c6913b0ffa6c22eafc1a497f3
Opcode Fuzzy Hash: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction Fuzzy Hash: 1591C271A00209DFDB01DFA4C899BBE7BB5FF45324F598029E902E7291D77CA941CB94

Function 0070948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction ID: 7e7c15ce928e9e1878e3b21cbc256493149d1ba38d742b50e05cfa682511daf3
Opcode Fuzzy Hash: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction Fuzzy Hash: 74915C71D40219EFCB15CFA9CC88AEEBBB8FF49320F248155E515B7292D378A951CB60

Function 00773947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077396B
CharUpperBuffW.USER32(?,?), ref: 00773A7A
_wcslen.LIBCMT ref: 00773A8A
VariantClear.OLEAUT32(?), ref: 00773C1F

Part of subcall function 00760CDF: VariantInit.OLEAUT32(00000000), ref: 00760D1F
Part of subcall function 00760CDF: VariantCopy.OLEAUT32(?,?), ref: 00760D28
Part of subcall function 00760CDF: VariantClear.OLEAUT32(?), ref: 00760D34

Strings

Incorrect Parameter format, xrefs: 007739A6, 00773BA1
AUTOIT.ERROR, xrefs: 00773A80, 00773A85

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction ID: a9945a5eb244a4553fdb799320341d015296751d2d89daa60813075a069c87b4
Opcode Fuzzy Hash: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction Fuzzy Hash: 989164756083059FCB04EF24C48596AB7E5FF88354F14892EF88A9B351DB38EE05CB92

Function 00774BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0075000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
Part of subcall function 0075000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
Part of subcall function 0075000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
Part of subcall function 0075000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00774C51
_wcslen.LIBCMT ref: 00774D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00774DCF
CoTaskMemFree.OLE32(?), ref: 00774DDA

Strings

NULL Pointer assignment, xrefs: 00774E23, 00774E52

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction ID: 9d0046661b032ce2696cd3fc625af29639961f15502db80d7de1bd825310d975
Opcode Fuzzy Hash: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction Fuzzy Hash: 54913771D0021DEFDF15DFA4C880AEEB7B9BF08350F108569E919A7281EB749A44CFA0

Function 007820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00782183
GetMenuItemCount.USER32(00000000), ref: 007821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007821DD
_wcslen.LIBCMT ref: 00782213
GetMenuItemID.USER32(?,?), ref: 0078224D
GetSubMenu.USER32(?,?), ref: 0078225B

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007822E3

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4006bd374b6a64fad44c6812beac4237d7153910b8aec7ddd98af9e14b681d39
Instruction ID: 71575960c1d1819f5536aaa5bf033b841b1ecf0f6357a87b1f8a780d85332123
Opcode Fuzzy Hash: 4006bd374b6a64fad44c6812beac4237d7153910b8aec7ddd98af9e14b681d39
Instruction Fuzzy Hash: 61717175E40209EFCB10EF64C845AAEB7F5FF48321F258459E916EB352D738AD428B90

Function 00787E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D956A8), ref: 00787F37
IsWindowEnabled.USER32(00D956A8), ref: 00787F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0078801E
SendMessageW.USER32(00D956A8,000000B0,?,?), ref: 00788051
IsDlgButtonChecked.USER32(?,?), ref: 00788089
GetWindowLongW.USER32(00D956A8,000000EC), ref: 007880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007880C3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction ID: 3d307188b51241ebca09802228fec48df1edcca65fcae6107f5215f8b6524329
Opcode Fuzzy Hash: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction Fuzzy Hash: 0D71B274688204AFEB25AF55CC84FAA7BB5FF09300F644059FA4697261CB39EC46DB20

Function 0075AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0075AEF9
GetKeyboardState.USER32(?), ref: 0075AF0E
SetKeyboardState.USER32(?), ref: 0075AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0075AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0075AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0075AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0075B020

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction ID: 43c2b46accf22bb0b10e43eae4984bcafa97ba056e8e1f13d6277e2c5393c59a
Opcode Fuzzy Hash: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction Fuzzy Hash: 275103A0A043D53DFB3242348C4ABFABEA95B06305F088599E9D9454C2D3EDECCCD361

Function 0075ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0075AD19
GetKeyboardState.USER32(?), ref: 0075AD2E
SetKeyboardState.USER32(?), ref: 0075AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0075ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0075ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0075AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0075AE38

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction ID: 98b0ec7c0f03fcb248c619e2d550cc0bba7561d2347df88a85d786f2bc1d6897
Opcode Fuzzy Hash: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction Fuzzy Hash: C95108A16047D53DFB3353348C46BFABEA86B05302F0886A8E5D5568C2D2DCEC8CD762

Function 0072542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00733CD6,?,?,?,?,?,?,?,?,00725BA3,?,?,00733CD6,?,?), ref: 00725470
__fassign.LIBCMT ref: 007254EB
__fassign.LIBCMT ref: 00725506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00733CD6,00000005,00000000,00000000), ref: 0072552C
WriteFile.KERNEL32(?,00733CD6,00000000,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 0072554B
WriteFile.KERNEL32(?,?,00000001,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 00725584

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction ID: f0748af104d366a9e6e36f65e85aa38fdb7a7cbbc6aa8b87503825ec96da804a
Opcode Fuzzy Hash: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction Fuzzy Hash: 4B51E6709006589FDB11CFA8E885AEEBBFAEF09300F14411AF555E7291E734DA51CBA0

Function 007710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00771112
WSAGetLastError.WSOCK32 ref: 00771121
WSAGetLastError.WSOCK32 ref: 007711C9
closesocket.WSOCK32(00000000), ref: 007711F9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction ID: 50064738d61d7fa6d2e11a604ac5061098c0f912a9db6882017b187195683c09
Opcode Fuzzy Hash: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction Fuzzy Hash: 3E410531600208AFDB109F58C884BA9B7EAEF453A4F94C059FE099F291C778ED41CBE5

Function 0075CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

lstrcmpiW.KERNEL32(?,?), ref: 0075CF45
MoveFileW.KERNEL32(?,?), ref: 0075CF7F
_wcslen.LIBCMT ref: 0075D005
_wcslen.LIBCMT ref: 0075D01B
SHFileOperationW.SHELL32(?), ref: 0075D061

Strings

\*.*, xrefs: 0075CFF3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction ID: e4baa755111b02fb29f3439ccc982d1086a83ac2c2ed48232108715fca3c723e
Opcode Fuzzy Hash: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction Fuzzy Hash: 6E4158729452189FDF27EBA4DD85BDD77B9AF08381F1000E6E505E7181EA78AB88CB50

Function 00782DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00782E1C
GetWindowLongW.USER32(?,000000F0), ref: 00782E4F
GetWindowLongW.USER32(?,000000F0), ref: 00782E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00782EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00782EE0
GetWindowLongW.USER32(?,000000F0), ref: 00782EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00782F0B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction ID: 804c07137c7e814db1ce394ad43d5093c6d5e1db9b3efabd78ce106d83d62f91
Opcode Fuzzy Hash: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction Fuzzy Hash: 2D312430784240AFEB21DF18DC88F6537E0FB8A711F6541A5F9008F2B2CB79A841DB18

Function 00757726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0075778F
SysAllocString.OLEAUT32(00000000), ref: 00757792
SysAllocString.OLEAUT32(?), ref: 007577B0
SysFreeString.OLEAUT32(?), ref: 007577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007577DE
SysAllocString.OLEAUT32(?), ref: 007577EC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e5e62fc11e63f5f976e46a6863efcd5181a1221d227bd89cecfae15f7e252c59
Instruction ID: ff62cb7265b04c89bc506edd1b589e9c118b2050de2b3f3416c528c884021729
Opcode Fuzzy Hash: e5e62fc11e63f5f976e46a6863efcd5181a1221d227bd89cecfae15f7e252c59
Instruction Fuzzy Hash: EA21AE76604219AFDB14DFA8EC88CFB77ACEB09364B108425FE04DB290D6B8DC85C764

Function 007577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757868
SysAllocString.OLEAUT32(00000000), ref: 0075786B
SysAllocString.OLEAUT32 ref: 0075788C
SysFreeString.OLEAUT32 ref: 00757895
StringFromGUID2.OLE32(?,?,00000028), ref: 007578AF
SysAllocString.OLEAUT32(?), ref: 007578BD

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8f56d6523ecf5cd9a2f6616f989efe5a5a8af62e6256e4a66c65fdd4b812ae03
Instruction ID: eb7b3d1b527b1082b8b090b2cd7bd3f25f49f6f783dc2fd8a1ea5ec2067de122
Opcode Fuzzy Hash: 8f56d6523ecf5cd9a2f6616f989efe5a5a8af62e6256e4a66c65fdd4b812ae03
Instruction Fuzzy Hash: 9D21B671604214AFDB149FB8EC8CDBA77ECEB083607108125F915CB2A1D6B8EC85CB74

Function 007604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0076052E

Strings

nul, xrefs: 00760567

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction ID: b3ccd2694ab8212a2ad8ffe708e7ab3d650ee2d943f15b5f691cdbb34494ca9d
Opcode Fuzzy Hash: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction Fuzzy Hash: 88216D75500305ABDB209F29DC48E9B77A4BF45724F204A19FCA3D62E1E7749960CFA0

Function 007605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00760601

Strings

nul, xrefs: 00760639

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction ID: e1164f290825a9b661b52a09fe31ff87035fa40ea3799fa6f797f5fdcbd35497
Opcode Fuzzy Hash: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction Fuzzy Hash: AE2192755403059BDB209F69CC48E9B77F4BF95720F204A19FCA2E72E0D7B89860CBA5

Function 007840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00784112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0078411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0078412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00784139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00784145

Strings

Msctls_Progress32, xrefs: 007840E3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction ID: 098f50dcfb9805f0a8ee65a256388d9b89ab346d4ba5666e3545e3ab9157f0d4
Opcode Fuzzy Hash: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction Fuzzy Hash: 6F1190B219021EBEEF119F64CC85EE77F9DEF08798F114110BA18A2090CA769C21DBA4

Function 0072D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0072D7A3: _free.LIBCMT ref: 0072D7CC

_free.LIBCMT ref: 0072D82D

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D838
_free.LIBCMT ref: 0072D843
_free.LIBCMT ref: 0072D897
_free.LIBCMT ref: 0072D8A2
_free.LIBCMT ref: 0072D8AD
_free.LIBCMT ref: 0072D8B8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1afe24cca967fabe254edcbf039692efef0bcaa5f2b506780b165991184ffe64
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 66111F71540B24FAD531BFB0EC4BFCB7BDC6F04700F804825B2D9A65A3DA6DB9464A50

Function 0075DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0075DA74
LoadStringW.USER32(00000000), ref: 0075DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0075DA91
LoadStringW.USER32(00000000), ref: 0075DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0075DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0075DAB9

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction ID: 4373ce88f1f94738d44e13432e3bdb75e02e45de9a4a6b399f1a988944ee4f47
Opcode Fuzzy Hash: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction Fuzzy Hash: 240186F2940208BFF711ABA09D8DEE7336CE708701F5084A6B706E2041E6789E844F74

Function 0076096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D8E998,00D8E998), ref: 0076097B
EnterCriticalSection.KERNEL32(00D8E978,00000000), ref: 0076098D
TerminateThread.KERNEL32(?,000001F6), ref: 0076099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007609A9
CloseHandle.KERNEL32(?), ref: 007609B8
InterlockedExchange.KERNEL32(00D8E998,000001F6), ref: 007609C8
LeaveCriticalSection.KERNEL32(00D8E978), ref: 007609CF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction ID: b8e5d453e1effccd3a14ae9616b267381f3d83c02d55cba54f66346106e98f40
Opcode Fuzzy Hash: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction Fuzzy Hash: 9AF0EC32482A12BBD7525FA4EE8DBD6BB39FF05712F506025F202908E1C779A465CFA4

Function 00771C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00771DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00771DE1
WSAGetLastError.WSOCK32 ref: 00771DF2
htons.WSOCK32(?,?,?,?,?), ref: 00771EDB
inet_ntoa.WSOCK32(?), ref: 00771E8C

Part of subcall function 007539E8: _strlen.LIBCMT ref: 007539F2

Part of subcall function 00773224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0076EC0C), ref: 00773240

_strlen.LIBCMT ref: 00771F35

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 50c64ad1c4658d97d6ed6da38d72b660eb6267af3f163cddd8e8a82f19d20b84
Instruction ID: fa05398699192be18078c17777d9838c8c2bc32660e085f73f7fb3c6c9035f86
Opcode Fuzzy Hash: 50c64ad1c4658d97d6ed6da38d72b660eb6267af3f163cddd8e8a82f19d20b84
Instruction Fuzzy Hash: 7CB1EF31204340AFC724DF28C895E3A7BE6AF85358F94894CF55A5B2E2CB75ED42CB91

Function 006F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006F5D30
GetWindowRect.USER32(?,?), ref: 006F5D71
ScreenToClient.USER32(?,?), ref: 006F5D99
GetClientRect.USER32(?,?), ref: 006F5ED7
GetWindowRect.USER32(?,?), ref: 006F5EF8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction ID: 7d31dfb5911191ccacbccf869b06517d2d7c5efa573a63fcbaec35345e967da9
Opcode Fuzzy Hash: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction Fuzzy Hash: EBB16A74A0074ADBDB14CFA9C4807FAB7F2FF58310F14841AEAAAD7250DB34AA51DB54

Function 007201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007200D6
__allrem.LIBCMT ref: 007200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0072010B
__allrem.LIBCMT ref: 00720122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00720140

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1448efe4918906e19afd48361064357949cfdd21720e7c138b423e9941ae403a
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 78811372A00716EBE7209E2CDC45BAE73E9AF41724F24413EF511D62C2E7B8D9418BA0

Function 007261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007182D9,007182D9,?,?,?,0072644F,00000001,00000001,8BE85006), ref: 00726258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0072644F,00000001,00000001,8BE85006,?,?,?), ref: 007262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007263D8
__freea.LIBCMT ref: 007263E5

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

__freea.LIBCMT ref: 007263EE
__freea.LIBCMT ref: 00726413

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction ID: a63a65485d08a10314fd460e494bd6e3732a7d241c1f4bf11e21596a508eedfb
Opcode Fuzzy Hash: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction Fuzzy Hash: C451E472A00266ABEB259F64EC85EBF77A9EF44710F15466AFC05D6182DB3CDC40C6A0

Function 0077BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BD25
RegCloseKey.ADVAPI32(00000000), ref: 0077BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0077BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077BDF3
RegCloseKey.ADVAPI32(?), ref: 0077BDFF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fa101aea266b8befecaee00e74aadea1c78760492b642fd51a96f37a36357b22
Instruction ID: 658be8d3059b528af7ef49a7bffcf4318b9ba3d3d0e7331eaeab8021780cd77d
Opcode Fuzzy Hash: fa101aea266b8befecaee00e74aadea1c78760492b642fd51a96f37a36357b22
Instruction Fuzzy Hash: C081AE70208241EFDB15DF24C885E2ABBE5FF84348F14895CF5598B2A2DB35ED45CBA2

Function 0074F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0074F7B9
SysAllocString.OLEAUT32(00000001), ref: 0074F860
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F889
VariantClear.OLEAUT32(0074FA64), ref: 0074F8AD
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F8B1
VariantClear.OLEAUT32(?), ref: 0074F8BB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction ID: ec9e3d9b90591e487bce1ef6c8c32fe68fef92523c23e9f237fd379d516cdda6
Opcode Fuzzy Hash: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction Fuzzy Hash: A551E831A01350FACF24AF65D895B39B3E9EF45310F24946BE905DF291DB789C40CB66

Function 0076910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007694E5
_wcslen.LIBCMT ref: 00769506
_wcslen.LIBCMT ref: 0076952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00769585

Strings

X, xrefs: 00769412

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 036bdd1ad2dccd97594883ce5b0a5a633f756f950e72d087e4a7363e5a1c9bea
Instruction ID: f230bf961fca39a3a512a14de3350054990f7e318c1751faffdbc62919021378
Opcode Fuzzy Hash: 036bdd1ad2dccd97594883ce5b0a5a633f756f950e72d087e4a7363e5a1c9bea
Instruction Fuzzy Hash: A1E1C031608350DFC764DF24C881A6AB7E5BF85310F04896DFA8A9B3A2DB34DD05CB92

Function 0070920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

BeginPaint.USER32(?,?,?), ref: 00709241
GetWindowRect.USER32(?,?), ref: 007092A5
ScreenToClient.USER32(?,?), ref: 007092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007092D3
EndPaint.USER32(?,?,?,?,?), ref: 00709321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007471EA

Part of subcall function 00709339: BeginPath.GDI32(00000000), ref: 00709357

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction ID: 98a535ef260e3817fb7e410b431aee19ca7989793a3903c476e9043b61a3adc9
Opcode Fuzzy Hash: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction Fuzzy Hash: 13419E70104240EFD721DF24CC88FBA7BF8EB86320F144229FA94872E2C779A845DB61

Function 007607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0076080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00760847
EnterCriticalSection.KERNEL32(?), ref: 00760863
LeaveCriticalSection.KERNEL32(?), ref: 007608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00760921

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 176f7a1a025ba61cdc7daab9565be0870c7e0322750f8819525a322a24d5e33d
Instruction ID: de871908a9623606b76d00d81261791eff14ea4e8a91f77fe988c82480815218
Opcode Fuzzy Hash: 176f7a1a025ba61cdc7daab9565be0870c7e0322750f8819525a322a24d5e33d
Instruction Fuzzy Hash: 7A418B71900205EBDF15EF54DC85AAA77B9FF04310F1080A9ED019B297D738EE64DBA4

Function 007881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0074F3AB,00000000,?,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0078824C
EnableWindow.USER32(?,00000000), ref: 00788272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007882D1
ShowWindow.USER32(?,00000004), ref: 007882E5
EnableWindow.USER32(?,00000001), ref: 0078830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0078832F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction ID: 041c31116a5dc495104308e61c343544a98483a27ed198fcd37af87f3bfe7734
Opcode Fuzzy Hash: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction Fuzzy Hash: 9141C734641644EFDB62EF14C899FE87BE0FB06714F9841B9E5088B263CB39A841CB55

Function 00754C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00754C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00754CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00754CEA
_wcslen.LIBCMT ref: 00754D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00754D10
_wcsstr.LIBVCRUNTIME ref: 00754D1A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 69229d369f632f104a7e6716bcc3bebd409a2c59cb0094b677bc4b026a1a46c0
Instruction ID: 80c845f5c8e5ce54eecaa5dfd64cb6d3b7ae8ded7b7e7d34d5c2c8e5528c06a9
Opcode Fuzzy Hash: 69229d369f632f104a7e6716bcc3bebd409a2c59cb0094b677bc4b026a1a46c0
Instruction Fuzzy Hash: 20210732704200BBEB255B39DC09EBB7BA8DF45754F108079FD05CA191EAA9DC8483A0

Function 0076581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

_wcslen.LIBCMT ref: 0076587B
CoInitialize.OLE32(00000000), ref: 00765995
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 007659AE
CoUninitialize.OLE32 ref: 007659CC

Strings

.lnk, xrefs: 00765876, 007658C1, 00765985

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction ID: d1629f60ab4d46bc41e67cbcfbe99a6500b77a915c579279c1efcd5d9cfe0f77
Opcode Fuzzy Hash: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction Fuzzy Hash: BAD163B0608705DFC714DF24C484A2ABBE2EF89720F14895DF98A9B361DB35EC45CB92

Function 0075175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
Part of subcall function 00750FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
Part of subcall function 00750FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
Part of subcall function 00750FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

GetLengthSid.ADVAPI32(?,00000000,00751335), ref: 007517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007517BA
HeapAlloc.KERNEL32(00000000), ref: 007517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007517DA
GetProcessHeap.KERNEL32(00000000,00000000,00751335), ref: 007517EE
HeapFree.KERNEL32(00000000), ref: 007517F5

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction ID: a9b38d549f08852019cecabb9043fdce9a4f242589952f46a396ca45c4dc240c
Opcode Fuzzy Hash: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction Fuzzy Hash: 8711EE71900204FFDB119FA8CC89BEE7BA8EB49357F608918F841A7210C779AD08CB64

Function 007514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00751506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00751515
CloseHandle.KERNEL32(00000004), ref: 00751520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00751563

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction ID: e75fcf4db73e20b276d74a7b3258543dcd8e2be7e5bc16f1b0af935f104eb6b4
Opcode Fuzzy Hash: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction Fuzzy Hash: 0E119D7210024DABDF128F94DD09FDE3BA9EF48746F148018FE05A2060D3B9CE64EB61

Function 00713382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00713379,00712FE5), ref: 00713390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0071339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007133B7
SetLastError.KERNEL32(00000000,?,00713379,00712FE5), ref: 00713409

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d1fdd39a540152c238dc3082ea7b29e05975b85e94a00e33b129413ebe32ae92
Instruction ID: 51a2c378b7f0f0745b192ae783725b8ec376fa60c7ccda76f7ea5c2530ad018a
Opcode Fuzzy Hash: d1fdd39a540152c238dc3082ea7b29e05975b85e94a00e33b129413ebe32ae92
Instruction Fuzzy Hash: 7C01D832709311FEAB163B7C7C89AE62A54EB053757208329F420891F1EF1D4E82555C

Function 00722D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00725686,00733CD6,?,00000000,?,00725B6A,?,?,?,?,?,0071E6D1,?,007B8A48), ref: 00722D78
_free.LIBCMT ref: 00722DAB
_free.LIBCMT ref: 00722DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DEC
_abort.LIBCMT ref: 00722DF2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4f5277490ed71990abbe57c53912297c7e8aabf9b5fb5d2de291d764cf212c19
Instruction ID: 8f2e20fcfd7680177b93526e69c5df9602b220f54b239d21fc306b2fef6c09b7
Opcode Fuzzy Hash: 4f5277490ed71990abbe57c53912297c7e8aabf9b5fb5d2de291d764cf212c19
Instruction Fuzzy Hash: 0BF0A436744630B7C2132738BC0EE5A2699ABC27A1B348518F824A21E3EE3CD8434271

Function 00788A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00788A4E
LineTo.GDI32(?,00000003,00000000), ref: 00788A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00788A70
LineTo.GDI32(?,00000000,00000003), ref: 00788A80
EndPath.GDI32(?), ref: 00788A90
StrokePath.GDI32(?), ref: 00788AA0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction ID: c181f26711c3f93bd8eeb671c485d6ee4f7abccfe4da059d77179bee05462b11
Opcode Fuzzy Hash: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction Fuzzy Hash: 2F11097604014CFFDB129F90DC88EAA7F6DEB08390F10C022BA199A1A1C775AD55DBA5

Function 007551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00755218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00755229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00755230
ReleaseDC.USER32(00000000,00000000), ref: 00755238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0075524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00755261

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction ID: 3bcfc23e3958c9843d3e68ba5671cef554421089ca8612eb8cb7e15037d33cda
Opcode Fuzzy Hash: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction Fuzzy Hash: 02018FB5E40708BBEB119BB59C49A4EBFB8FF48351F148065FA04E7280DA749804CBA4

Function 006F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction ID: dc52a45f81e59df53f09d4cb4478895fb6cb274729cd119423b2b3a544d7a0d4
Opcode Fuzzy Hash: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction Fuzzy Hash: ED016CB09427597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 0075EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0075EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0075EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0075EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB75

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction ID: b71502eb6c1a5ae8472fe98ca8871064704503f5bace4415a16056f7298a8e31
Opcode Fuzzy Hash: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction Fuzzy Hash: 80F054B2680158BBE72257529C4EEEF3E7CEFCAB11F108168F601D1091E7B85A01C7B9

Function 00747439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00747452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00747469
GetWindowDC.USER32(?), ref: 00747475
GetPixel.GDI32(00000000,?,?), ref: 00747484
ReleaseDC.USER32(?,00000000), ref: 00747496
GetSysColor.USER32(00000005), ref: 007474B0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction ID: 5072e42ba2c72739ca1f03e128ace99d6486bb8fe1e9d0f711dec9abbb0657c2
Opcode Fuzzy Hash: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction Fuzzy Hash: B801AD31540205EFDB125FA4EC08BBA7BB5FF04321F708164F915A21A1CB391E51EB24

Function 00751874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0075187F
UnloadUserProfile.USERENV(?,?), ref: 0075188B
CloseHandle.KERNEL32(?), ref: 00751894
CloseHandle.KERNEL32(?), ref: 0075189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007518A5
HeapFree.KERNEL32(00000000), ref: 007518AC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction ID: 5bf06edb8c93edaf652fcf37e14bfbde19d55178d2d1d09c34f3359cf9663953
Opcode Fuzzy Hash: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction Fuzzy Hash: DCE0E576484105BBDB025FA1ED0CD0ABF39FF49B22B20C220F22581474CB369821EF68

Function 006FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006FBEB3

Strings

D%|D%|, xrefs: 006FBCA5
D%|, xrefs: 006FBE9A
D%|, xrefs: 006FBCA2
D%|, xrefs: 006FBDED, 006FBD91, 006FBD1B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%|$D%|$D%|$D%|D%|
API String ID: 1385522511-1919417341
Opcode ID: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction ID: a6a2339168449304bc59e8c2df3c7d58a01ebad32c883df4aa44af37913edcf0
Opcode Fuzzy Hash: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction Fuzzy Hash: F9913A75A0020ACFCB18CF58C091ABAB7F2FF58310F24916EDA55AB351D775E982CB90

Function 00777B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00777BFB

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Strings

G, xrefs: 00777C7F
+Tt, xrefs: 00777E2E
5, xrefs: 00777C78
Variable must be of type 'Object'., xrefs: 00777C3A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tt$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3166622399
Opcode ID: 37943c79a195878e8110d8d68011cec6e8400be33c4b0dcfad77886b5a855743
Instruction ID: 4d6ec24e7cc24684db50f201b954bee1d09339f9c5f4a51c73af656a73437236
Opcode Fuzzy Hash: 37943c79a195878e8110d8d68011cec6e8400be33c4b0dcfad77886b5a855743
Instruction Fuzzy Hash: 9B916B70A04209EFCF19EF54D8959BDB7B6BF48340F10805DF81A9B292DB79AE41CB61

Function 0075C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C6EE
_wcslen.LIBCMT ref: 0075C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0075C7CA

Strings

0, xrefs: 0075C6AF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 5368e4079ab8d9423ba7f7c3209f57ed79295c58ffe844f3d047dee5e68ae37f
Instruction ID: f0bf199edd7a0dd4bdb1a58e9f22ab7deddbb8a817906bcec6f903759c4797c7
Opcode Fuzzy Hash: 5368e4079ab8d9423ba7f7c3209f57ed79295c58ffe844f3d047dee5e68ae37f
Instruction Fuzzy Hash: 6E51CD716043019FD7529E28C885BAAB7E8EB49311F040A2DFD95D35E1DBB8DD088B96

Function 0077AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0077AEA3

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetProcessId.KERNEL32(00000000), ref: 0077AF38
CloseHandle.KERNEL32(00000000), ref: 0077AF67

Strings

<, xrefs: 0077AE6B
@, xrefs: 0077AE72

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6821bac5a49ad100f5f1104e83f6edb16affab356ae041216db19d79ba6a8c54
Instruction ID: 36fa17f7a5a338d6470c7d7a9b1f27d5701809272e3144c651d68e628d4db51b
Opcode Fuzzy Hash: 6821bac5a49ad100f5f1104e83f6edb16affab356ae041216db19d79ba6a8c54
Instruction Fuzzy Hash: 70715870A00619EFDF14DF54C485AAEBBF1BF48314F048499E81AAB392CB78ED45CB95

Function 0075719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00757206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0075723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0075724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007572CF

Strings

DllGetClassObject, xrefs: 00757242

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction ID: 2500557ea6bfadbc8e8e555e8eaca64a45d0d9a33310d8dea1a93657f5d2fd55
Opcode Fuzzy Hash: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction Fuzzy Hash: 15412FB1A04204EFDB19CF54D884ADA7BB9FF44311F2480A9BD059F20AD7F9D949DBA0

Function 00783D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783E35
IsMenu.USER32(?), ref: 00783E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783E92
DrawMenuBar.USER32 ref: 00783EA5

Strings

0, xrefs: 00783D89

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction ID: 96cb4e19ce9829bfec9b42c85715fdb406e71f327e3ba72335bb807463959e34
Opcode Fuzzy Hash: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction Fuzzy Hash: 54416775A00209EFDF10EF69D884EAABBB9FF49750F148129E915A7250D738AE50CF60

Function 00751DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00751E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00751E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00751EA9

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Strings

ListBox, xrefs: 00751E25
ComboBox, xrefs: 00751DF0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 13775a157b45c40b38a2dacfdddb1fe3dbdf20ec011d574e4aed4c29e4ce28b6
Instruction ID: 04d357dc859e23d447d26f1c598157ec078bf2f71f30cb606fc9ea03d6214c51
Opcode Fuzzy Hash: 13775a157b45c40b38a2dacfdddb1fe3dbdf20ec011d574e4aed4c29e4ce28b6
Instruction Fuzzy Hash: 64212371A00108AADB14AB64CC4AEFFB7B9DF42392B54452DFC21A31E0DB7C490D8630

Function 00782F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00782F8D
LoadLibraryW.KERNEL32(?), ref: 00782F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00782FA9
DestroyWindow.USER32(?), ref: 00782FB1

Strings

SysAnimate32, xrefs: 00782F68

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction ID: 6ac55fad217ebeb4d56f21c5679c82e5ab2b9c5db22c1e75d9400a5f3952187c
Opcode Fuzzy Hash: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction Fuzzy Hash: 6921DC71244209ABEB116F64DC84EBB37B9EF59325F204628FA10D20A2D779DC52D760

Function 00714D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002), ref: 00714D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00714DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000), ref: 00714DC3

Strings

CorExitProcess, xrefs: 00714D98
mscoree.dll, xrefs: 00714D86

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction ID: a60a8ddf281e321e215309b37d842430cf9265f98bafa8870bf575e69f663f40
Opcode Fuzzy Hash: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction Fuzzy Hash: 50F0A430A50208BFDF115F94EC49BDDBBB5EF04712F104094F905A2190CB385A80CBD5

Function 0074D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0074D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074D3BF
FreeLibrary.KERNEL32(00000000), ref: 0074D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0074D3B9
X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction ID: c8ddcf0debd29f68919594a95a8c24b44f848730b5640cc1e3df3fd0def3d41b
Opcode Fuzzy Hash: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction Fuzzy Hash: EEF055B1942620DBD3322B108C8CA693714BF02B01BA4C1A8F882E1140DBBCCC4087A3

Function 006F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

Strings

kernel32.dll, xrefs: 006F4E94
Wow64DisableWow64FsRedirection, xrefs: 006F4EA8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction ID: 73e56fe7ae25a64dd119656c15408736bece67047b2e6dc23b4b0a324607781d
Opcode Fuzzy Hash: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction Fuzzy Hash: 06E08675E416265B93331B257C5CBAB6955AF81F627154115FE00D2700DF78CD0582B4

Function 006F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Strings

kernel32.dll, xrefs: 006F4E5B
Wow64RevertWow64FsRedirection, xrefs: 006F4E6E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction ID: c9692e604211d32838d9acf19ece3a169ae7b5b5ff51c54b766ed49d9534d06e
Opcode Fuzzy Hash: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction Fuzzy Hash: DFD0C271946A255747331B257C0CEDB2A1AAF81F113154210BA00A2210CF38CD0583F4

Function 00762947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762C05
DeleteFileW.KERNEL32(?), ref: 00762C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00762C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CC0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c06253b8e000fdc815e6ed33e753f3fc2c77338879e64e9d9d9171658917e3dd
Instruction ID: bb091ef65f907e9c66fd6dfebf16511a9d8047dcf5dd4e6b0cff7f00e40252f8
Opcode Fuzzy Hash: c06253b8e000fdc815e6ed33e753f3fc2c77338879e64e9d9d9171658917e3dd
Instruction Fuzzy Hash: E8B1617190051DABDF61DBA4CC89EDE77BDEF08300F1040A6FA0AE6142EA349E458F65

Function 0077A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0077A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0077A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0077A468
CloseHandle.KERNEL32(?), ref: 0077A63D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction ID: ae6024d21a71c04595ed09d4d8db1b07bd000ad223ea012a7e7b2b357146a774
Opcode Fuzzy Hash: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction Fuzzy Hash: 7CA1A171604301AFEB20DF24C886F2AB7E5AF84714F14C85DF95A9B2D2D7B4EC418B96

Function 0072BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00793700), ref: 0072BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0072BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007C1270,000000FF,?,0000003F,00000000,?), ref: 0072BC36
_free.LIBCMT ref: 0072BB7F

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072BD4B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5a05d1af083f7069b220192268d966370d8ef0eaf0bb2faefbd774ed6f4a10d5
Instruction ID: 9eed53f748f337eaa76ec910636683ad4108499f672949787f328f0e69a60833
Opcode Fuzzy Hash: 5a05d1af083f7069b220192268d966370d8ef0eaf0bb2faefbd774ed6f4a10d5
Instruction Fuzzy Hash: B051E971900229EFCB10EF65AC85DAEB7BCFF45310B50826EE554D7192EB389D818B64

Function 0075E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

lstrcmpiW.KERNEL32(?,?), ref: 0075E473
MoveFileW.KERNEL32(?,?), ref: 0075E4AC
_wcslen.LIBCMT ref: 0075E5EB
_wcslen.LIBCMT ref: 0075E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0075E650

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction ID: a7d55b635211755304065c72c264fc72cafe916f4b61d4afb53b0841c8874b6b
Opcode Fuzzy Hash: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction Fuzzy Hash: 525175B24083859BC778DB94DC859DB73ECAF84341F00491EFA89D3191EF79A68C8766

Function 0077B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0077BB63
RegCloseKey.ADVAPI32(?,?), ref: 0077BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0077BBB3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction ID: 180a319158901cc6b887201ed0a7ab246a3c7714ab4f163cba5c595d83d5b0cb
Opcode Fuzzy Hash: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction Fuzzy Hash: DB617B71208245AFD714DF24C890F2ABBE5BF84348F14895CF5998B2A2DB35ED45CB92

Function 00758BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00758BCD
VariantClear.OLEAUT32 ref: 00758C3E
VariantClear.OLEAUT32 ref: 00758C9D
VariantClear.OLEAUT32(?), ref: 00758D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00758D3B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction ID: 9ec384a3ebeb576dd78fafd3995fc531b8c8ddff02c3c5102520af8f53d90cbd
Opcode Fuzzy Hash: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction Fuzzy Hash: E1516BB5A00219DFCB10CF68C884AAAB7F4FF8D310B158559E919EB350E774E911CBA0

Function 00768AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00768BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00768BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00768C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00768C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00768C5F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: cc118e8ae90ceb9f77149e316177c614b38b9eeb310dadbe27a2d3311fdf5db6
Instruction ID: bb1f000437b6d7d6a1c8e6b4ce13c8c0900fcb92550ea5b55f74cd204fe26df1
Opcode Fuzzy Hash: cc118e8ae90ceb9f77149e316177c614b38b9eeb310dadbe27a2d3311fdf5db6
Instruction Fuzzy Hash: 7C515F35A00219DFCB15DF54C880E69BBF5FF48314F088498E94AAB3A2CB35ED45CBA5

Function 00778EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00778F40
GetProcAddress.KERNEL32(00000000,?), ref: 00778FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00778FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00779032
FreeLibrary.KERNEL32(00000000), ref: 00779052

Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00761043,?,7529E610), ref: 0070F6E6
Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0074FA64,00000000,00000000,?,?,00761043,?,7529E610,?,0074FA64), ref: 0070F70D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction ID: daf503ba6ce7d2a2e22cc7d281fa6dbe63fe805db4de97f9814f07323b0cfe61
Opcode Fuzzy Hash: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction Fuzzy Hash: 48515934605209DFCB55DF58C4948ADBBF2FF49354B08C0A8E90AAB362DB35ED85CB91

Function 00786B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00786C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00786C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00786C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0076AB79,00000000,00000000), ref: 00786C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00786CC7

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction ID: b600c1ba8ce794ed79b74f3f1d3ee1e094dc26ac68c43cdaeabf61ffe3d55bad
Opcode Fuzzy Hash: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction Fuzzy Hash: 1541D275680104BFDB25EF28CC58FA97BA5EB09350F254268F895A72E0D379FD40CB60

Function 00722051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007220C3
_free.LIBCMT ref: 007220E3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction ID: 95fa276194453b7b90ec21f256ff017b3896bcc17e389a3952cc418322c71436
Opcode Fuzzy Hash: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction Fuzzy Hash: 7041E432A00214EFCB20DF78D884A5DB3E5EF88310F1585A8E515EB392EB35ED02CB81

Function 0070912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00709141
ScreenToClient.USER32(00000000,?), ref: 0070915E
GetAsyncKeyState.USER32(00000001), ref: 00709183
GetAsyncKeyState.USER32(00000002), ref: 0070919D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction ID: e9213fea1769e78e6fc9cd66de0c5f2532318e194d5f80dbf54e35989c9354c5
Opcode Fuzzy Hash: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction Fuzzy Hash: F8415E71A0860AFBDF199F68C848BEEB7B5FF45320F208315E525A62D1D7386950CBA1

Function 00763874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00763922
TranslateMessage.USER32(?), ref: 0076394B
DispatchMessageW.USER32(?), ref: 00763955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction ID: 571e39b3d88a727d062486987327a818e76e959599fbc74a716f029654be1437
Opcode Fuzzy Hash: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction Fuzzy Hash: EC3186705043829EEB25CB34D848FB637A8EB06308F54456DE867C21A1E7BCBA85CF25

Function 0076CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0076CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFF2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 45cd6e52bc0d15875b7448fee4fec1e99d3481e879f0c2fe6546bb092af51f06
Instruction ID: 41ceedf7a1d78b841907613ad301eeac87a939e5a20c2c3c7c40a2af6d379baa
Opcode Fuzzy Hash: 45cd6e52bc0d15875b7448fee4fec1e99d3481e879f0c2fe6546bb092af51f06
Instruction Fuzzy Hash: 49315072600205EFDB21DFA5D8889BBBBF9EB14350B10842EF957D2541D738AE41DBA0

Function 00751901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00751915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007519E2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction ID: 2e12bc3336e2ac851d1299ec6147be4c5cdf95e5dc503a4e11d77a1fa1853d4c
Opcode Fuzzy Hash: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction Fuzzy Hash: CD31A171A00259EFCB00CFA8C999BDE7BB5EB44316F108225FD21A72D1C7B4AD48CB90

Function 00785706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00785745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0078579D
_wcslen.LIBCMT ref: 007857AF
_wcslen.LIBCMT ref: 007857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction ID: be1178a80e458a69cfbd90ef8ae3c400a3c55ba75e58b52c668a9cfe1e1cffac
Opcode Fuzzy Hash: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction Fuzzy Hash: 3921A571944618DADB21AF64CC84EEDB7B8FF04320F108266E929EA1D0D7789985CF50

Function 00770930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00770951
GetForegroundWindow.USER32 ref: 00770968
GetDC.USER32(00000000), ref: 007709A4
GetPixel.GDI32(00000000,?,00000003), ref: 007709B0
ReleaseDC.USER32(00000000,00000003), ref: 007709E8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction ID: 46b22ed17009eace5f1c843f2247ca18665c1d62205c75fb32093d827ac457f4
Opcode Fuzzy Hash: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction Fuzzy Hash: 40216F39600204EFD704EF65D988AAEBBE5EF44744F14C06CE94A97352DB38AC04CBA0

Function 0072CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0072CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0072CDE9

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0072CE0F
_free.LIBCMT ref: 0072CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0072CE31

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction ID: 429be7a7b10b525c4b1a50f417c68443c5c004576569970513e86a45abde40de
Opcode Fuzzy Hash: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction Fuzzy Hash: E701D472E012357F232316B67C8CC7F696DDED6BA1326412DF905C7201EA798D0282B5

Function 00709639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
SelectObject.GDI32(?,00000000), ref: 007096A2
BeginPath.GDI32(?), ref: 007096B9
SelectObject.GDI32(?,00000000), ref: 007096E2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction ID: dbaa2de2946830646b12492c498905508abb6eeadac6bf8d07c5c0fcb0af8f4c
Opcode Fuzzy Hash: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction Fuzzy Hash: 45218370801345EBDB119F24EC08BA93BB4BB41755F608329F510971F2D37DA851CF98

Function 00755711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755726
_memcmp.LIBVCRUNTIME ref: 00755744
_memcmp.LIBVCRUNTIME ref: 00755757
_memcmp.LIBVCRUNTIME ref: 0075576F
_memcmp.LIBVCRUNTIME ref: 00755787

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction ID: 89da64c04fe0499e7c0684927d944087d75f3ebc25e17248f5450bdb8cff6cdc
Opcode Fuzzy Hash: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction Fuzzy Hash: 8901B5A1681A0DFBE30865259D92FFB735D9B25396F504420FE149E281F7ACEE5483B0

Function 00722DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6), ref: 00722DFD
_free.LIBCMT ref: 00722E32
_free.LIBCMT ref: 00722E59
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E66
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E6F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 222914adf217712b1ec058e9415c772be87c58d9cbc3afbf674dcc82abf237b3
Instruction ID: e598fa0a8ffeb089e74afe79e2b0b274e55de3ee07774f1653f7e996a701bfa8
Opcode Fuzzy Hash: 222914adf217712b1ec058e9415c772be87c58d9cbc3afbf674dcc82abf237b3
Instruction Fuzzy Hash: 0F01F472A45620B7C61327387C4EE3B265DABD57A1B22812CF421A21D3EA7CCC036174

Function 0075000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750070

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction ID: 6d98501bedabb0951514f29a081336ffe88acee2030566fe601b0126d5205fd6
Opcode Fuzzy Hash: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction Fuzzy Hash: F201A276640204BFDB114F68DC08BEA7AEDEF44762F248124FD09D6250D7B9DD449BA0

Function 0075E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0075E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0075E9A5
Sleep.KERNEL32(00000000), ref: 0075E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0075E9B7
Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction ID: dbc586b762befd960b3f5954412ff26c51b9b0b9476d538485e396270321c3df
Opcode Fuzzy Hash: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction Fuzzy Hash: C5018B71C0052DDBCF059BE4D8896DDBB78BB08302F004506E812B2141DB78A649C766

Function 007510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction ID: 53f35cb447c4aa76cf2f1c5857e00bb808308d134cf807bb4cd902466a7276bf
Opcode Fuzzy Hash: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction Fuzzy Hash: 6F016D75540609BFDB124FA8EC4DAAA3B6EEF85361B214454FA41C3350DB75DC008F70

Function 00750FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction ID: 9e16706a3b0b564c0d1c33dc6e54cf227664d53a55c6879e0b16a6bdc00becfd
Opcode Fuzzy Hash: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction Fuzzy Hash: 98F04F75241315ABD7224FA4AC8DF963BADEF89762F608414F949C6291CA78DC408B70

Function 00751014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction ID: a2c81df7585a0fb59d7d991e49399016db6aa6188ea636909bcb2000e7d389aa
Opcode Fuzzy Hash: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction Fuzzy Hash: EFF04975240355ABDB225FA4EC89F963BADEF89762F604414FA49CA290CA78DC408B70

Function 0076030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760324
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760331
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076033E
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076034B
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760358
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760365

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction ID: 8ba5bc33c34986b5d0abb86cb76ecdad7073291687e3a187e96d3cbd4d96ac9e
Opcode Fuzzy Hash: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction Fuzzy Hash: 7C019872800B159FCB31AF66D880813FBF9BE602163158A3ED19752A31C3B5A999DF80

Function 0072D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0072D752

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D764
_free.LIBCMT ref: 0072D776
_free.LIBCMT ref: 0072D788
_free.LIBCMT ref: 0072D79A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction ID: c9c0cdcc947640fd95711c479a114dbc6050bd9d8c3aec323f24e75e81960dfe
Opcode Fuzzy Hash: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction Fuzzy Hash: 49F01232544224BB9632EB64F9C5D1677DDBB48710BE58D05F088E7612C73CFCC08A64

Function 00755C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00755C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00755C6F
MessageBeep.USER32(00000000), ref: 00755C87
KillTimer.USER32(?,0000040A), ref: 00755CA3
EndDialog.USER32(?,00000001), ref: 00755CBD

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction ID: e859462549c650e0fe9757c4e1e1a20ee326ac4c77387fe88b005c06c63d858e
Opcode Fuzzy Hash: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction Fuzzy Hash: C601AE306407059BFB215B10DD5EFE577B8BF00706F005569B553614E1DBF85948CB74

Function 007222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007222BE

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 007222D0
_free.LIBCMT ref: 007222E3
_free.LIBCMT ref: 007222F4
_free.LIBCMT ref: 00722305

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction ID: 31e8528c0303bf53be00e64402bf2569d2e03908e681415acb510d7fe82c3619
Opcode Fuzzy Hash: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction Fuzzy Hash: 92F03A74900131EB8613AF54BC05D483BA4FB19761781C61EF460E22B3C73D9892AFEC

Function 007095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007095D4
StrokeAndFillPath.GDI32(?,?,007471F7,00000000,?,?,?), ref: 007095F0
SelectObject.GDI32(?,00000000), ref: 00709603
DeleteObject.GDI32 ref: 00709616
StrokePath.GDI32(?), ref: 00709631

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction ID: e5cfd3d133caea795d15c878c0025346cb68520d4a087c7d6454f0e3e881d181
Opcode Fuzzy Hash: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction Fuzzy Hash: 26F03C30045648EBDB525F65ED1CBA43BA1AB02362F54C328F525590F2D73D99A1DF28

Function 00720F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007210F9
__freea.LIBCMT ref: 00721117

Part of subcall function 00721537: _free.LIBCMT ref: 0072154F

Strings

am/pm, xrefs: 0072117A
a/p, xrefs: 007211DE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction ID: 88de4a0d9edb792b33ce053d2d9583a69f88ee557fb6997f50ca72320038290a
Opcode Fuzzy Hash: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction Fuzzy Hash: 2ED13931E0022ADACB24DF68E855BFEB7B2FF25310FA44159E5019B652D33D9E81CB91

Function 007761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00776238

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Part of subcall function 0076359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4
Part of subcall function 0076359C: LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

x#|, xrefs: 0077633A
x#|, xrefs: 00776353
x#|, xrefs: 0077636F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#|$x#|$x#|
API String ID: 1072379062-278022409
Opcode ID: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction ID: 1d4789f35e981a2f965baec6ed6232159f3925f56a8e03f90c6512b4a68ef645
Opcode Fuzzy Hash: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction Fuzzy Hash: 1CC18D71A00509EFCF14DF58C894EBAB7B9FF48340F148069EA099B296DB78ED55CB90

Function 00725AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOo, xrefs: 00725BA8, 00725C6C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: JOo
API String ID: 0-681639431
Opcode ID: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction ID: ca6690c209f3f8fb4718815a0cb6a8824bd28b4ac10d0b2378ede41cd23b57bc
Opcode Fuzzy Hash: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction Fuzzy Hash: 7451B6B1D0062ADFCB219FA8E849FEE7BB4AF45310F140159F405A7291E77D9981CB71

Function 00728A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00728B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00728B7A
__dosmaperr.LIBCMT ref: 00728B81

Strings

.q, xrefs: 00728A63

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .q
API String ID: 2434981716-2393120612
Opcode ID: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction ID: fe20779c9d955d720e652727cd9c08a5612696098fe7e133be87328e067ca425
Opcode Fuzzy Hash: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction Fuzzy Hash: 5A41AEF0605065AFD7659F24E884E7D3FA5EB45300F28C1ADF4558B642DE3ECC028795

Function 00752716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521D0,?,?,00000034,00000800,?,00000034), ref: 0075B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00752760

Part of subcall function 0075B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0075B3F8

Part of subcall function 0075B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0075B355
Part of subcall function 0075B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B365
Part of subcall function 0075B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0075281A

Strings

@, xrefs: 00752832

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction ID: ce0d9431da33d5e7de13c70b96ec9f9c9099214f863a4e887082a2f43454c5a6
Opcode Fuzzy Hash: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction Fuzzy Hash: 0F412072900218BFDB10DFA4CD85AEEBBB8EF09700F104095FA55B7181DBB56E49CB61

Function 0072172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00721769
_free.LIBCMT ref: 00721834
_free.LIBCMT ref: 0072183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00721760, 00721767, 00721796, 007217CE

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction ID: 4b527e74e2919657ee52aad59b62369151085a38d9b1ed6f157d844fdee16423
Opcode Fuzzy Hash: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction Fuzzy Hash: 9F315275A00268FFDB21DF99A885D9EBBFCFBA5310F94416AF80497211D6789E40CB90

Function 0075C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0075C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0075C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007C1990,00D95680), ref: 0075C395

Strings

0, xrefs: 0075C2DF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction ID: 2cb8da557222e36dcab090aae45686bcb77b8a628e43098ef4af9d4822761157
Opcode Fuzzy Hash: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction Fuzzy Hash: 5A41A0312043059FD721DF24D885BAABBE4AF85321F10861DFDA5972D1D7B8A908CB62

Function 00784416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0078CC08,00000000,?,?,?,?), ref: 007844AA
GetWindowLongW.USER32 ref: 007844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007844D7

Strings

SysTreeView32, xrefs: 0078447C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction ID: 45a482801baa64e691e265f8adb48f654a95e0114970576e94007a9a080f6155
Opcode Fuzzy Hash: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction Fuzzy Hash: 0931B071250246AFDF21AE78DC45FEA77A9EB08334F204725F979921D0D7B8EC509760

Function 00756E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00756EED
VariantCopyInd.OLEAUT32(?,?), ref: 00756F08
VariantClear.OLEAUT32(?), ref: 00756F12

Strings

*ju, xrefs: 00756E8B, 00756E90, 00756EF8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *ju
API String ID: 2173805711-1978014906
Opcode ID: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction ID: c92749b3179bbcb27f7f3e26dc098ddf8970e600958b0334f45d3d0835eac328
Opcode Fuzzy Hash: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction Fuzzy Hash: 5131D372A04249DFDB05AFA4E8519FD37B6FF41701B500498F9029B2E1CB789D15CBA4

Function 0077304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00773077,?,?), ref: 00773378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
_wcslen.LIBCMT ref: 0077309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00773106

Strings

255.255.255.255, xrefs: 00773095, 0077309A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction ID: 9a8f390b125d6f6d18983749af514b8aab2454686157814772277d077dae44f6
Opcode Fuzzy Hash: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction Fuzzy Hash: C731D339204209DFCF20CF28C485EAA77E1EF14398F64C459E9198B392DB3AEE41D760

Function 00783EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00783F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00783F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00783F78

Strings

SysMonthCal32, xrefs: 00783F0B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction ID: f7db6e0b90ca82f9ab6ae010ebfe571041cf66f57526e7342256ca889f08dfeb
Opcode Fuzzy Hash: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction Fuzzy Hash: D021BF32650219BBDF159F54CC46FEA3B75EF48714F110214FE15AB1D0D6B9A950CBA0

Function 00784653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00784705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00784713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0078471A

Strings

msctls_updown32, xrefs: 00784684

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction ID: c419f383d0b7d3855560e6dcb3bc263620c59bece1b296f0e43b8feb4e36c66d
Opcode Fuzzy Hash: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction Fuzzy Hash: 4C2171B5640209AFDB11EF68DCC5DB737ADEF4A398B140059FA009B251DB74EC11CB64

Function 007595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075961D

Strings

#notrayicon, xrefs: 007595B7
#requireadmin, xrefs: 007595D9
#OnAutoItStartRegister, xrefs: 007595F3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 8a47216c020a174f22847963cd94753e0cc0c3421de52375cec490bd1bfe492a
Instruction ID: 6972f0aa822ece39bbf303b87b2665cb3c29e22fea81b31966d0ab54505a91e3
Opcode Fuzzy Hash: 8a47216c020a174f22847963cd94753e0cc0c3421de52375cec490bd1bfe492a
Instruction Fuzzy Hash: BC213172204210E6C731AA289806EFB7398EF91311F40402AFE4996081EB98ADADC2A5

Function 007837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00783840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00783850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00783876

Strings

Listbox, xrefs: 0078380F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction ID: 4640f91be54a9d81ed2353836670d898e3cbdf8cc3864d541c0b02d288eeb425
Opcode Fuzzy Hash: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction Fuzzy Hash: 0D21A472650118BBEF119F58CC85FBB376EEF89B60F118124F9049B190CA79DC5287A0

Function 007649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00764A5C
SetErrorMode.KERNEL32(00000000,?,?,0078CC08), ref: 00764AD0

Strings

%lu, xrefs: 00764A6F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction ID: bb4bc1bcae10bb13039c236c20c1580da9ef08f85b3af3ade75e621b5fc12892
Opcode Fuzzy Hash: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction Fuzzy Hash: 81316D71A00109AFDB11DF64C885EAA7BF9EF08308F1480A9F909DB252DB75EE45CB71

Function 007841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0078424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00784264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00784271

Strings

msctls_trackbar32, xrefs: 00784226

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction ID: cb98fb98040ec2ffaa304b60a43d5097e0bc8fd1a38ec8d26a68db38e8754f2a
Opcode Fuzzy Hash: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction Fuzzy Hash: 4D11E731284209BEEF20AF24CC05FAB37ACFF95754F114124FA55E2090D6B5D8119714

Function 00752F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Part of subcall function 00752DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
Part of subcall function 00752DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
Part of subcall function 00752DA7: GetCurrentThreadId.KERNEL32 ref: 00752DDD
Part of subcall function 00752DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

GetFocus.USER32 ref: 00752F78

Part of subcall function 00752DEE: GetParent.USER32(00000000), ref: 00752DF9

GetClassNameW.USER32(?,?,00000100), ref: 00752FC3
EnumChildWindows.USER32(?,0075303B), ref: 00752FEB

Strings

%s%d, xrefs: 00752FFF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction ID: d43e99d04cdd973f6cf3e088b893c913e021826e91f875c0ca4406fb826a5a40
Opcode Fuzzy Hash: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction Fuzzy Hash: 3E1193B1700209ABCF557F64CC89EED376BAF84305F048079BD099B292DE7959498B70

Function 00785882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858EE
DrawMenuBar.USER32(?), ref: 007858FD

Strings

0, xrefs: 0078588F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fd39d73a74c98f71980e1acf5c2f4ad262ce6178b103d0b96aec8820eac50916
Instruction ID: 49c3e4c905777c72d1ee21f53c844e689dd2312e1a8cf853687978c26039a3e4
Opcode Fuzzy Hash: fd39d73a74c98f71980e1acf5c2f4ad262ce6178b103d0b96aec8820eac50916
Instruction Fuzzy Hash: 09012131540218EFDB21AF11DC48BAEBBB4FB45361F108099E849D6151DB389A94DF31

Function 0075007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction ID: 431a079e46a80d73f1a9d4a408c3a6c1e3e0304ea7d081681ed7d9b116d27632
Opcode Fuzzy Hash: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction Fuzzy Hash: 5CC18C75A0020AEFCB14CFA4C898EAEB7B5FF48315F208598E905EB251D775ED45CB90

Function 0077342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00773459
CoUninitialize.OLE32 ref: 00773463
VariantInit.OLEAUT32(?), ref: 0077346E
VariantClear.OLEAUT32(?), ref: 0077371B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction ID: 7839bfc3ae2651e83899ef4090b360fda1c2d3925f4362d5e4eed2160ae297b2
Opcode Fuzzy Hash: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction Fuzzy Hash: A1A13775204204DFCB10DF28C485A2AB7E5FF88764F04885DF98A9B362DB74EE05DB96

Function 00750436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 007505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 00750608
CLSIDFromProgID.OLE32(?,?,00000000,0078CC40,000000FF,?,00000000,00000800,00000000,?,0078FC08,?), ref: 0075062D
_memcmp.LIBVCRUNTIME ref: 0075064E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction ID: 0c8c0bad1a983f0b0213bd27aacb8bfc6c4e968d3f56c936660cca3cccdbb1f0
Opcode Fuzzy Hash: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction Fuzzy Hash: BD810F75A00109EFCB04DF94C984DEEB7B9FF89315F204558F916AB250DB75AE0ACBA0

Function 0077A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0077A6BA

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0077A79C
CloseHandle.KERNEL32(00000000), ref: 0077A7AB

Part of subcall function 0070CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00733303,?), ref: 0070CE8A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d4a63a52e8b93f50a72b2261eea4e51641c1a84192713fc0b7d2ebf75f442901
Instruction ID: 0a4e5afe323936c47d33e8e5b58b0e28b1ba3142daede14c4763f9ef1b90379e
Opcode Fuzzy Hash: d4a63a52e8b93f50a72b2261eea4e51641c1a84192713fc0b7d2ebf75f442901
Instruction Fuzzy Hash: 9C517E71508304AFD754DF24C886A6FBBE8FF89754F00892DF58997291EB34D904CBA6

Function 00731391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007314C0

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ef49b274c1a92f10165eac5abd35c31fc32865bb54a369c1cc197f6456ca8348
Instruction ID: 8f414d17bcd0175247f649ef1d8fd032a5eba0e3db79f2e780d0ca9cf81c8019
Opcode Fuzzy Hash: ef49b274c1a92f10165eac5abd35c31fc32865bb54a369c1cc197f6456ca8348
Instruction Fuzzy Hash: EE410B32A00550EBFB217BBD9C4AAEE3BA5FF41370F544225F419D61D3E63C88815761

Function 00786278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007862E2
ScreenToClient.USER32(?,?), ref: 00786315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00786382

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction ID: 87dc0b852e28d56d271e801730911f9c4ca36857c98732ef059cadfd8cbbb7c5
Opcode Fuzzy Hash: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction Fuzzy Hash: 5D515D75A40249EFDF10EF68D880AAE7BB6FF45360F208169F9159B6A0D734ED81CB50

Function 00771AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00771AFD
WSAGetLastError.WSOCK32 ref: 00771B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00771B8A
WSAGetLastError.WSOCK32 ref: 00771B94

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction ID: 0ec666044a26d78160548ca81de3fb847b4c03903057d021d62e3130fa91b486
Opcode Fuzzy Hash: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction Fuzzy Hash: 43419F74640200AFEB20AF24C886F3977E5AB45718F54C54CFA1A9F2D3D776DD418B94

Function 0072B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction ID: 1b5179fd2918e3e4d5b7dd6381921ab687a94490e85bd180172198250a1fadde
Opcode Fuzzy Hash: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction Fuzzy Hash: 6F411972A00764FFD724AF38DC45BAABBE9EB88710F10452EF541DB282D779A9418780

Function 007656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00765783
GetLastError.KERNEL32(?,00000000), ref: 007657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007657FA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction ID: f7a8f14ff1771a03a4b04f031de0565da1aada420834d0be48fca3c4cfaeedeb
Opcode Fuzzy Hash: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction Fuzzy Hash: 93413D35600615DFCB11DF15C544A6EBBE2EF89320B18C488ED4AAB362CB78FD04DB95

Function 0072D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00716D71,00000000,00000000,007182D9,?,007182D9,?,00000001,00716D71,?,00000001,007182D9,007182D9), ref: 0072D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0072D9AB
__freea.LIBCMT ref: 0072D9B4

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction ID: 5eb8125fc9ec0252ca648dba69a9e7127912a83b4274c4bc5df6cdeb2726a070
Opcode Fuzzy Hash: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction Fuzzy Hash: E431D272A0022AABDF25DF64EC85EAE7BA5EB40310F154168FC44D7251E739DD90CBA0

Function 007852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00785352
GetWindowLongW.USER32(?,000000F0), ref: 00785375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00785382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007853A8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction ID: 5ff7c37a3361df2b3ea55eed432de1ee0310043cd5a6f2b01151785e35ab83d9
Opcode Fuzzy Hash: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction Fuzzy Hash: 2331E230AD5A08FFEB31AA14CC05FE83762AB05399F984111FA10969E1C7BCAE40DB51

Function 0075AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0075ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0075AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0075AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0075ACC6

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction ID: 86d1e761ac69f01c5d49fe0aa9fec1c772cad49324bd372209d35ee0349d7ff2
Opcode Fuzzy Hash: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction Fuzzy Hash: 9E312830A40258BFFF35CB648C09BFA7BA5AB45312F14433AE885561D0D3BD89898772

Function 00787674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0078769A
GetWindowRect.USER32(?,?), ref: 00787710
PtInRect.USER32(?,?,00788B89), ref: 00787720
MessageBeep.USER32(00000000), ref: 0078778C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction ID: d91ca01fc6d240100f911c4362f14800cbbfa14ae2fea32c1faa27abe77a1a26
Opcode Fuzzy Hash: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction Fuzzy Hash: 4641BD34A45254DFCB09EF58C894EA9B7F4FF4A310F6980A8E816DB261D338E941CF90

Function 007816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007816EB

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

GetCaretPos.USER32(?), ref: 007816FF
ClientToScreen.USER32(00000000,?), ref: 0078174C
GetForegroundWindow.USER32 ref: 00781752

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction ID: 00ad1d572a144d61433844798911821e88520df2afb897644a656559f45c07ac
Opcode Fuzzy Hash: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction Fuzzy Hash: 86312F75D00149AFCB00EFA9C985CAEBBFDEF88304B5480ADE515E7211DB359E45CBA4

Function 00788FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetCursorPos.USER32(?), ref: 00789001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00747711,?,?,?,?,?), ref: 00789016
GetCursorPos.USER32(?), ref: 0078905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00747711,?,?,?), ref: 00789094

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction ID: 3e083a3d84baa744aa380cf1ce58de19a66d2436346eef735bed078f716347d5
Opcode Fuzzy Hash: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction Fuzzy Hash: 2421B535640018EFCB169F94CC58EFA7BB9EF4A360F284169FA0657161D339AD50DB60

Function 0075D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0078CB68), ref: 0075D2FB
GetLastError.KERNEL32 ref: 0075D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0075D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0078CB68), ref: 0075D376

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction ID: 44cb0ba6a8f67ec93c3de6bb1f8b923378372b743e779906ab1757e889dcc886
Opcode Fuzzy Hash: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction Fuzzy Hash: 58219170509201DF8720DF24C8818AAB7E4AE55365F104A1DF899C72A1E775DD49CBA7

Function 00751571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
Part of subcall function 00751014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
Part of subcall function 00751014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
Part of subcall function 00751014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007515BE
_memcmp.LIBVCRUNTIME ref: 007515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00751617
HeapFree.KERNEL32(00000000), ref: 0075161E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction ID: 03e27e1cc36eeedd6de6fadb2cc625aa3b5cc8ac41d85c5dffc7705440baccbb
Opcode Fuzzy Hash: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction Fuzzy Hash: A421B671D40108EFDF00DFA4C949BEEB7B4EF44346F598459E851A7241E778AE09CBA0

Function 00782782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0078280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00782840

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction ID: 87e31613947ced55257bb62719568c56d29bc7fc757c4f16cb487eb582c16901
Opcode Fuzzy Hash: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction Fuzzy Hash: 0B210331244111AFDB14AB24C844FAA7B96EF85325F248158F9268B6E3CB79FC42C790

Function 007578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00758D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758D8C
Part of subcall function 00758D7D: lstrcpyW.KERNEL32(00000000,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00758DB2
Part of subcall function 00758D7D: lstrcmpiW.KERNEL32(00000000,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757923
lstrcpyW.KERNEL32(00000000,?,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757984

Strings

cdecl, xrefs: 0075797B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 710c71d1bf6848dec45f13a1b593d58e236101d8e6f59331973fda1ab4a32eab
Instruction ID: 5ff49e2dbab2aa342a3d6fef28945c2bbba55a32c379b0adc74225efa94d658b
Opcode Fuzzy Hash: 710c71d1bf6848dec45f13a1b593d58e236101d8e6f59331973fda1ab4a32eab
Instruction Fuzzy Hash: 9011067A200341ABCB159F35D848EBA77E9FF85351B10802AFD42C72A4EF799805C761

Function 00787CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00787D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00787D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00787D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0076B7AD,00000000), ref: 00787D6B

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction ID: 43a8f396fd760dccfafccad827f87ec50173415a6d7a77cf638fdde4472bc817
Opcode Fuzzy Hash: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction Fuzzy Hash: 3611D5312446149FCB15AF28CC04E663BA4AF463A0B358728F836DB1F0E738D910DB60

Function 00785660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007856BB
_wcslen.LIBCMT ref: 007856CD
_wcslen.LIBCMT ref: 007856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction ID: 2be81b405a793be1b70784bf413d459981ad9ee484a43968fe8b832c6829c129
Opcode Fuzzy Hash: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction Fuzzy Hash: 9211D375680608E6DF20AF65CC85EEE77ACEF11760B50806AF919D6081EB7CDA84CB64

Function 00721D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a6881c7407456f708a86c6b8d609eed7ccf97e38918b5d666a2716f7ac2019
Instruction ID: 8c6f4d8a2747fb520198841afdae24d57720cec023d1e33c1938f09d729afb71
Opcode Fuzzy Hash: f6a6881c7407456f708a86c6b8d609eed7ccf97e38918b5d666a2716f7ac2019
Instruction Fuzzy Hash: A301ADB270962ABEF62126787CC4F27661CEF613B8F750329F521A11D2DB789C414270

Function 00751A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00751A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A8A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction ID: af5a2c52cc8e159807f09e9245f4ad2b86f27c246c79a99381aafa01e2ccca38
Opcode Fuzzy Hash: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction Fuzzy Hash: 7C11393AD01219FFEB11DBA4CD85FEDBB78EB08751F2040A1EA00B7290D6B16E50DB94

Function 0075E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0075E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0075E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0075E24D

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction ID: 304f99212652fcc4ea62f516679d06d014ceee0f83f8ef4cc2a5a3403ce978cb
Opcode Fuzzy Hash: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction Fuzzy Hash: A2112B72D04258BBC7069FA8AC09EDE7FACEB45315F108269F824D3291D6BCCE0487B4

Function 0071D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0071CFF9,00000000,00000004,00000000), ref: 0071D218
GetLastError.KERNEL32 ref: 0071D224
__dosmaperr.LIBCMT ref: 0071D22B
ResumeThread.KERNEL32(00000000), ref: 0071D249

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction ID: ccaf17442de9a497717cac03095dc00cb490307e6eb8505ae2efb2dcf3cf0f29
Opcode Fuzzy Hash: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction Fuzzy Hash: 6D01C476805108BBC7225BA9DC09AEE7A69EF85730F204219F925921D0DB79CD818BA1

Function 00789EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetClientRect.USER32(?,?), ref: 00789F31
GetCursorPos.USER32(?), ref: 00789F3B
ScreenToClient.USER32(?,?), ref: 00789F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00789F7A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction ID: 7d734d11a873d61fa75190eb1570077520c78b08ee7418eff9f88581a5db30f8
Opcode Fuzzy Hash: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction Fuzzy Hash: CA11663294011AEBDB06EFA8C8499FE77B8EB05311F244465FA02E3041D338BA81CBA5

Function 006F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
GetStockObject.GDI32(00000011), ref: 006F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction ID: b6c85bf739246e5d067f71194d81bf259657181f035cb94cc9481683f89f61bb
Opcode Fuzzy Hash: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction Fuzzy Hash: 24116D7250154CBFEF124FA4DD44EFABB6AEF093A4F244215FB1552120DB36AC60DBA4

Function 00713B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00713B56

Part of subcall function 00713AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00713AD2
Part of subcall function 00713AA3: ___AdjustPointer.LIBCMT ref: 00713AED

_UnwindNestedFrames.LIBCMT ref: 00713B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00713B7C
CallCatchBlock.LIBVCRUNTIME ref: 00713BA4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e330a0ce04d16a86dde7fc47603fdfc785dda7154b2c0e26658552db3fd92dd4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D3012972100148BBDF125E99CC46EEB3B7AEF48754F044014FE4856161D73AE9A1DBA0

Function 00723073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006F13C6,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue), ref: 007230A5
GetLastError.KERNEL32(?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000,00000364,?,00722E46), ref: 007230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000), ref: 007230BF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction ID: 6b59bb926341b039240141048fb239854f2a39b912506118a589008b3630b35a
Opcode Fuzzy Hash: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction Fuzzy Hash: 2401F732741236ABCB314B78BC44A577B9AAF05B61B204724F905E3180C73DD901C7F4

Function 00757464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0075747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00757497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007574CA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction ID: ea7ba2e04fdcba9ed86b73dd06867fc315951752134a6979e9dc5b8ba65f1438
Opcode Fuzzy Hash: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction Fuzzy Hash: CC11ADB1245354ABE7208F64EC08FD27FFCEB00B11F20856DAE1AD6191D7B8E948DB61

Function 0075B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B126

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction ID: 5d2045d5d5d4a3266daaac6ba9d2f20cc8129f921701c0efc372af23108ba61a
Opcode Fuzzy Hash: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction Fuzzy Hash: 5F115E71C0191CD7CF00AFE5D9996FEFB78FF09712F108485D941B2185CB7859548B65

Function 00787E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00787E33
ScreenToClient.USER32(?,?), ref: 00787E4B
ScreenToClient.USER32(?,?), ref: 00787E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00787E8A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction ID: e5064b12436316ac91fe12d8d39b7cef09e4715eca08047c72d455afb0bcee6b
Opcode Fuzzy Hash: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction Fuzzy Hash: 9B1156B9D4020AAFDB41DF98C884AEEBBF5FF08310F509066E925E3210D735AA54CF64

Function 00752DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
GetCurrentThreadId.KERNEL32 ref: 00752DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction ID: 69f8fb2c72b36ec55fd624ea9a50d7efff5b1cfb79804acfe02a7ce8aa57fcc6
Opcode Fuzzy Hash: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction Fuzzy Hash: FAE06D717412247AD7211B62AC0EEEB3E6CEB43BA2F104129B905D1081AAA88845C7B0

Function 00788863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00788887
LineTo.GDI32(?,?,?), ref: 00788894
EndPath.GDI32(?), ref: 007888A4
StrokePath.GDI32(?), ref: 007888B2

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction ID: d4a57d03e518349938dab92611434c85751988583d17f85b15c00e0988fc838e
Opcode Fuzzy Hash: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction Fuzzy Hash: 8DF03A36081258FADB136F94AC0DFCA3B59AF06310F54C100FA11651E2C7BD5511CBAA

Function 007098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007098CC
SetTextColor.GDI32(?,?), ref: 007098D6
SetBkMode.GDI32(?,00000001), ref: 007098E9
GetStockObject.GDI32(00000005), ref: 007098F1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction ID: 2d44e467c294ca82ff32dce8ccd5c6483c2c7bc153ed6dafed0c869fa10476d9
Opcode Fuzzy Hash: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction Fuzzy Hash: 73E06531684284AEDB225B74BC0DBE83F50AB51335F24C21AF6F5580E1C3795650DB20

Function 0075162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00751634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007511D9), ref: 00751648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075164F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction ID: d5c745ec970576229feb63880fa658f9395888e111579d40669378b632b0fe26
Opcode Fuzzy Hash: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction Fuzzy Hash: 50E04632682211ABD7201BB0AE0DB863B68EF45792F258808F645C9080EA7C84458B68

Function 0074D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D858
GetDC.USER32(00000000), ref: 0074D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction ID: 56f5a30472aae1272f1ebe147607e402c867ded5498c3124b3651fe35ca56779
Opcode Fuzzy Hash: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction Fuzzy Hash: 39E0E5B4940205DFCB529FA0990866DBBB6AB48310B208019E946E7250D73C8941AF64

Function 0074D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D86C
GetDC.USER32(00000000), ref: 0074D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction ID: 4643a37c0bc07ca13512a55016dd2464aa990dc81c05aecdfe1cfc970f13e1ac
Opcode Fuzzy Hash: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction Fuzzy Hash: 9CE01A74940204DFCB529FB0D80C66DBBB1BF48310B208018E90AE7250D73C5901AF64

Function 00764D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00764ED4

Strings

*, xrefs: 00764E10
LPT, xrefs: 00764DFB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e038636f6d2d60557d676aa0ef0cad201e8dfa5130f395bf33718069a8088310
Instruction ID: d383e2fe538a24a4c1d5d2249b273548a26fc82ae679d0f33c6229738d650efb
Opcode Fuzzy Hash: e038636f6d2d60557d676aa0ef0cad201e8dfa5130f395bf33718069a8088310
Instruction Fuzzy Hash: A4915F75A00204EFCB15DF58C484EAABBF1BF44304F198099E80A9F7A2D779ED85CB91

Function 0071E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0071E30D

Strings

pow, xrefs: 0071E2E5, 0071E302

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction ID: 91167cbfd3a463042467c8fda818d589fb533292bd455fc2292a0536138d58fb
Opcode Fuzzy Hash: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction Fuzzy Hash: 75518E71E0C11296CB19772CDE453FA3BA4AB40740F348999F8E5422E9DB3C8CD6DA46

Function 00777771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,?,00000000,00000000), ref: 007778DD

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,00000000,?,00000000,00000000), ref: 0077783B

Strings

<s{, xrefs: 007777C8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s{
API String ID: 3544283678-301287271
Opcode ID: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction ID: e483a468d747201b1b3baae5540988588b72a628f9d4dd3fdebdc62204fce7b4
Opcode Fuzzy Hash: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction Fuzzy Hash: 7F618E7291412DEACF49EBE4CC91DFDB3B9BF14340B448129F646A3191EF786A05CBA4

Function 0070E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0070E1B1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction ID: 0410a97a82fd05092d3171cff1e694c284727fd56b00374382e8dc45164c8898
Opcode Fuzzy Hash: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction Fuzzy Hash: AC513435504246DFDB16DF28C481ABA7BA9FF56330F248569E8919B2D0D7389D42CBA0

Function 0070F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0070F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0070F2BB

Strings

@, xrefs: 0070F2AF

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction ID: 66ef7ae9b329c51ea612c22491c379b0f4d6b99de9102c6666f20d956c379886
Opcode Fuzzy Hash: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction Fuzzy Hash: 2B5159724087499BD360AF14D886BABB7F9FFC5310F81884CF29941195EB309929CB6B

Function 00775745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007757E0
_wcslen.LIBCMT ref: 007757EC

Strings

CALLARGARRAY, xrefs: 007757E6, 007757EB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6df4aac7b09c6aae4f9f46df85311c0aa5560beaad6cb2dcd653f1aaebe4d4d3
Instruction ID: 7ff0f57b164704633ed4e64aa35c8140ef7df73f00a9e0bd4d1d21ca5377a551
Opcode Fuzzy Hash: 6df4aac7b09c6aae4f9f46df85311c0aa5560beaad6cb2dcd653f1aaebe4d4d3
Instruction Fuzzy Hash: 3D41AE31A00109DFCF04DFA9C8859BEBBF5EF59360F10812DE509A7291E7B89D81CBA1

Function 0076D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0076D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0076D13A

Strings

|, xrefs: 0076D10B

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction ID: 8d6c4078c6ef35019dc2f122fa3f68e527fa4f782b3de6a61e6082c658812a0c
Opcode Fuzzy Hash: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction Fuzzy Hash: 7C315D71D0020DABCF15EFA4CC85AEEBFBAFF05304F000019F915A6166E775AA46CB64

Function 0078356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00783621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0078365C

Strings

static, xrefs: 007835BC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c2f30d4cabf23b14f7f7fcf373cc4a95c5faee7eea18b8a86a47c1dfde7bb958
Instruction ID: c3976b93149dc125e4aee49a041253abcf105fc0cdb2454945df15241d77a5f7
Opcode Fuzzy Hash: c2f30d4cabf23b14f7f7fcf373cc4a95c5faee7eea18b8a86a47c1dfde7bb958
Instruction Fuzzy Hash: ED319071250604AEDB10EF38DC40EFB73A9FF88B24F10961DF9A597280DA38AD91C764

Function 00784537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0078461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00784634

Strings

', xrefs: 0078458E

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction ID: 2dcbd0c393df0b1bfc2597b2ef4031e9df6af9f24593fc3373ed96ac4dd1660c
Opcode Fuzzy Hash: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction Fuzzy Hash: EC312774A4030A9FDB14DFA9C980BDE7BB5FF09300F10406AE904AB341E7B4A951CF90

Function 007831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0078327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00783287

Strings

Combobox, xrefs: 00783249

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction ID: 99a8914bad8c50bad32b98e5f18d604d2b14637ca974e9c2777e7c1b926749b8
Opcode Fuzzy Hash: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction Fuzzy Hash: 8D11B271340208BFEF25AE58DC84EBB376AFB94764F104128F91897291D6799D518760

Function 00783710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

GetWindowRect.USER32(00000000,?), ref: 0078377A
GetSysColor.USER32(00000012), ref: 00783794

Strings

static, xrefs: 00783757

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction ID: 9f5357150616abc03d2e5765ec316f314ab26ffd469303633ce635ec71e54dae
Opcode Fuzzy Hash: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction Fuzzy Hash: 3E1129B2650209AFDF01EFA8CC45EEA7BB8EB08714F104529FD55E2250E739E8619B60

Function 0076CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0076CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0076CDA6

Strings

<local>, xrefs: 0076CD66

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction ID: 67bd6136b752a70edd36401d3e80f8dd6a237814fef0f416e742a7c067b4d473
Opcode Fuzzy Hash: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction Fuzzy Hash: 1D11C6713456317AD7365B66CC45FF7BE6CEF127A4F104226B98A83180D7789844D6F0

Function 00783429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007834BA

Strings

edit, xrefs: 0078348F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction ID: 7141d69cf47c511868b448d363e23210d397a8bd89dedb18fe758bbfc44c46e4
Opcode Fuzzy Hash: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction Fuzzy Hash: 0D11BF71140148ABEF12AE68DC44EBB376AEF05B74F604324F969931D0C779DC519764

Function 00756C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00756CB6
_wcslen.LIBCMT ref: 00756CC2

Strings

STOP, xrefs: 00756CBC, 00756CC1

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction ID: 13b603b1187050a0d659314a4e1452284de9a49996a55b8cde78962689b384e4
Opcode Fuzzy Hash: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction Fuzzy Hash: 2A01C8327005268ACB11AFBDDC909FF77B5EA617117900938ED5297190FA79E948C660

Function 00751CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00751D4C

Strings

ListBox, xrefs: 00751D16
ComboBox, xrefs: 00751CEB

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction ID: 1243e8a75853b7085b90d1d093c14b6b50bc85f5642c5feba2ff5ee4c0bce514
Opcode Fuzzy Hash: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction Fuzzy Hash: E501F571700218AB8B08EFA0CC15EFE7379EB02391B440919EC32572D1EAB9590C8770

Function 00751BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00751C46

Strings

ListBox, xrefs: 00751C10
ComboBox, xrefs: 00751BE5

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction ID: 7c88677a5f12c0ff4e2275a8397d32a60535798ed7eae981bf3976d84561d2c8
Opcode Fuzzy Hash: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction Fuzzy Hash: 3F01F7B178010866CB08EB90C951FFF77A99F11381F540419ED16632C1EA699E0CC7B5

Function 00751C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00751CC8

Strings

ListBox, xrefs: 00751C94
ComboBox, xrefs: 00751C69

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction ID: dece8c5489ca8dfcae47e106f26f7934f48cdfda77a362464623f77ef50a452a
Opcode Fuzzy Hash: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction Fuzzy Hash: FE01D6B178011867CB04EBA0CA01FFF77A99B11382F540419BD12B3281EAAA9F0CC675

Function 0070A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070A529

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Strings

,%|, xrefs: 0070A509
3yt, xrefs: 0070A545, 0070A54D, 0070A552

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%|$3yt
API String ID: 2551934079-1591345639
Opcode ID: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction ID: 3768b4f49599296e34803b94261fc9612887b597df9df3b82a02bc598b678fa0
Opcode Fuzzy Hash: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction Fuzzy Hash: 4401F731600714EBC604F76CAC1BFAD3394AB05710F40416CF601971C3EE9C5D5286EB

Function 00751D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00751DD3

Strings

ListBox, xrefs: 00751DA0
ComboBox, xrefs: 00751D75

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction ID: 61924066aaa9245fc29dd5f40e6b493fe6e64aa6756ec28eb61dd4537eba5568
Opcode Fuzzy Hash: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction Fuzzy Hash: 46F081B1B4121866DB08ABA4CC56BFF7779AB01391F440D19B922A32C1EAB8590C8274

Function 00788172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007C3018,007C305C), ref: 007881BF
CloseHandle.KERNEL32 ref: 007881D1

Strings

\0|, xrefs: 0078818A

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0|
API String ID: 3712363035-470943010
Opcode ID: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction ID: aa65a3927f2667dcc8ac90ecc3e8b8751875e79f2d03ecdc48b44725a8acb87f
Opcode Fuzzy Hash: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction Fuzzy Hash: 0CF05EB2680304BAF3206765AC49FB77B5DEB04750F00C42ABB08D51A2D67D8A9193BD

Function 0077747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00777493
_wcslen.LIBCMT ref: 007774B9

Strings

3, 3, 16, 1, xrefs: 00777483

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction ID: 0cb12d338ba3f6a1fa8e00480540d7c9835fb195bce548dead3605ffb9bd5292
Opcode Fuzzy Hash: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction Fuzzy Hash: C7E02B422043A060D739127E9CC5ABF56C9DFC67D0714182BF989C22B6EA9C9DD1D3A0

Function 00750B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00750B23

Strings

AutoIt, xrefs: 00750B17
Error allocating memory., xrefs: 00750B1C

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5527284cfa4751c4e6b11cb7b00690a474e24fd1d73d55eb5426df08f1842d0c
Instruction ID: 6b6871812618797b7cb7562406240b5568663a3c2b0ae4c831d3c1843fcaf6c4
Opcode Fuzzy Hash: 5527284cfa4751c4e6b11cb7b00690a474e24fd1d73d55eb5426df08f1842d0c
Instruction Fuzzy Hash: 87E0D831284308A6D2213754BC07FC97AC48F05B11F10046AFB58555C38AF9349007FD

Function 00710D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0070F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00710D71,?,?,?,006F100A), ref: 0070F7CE

IsDebuggerPresent.KERNEL32(?,?,?,006F100A), ref: 00710D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006F100A), ref: 00710D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00710D7F

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction ID: 4f13f48cd4a90567d8cdb55e92d644a0565f38c9e48c4aff408d1d0292f2742b
Opcode Fuzzy Hash: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction Fuzzy Hash: 64E0ED742407518BD371AFBCE8087967BE4BB04754F40893DE486C6696DBFDE4848BE1

Function 0070E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070E3D5

Strings

0%|, xrefs: 0070E3B5
8%|, xrefs: 0070E3CA

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%|$8%|
API String ID: 1385522511-3928261334
Opcode ID: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction ID: c6d4a37fa0425a0ebfae5eaeafbd3433dbde2f85a7451e4d7de3cea8fc2f6aa1
Opcode Fuzzy Hash: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction Fuzzy Hash: 51E0863141CD24CBC704971CB859E8AB795AB05320B5056FDE5128B1D3DF7C68939699

Function 00763017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0076302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00763044

Strings

aut, xrefs: 00763038

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction ID: 33bacde795180c024392a8a37cd13a8db337cd1044f3cd63bfb9c697224baad4
Opcode Fuzzy Hash: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction Fuzzy Hash: 40D05EB254032867DA20A7A4AC0EFCB3A6CEB04750F0042A1B655E60D1DAB89984CBE4

Function 0074D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0074D220

Strings

%.3d, xrefs: 0074D22B
X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction ID: 0de362657688f016c366f9bc15a50280d84dd782c9030731a775ac7e45e68a87
Opcode Fuzzy Hash: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction Fuzzy Hash: 5ED012B1848109EACBB096E0CC499B9B3BCBB08301F608452F946D2080D77CCD08AB61

Function 00782356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078236C
PostMessageW.USER32(00000000), ref: 00782373

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782365

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction ID: 71eaa579474b2401ca21985e2e4f73b2df15fa84576313957bbb72439ff76ea2
Opcode Fuzzy Hash: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction Fuzzy Hash: E6D0C9723C1310BAE669A7709C0FFC666159B05B11F2089667745AA1D1D9F8B8058B68

Function 00782322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0078233F

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782325

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction ID: 84f4b904db9a54796ee05e59dc96ccaa7df417918b0bd68d6baef7b94ab387a9
Opcode Fuzzy Hash: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction Fuzzy Hash: 1DD012763D4310B7E668B770DC1FFC67A159B00B11F2089667745AA1D1D9FCB805CB68

Function 0072BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0072BE93
GetLastError.KERNEL32 ref: 0072BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072BEFC

Memory Dump Source

Source File: 00000000.00000002.2200353512.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.2200320227.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200494550.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200999363.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201039362.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction ID: f1e991aa2af569d0ee693de2440ef7f69c78bbac431be9bf4b8ac43f20e10afe
Opcode Fuzzy Hash: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction Fuzzy Hash: 60412D35A00226EFCF218F64ED88AFA7BA5EF41320F25416DF959571E1DB388D01CB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2233067443.000002787EC1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2343637995.000002787DF0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2312307477.000002787EE9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337872276.000002787EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323532812.000002787EE96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2323775468.000002787EBD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315158478.000002787AB8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323775468.000002787EBD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315158478.000002787AB8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2388605131.0000027874C19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341842655.0000027874C17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349090459.00000278740EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2312307477.000002787EE9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337872276.000002787EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323532812.000002787EE96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2203383418.0000027874167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323775468.000002787EBD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323775468.000002787EBD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335229273.00000278750C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315158478.000002787AB8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2325771665.000002787649C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364533799.00000278764AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.0000020656503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2325771665.000002787649C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364533799.00000278764AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.0000020656503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2325771665.000002787649C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364533799.00000278764AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3383977149.0000020656503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2312307477.000002787EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337872276.000002787EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323532812.000002787EE96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2388605131.0000027874C19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389829751.0000027874747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341842655.0000027874C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2321939236.00002B70BB903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2312307477.000002787EE9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337872276.000002787EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389829751.0000027874747000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2362509064.000002787DF39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324748395.000002787DF38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2393473782.0000027873870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352256814.0000027873859000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358346579.00000278738C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49881 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_62509f46-f36d-43f4-b484-92eecbcf07b2.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_62509f46-f36d-43f4-b484-92eecbcf07b2.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre