Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560660
MD5:	51357ae78c6b77c5901de126fcb38df3
SHA1:	5b94c30c47960dcc2fe2972dfa54e8e96171410d
SHA256:	2b1dfc50f7374f9cef49b0a56e9aff668ed419dc9a435ba4e03585fab9caf12d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 51357AE78C6B77C5901DE126FCB38DF3)

taskkill.exe (PID: 7064 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3176 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6524 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1480 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3924 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7056 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6192 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6004 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6468 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bfec4f-8bcf-4d6f-b626-04387efa2974} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a2f46eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7704 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10031ad-d078-474c-8684-1fba315fc059} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a3efea410 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8124 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3700 -prefMapHandle 4944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d12597e1-e262-4865-b922-edddb2660612} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a419efd10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6564	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0047EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0047EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0047ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0047EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0046AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00499576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00499576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f3f472be-8
Source: file.exe, 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bc5c11ea-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e1238373-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7393fbb7-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7EE2B77 NtQuerySystemInformation,		17_2_0000020AC7EE2B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7F1AA32 NtQuerySystemInformation,		17_2_0000020AC7F1AA32

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0046D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00461201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00461201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0046E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BF40	0_2_0040BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00472046	0_2_00472046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408060	0_2_00408060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00468298	0_2_00468298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E4FF	0_2_0043E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043676B	0_2_0043676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00494873	0_2_00494873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CAF0	0_2_0040CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CAA0	0_2_0042CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CC39	0_2_0041CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00436DD9	0_2_00436DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B119	0_2_0041B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004091C0	0_2_004091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421394	0_2_00421394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421706	0_2_00421706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042781B	0_2_0042781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041997D	0_2_0041997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407920	0_2_00407920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004219B0	0_2_004219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00427A4A	0_2_00427A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421C77	0_2_00421C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00427CA7	0_2_00427CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048BE44	0_2_0048BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439EEE	0_2_00439EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421F32	0_2_00421F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7EE2B77	17_2_0000020AC7EE2B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7F1AA32	17_2_0000020AC7F1AA32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7F1B15C	17_2_0000020AC7F1B15C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000020AC7F1AA72	17_2_0000020AC7F1AA72

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00420A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00409CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/33@64/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004737B5 GetLastError,FormatMessageW,

0_2_004737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004610BF AdjustTokenPrivileges,CloseHandle,		0_2_004610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0046D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258341105.0000013A42A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254656877.0000013A4AF0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2249259870.0000013A4B456000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364027539.0000013A4ACC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	Virustotal: Detection: 48%
Source: file.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bfec4f-8bcf-4d6f-b626-04387efa2974} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a2f46eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10031ad-d078-474c-8684-1fba315fc059} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a3efea410 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3700 -prefMapHandle 4944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d12597e1-e262-4865-b922-edddb2660612} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a419efd10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bfec4f-8bcf-4d6f-b626-04387efa2974} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a2f46eb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10031ad-d078-474c-8684-1fba315fc059} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a3efea410 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3700 -prefMapHandle 4944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d12597e1-e262-4865-b922-edddb2660612} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a419efd10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2226972111.0000013A3CBAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2226972111.0000013A3CBAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2226204580.0000013A3CBA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2224344139.0000013A3CBAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2226204580.0000013A3CBA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2224344139.0000013A3CBAD000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00420A76 push ecx; ret

0_2_00420A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0041F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00491C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96193

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000020AC7EE2B77 rdtsc

17_2_0000020AC7EE2B77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C2A2 FindFirstFileExW,	0_2_0043C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004768EE FindFirstFileW,FindClose,	0_2_004768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0047698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00479642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00479B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00475C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00475C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: firefox.exe, 00000011.00000002.3347291552.0000020AC767A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW _
Source: firefox.exe, 00000011.00000002.3355036134.0000020AC8000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/)\|
Source: firefox.exe, 00000010.00000002.3356017992.000002CB4C740000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3349789412.000002CB4BFCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3355036134.0000020AC8000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3347452791.0000018FF6CCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3354149203.0000018FF7100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3354769956.000002CB4C31A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3355036134.0000020AC8000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: firefox.exe, 00000010.00000002.3356017992.000002CB4C740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr/
Source: firefox.exe, 00000010.00000002.3349789412.000002CB4BFCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW08
Source: firefox.exe, 00000010.00000002.3356017992.000002CB4C740000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3349789412.000002CB4BFCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3355036134.0000020AC8000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000020AC7EE2B77 rdtsc

17_2_0000020AC7EE2B77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047EAA2 BlockInput,

0_2_0047EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00432622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00432622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00424CE8 mov eax, dword ptr fs:[00000030h]

0_2_00424CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00460B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00432622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004209D5 SetUnhandledExceptionFilter,	0_2_004209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00420C21

Source: C:\Users\user\Desktop\file.exe

0_2_00461201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00442BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00442BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046B226 SendInput,keybd_event,

0_2_0046B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00460B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00461663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00461663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00420698 cpuid

0_2_00420698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00478195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00478195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045D27A GetUserNameW,

0_2_0045D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0043B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0043B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6564, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6564, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00481204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00481806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	49%	Virustotal		Browse
file.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2303180149.0000013A4176F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3350416786.0000018FF70C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2337660363.0000013A3F232000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2215367135.0000013A4703D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313962473.0000013A4703E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342752136.0000013A4704E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330256796.0000013A4704D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2167482141.0000013A47323000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169407402.0000013A4731D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3350338576.000002CB4C1E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3349266217.0000020AC79EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3354455428.0000018FF7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3349266217.0000020AC7986000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3350416786.0000018FF708E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2312565215.0000013A475F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372225260.0000013A475F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2339880738.0000013A3EC64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177342700.0000013A3FE64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2214697764.0000013A4B3BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346871579.0000013A4B2AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251249847.0000013A4B2A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2370304976.0000013A3F09C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2367525996.0000013A400DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332999777.0000013A400D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2146358783.0000013A3F51D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146964883.0000013A3F58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146831112.0000013A3F56F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146685348.0000013A3F553000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146531091.0000013A3F538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146164608.0000013A3F300000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2367970797.0000013A3FDDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316552839.0000013A4148B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324206757.0000013A414A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2255018632.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214894847.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300869379.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329470600.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347982931.0000013A4ACAD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2326434221.0000013A40EBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146531091.0000013A3F538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146164608.0000013A3F300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215088981.0000013A470D7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2370410417.0000013A3F095000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2146358783.0000013A3F51D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146831112.0000013A3F56F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146685348.0000013A3F553000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146531091.0000013A3F538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146164608.0000013A3F300000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2334177536.0000013A42A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343012012.0000013A42AE0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2338060027.0000013A3EED6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2312565215.0000013A475F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372225260.0000013A475F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2348070347.0000013A4AC2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2248971904.0000013A4B9BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2369961265.0000013A3F0DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2253498080.0000013A4B038000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2368294180.0000013A3FDBD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2248971904.0000013A4B9BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3349266217.0000020AC7903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3350416786.0000018FF700C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2191409355.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191785623.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2365307432.0000013A47549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348856672.0000013A47545000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2339880738.0000013A3EC64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2348249535.0000013A4AC11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3350416786.0000018FF70C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2372094426.0000013A47833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337299253.0000013A3F254000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2191409355.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191785623.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2348338542.0000013A4A8EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2215367135.0000013A4702A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314071306.0000013A47024000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2339880738.0000013A3ECB7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2363138945.0000013A4AF24000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3350338576.000002CB4C1E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3349266217.0000020AC79EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3354455428.0000018FF7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3350338576.000002CB4C1E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3349266217.0000020AC79EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3354455428.0000018FF7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2253498080.0000013A4B038000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3350416786.0000018FF7013000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2339880738.0000013A3EC64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3348801621.0000018FF6D80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2299098151.0000013A419A3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2374916649.0000013A40E82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352043666.0000013A40E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2370186957.0000013A3F0C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337713117.0000013A3F0C3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000E.00000003.2253498080.0000013A4B038000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2328325094.0000013A3FAC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327294496.0000013A3FC2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337713117.0000013A3F0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254781543.0000013A473D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2151414121.0000013A3F662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2150868494.0000013A3F65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275048570.0000013A473E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311160137.0000013A4185D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269978177.0000013A41A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269978177.0000013A41A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327665039.0000013A3FA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212152780.0000013A4B958000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269391461.0000013A416C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338322460.0000013A3EE28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260348380.0000013A3FA83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213443141.0000013A4B4AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260377179.0000013A429B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297752441.0000013A41F97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353403048.0000013A40662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169355183.0000013A473B3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://youtube.com/	firefox.exe, 0000000E.00000003.2255708917.0000013A4978E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339351547.0000013A3EDA3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2260377179.0000013A429A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368294180.0000013A3FDBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2260377179.0000013A429A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368294180.0000013A3FDBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2374916649.0000013A40E82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352043666.0000013A40E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2169407402.0000013A4731D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2177342700.0000013A3FE64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326434221.0000013A40E9C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2249855000.0000013A4B40F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2337713117.0000013A3F0C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369961265.0000013A3F0D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2302381526.0000013A417EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345275409.0000013A417F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298392964.0000013A417E2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2296034650.0000013A478AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2191409355.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191785623.0000013A4017E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2337713117.0000013A3F0C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369961265.0000013A3F0D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.	firefox.exe, 0000000E.00000003.2184378008.0000013A415ED000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2348249535.0000013A4AC11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2368294180.0000013A3FD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3353919782.000002CB4C200000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353227058.0000020AC7E60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3349878681.0000018FF6E80000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560660
Start date and time:	2024-11-22 05:15:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/33@64/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.80.238.59, 52.12.64.98, 35.164.125.63, 23.218.208.109, 172.217.17.42, 172.217.17.74, 172.217.17.78, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): shavar.prod.mozaws.net, fs.microsoft.com, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6004 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:16:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://365214tesauppeortbasd132.z26.web.core.windows.net/#	Get hash	malicious	TechSupportScam	Browse	151.101.193.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	88a4dd8-Contract Agreement-Final378208743.pdf	Get hash	malicious	Unknown	Browse	151.101.193.140
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.116.198.130
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.17.245.196
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.77.218.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc892ae5-8467-4b84-b8a5-41b0e58678f4.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17802293760965
Encrypted:	false
SSDEEP:	192:fgKMX4a1cbhbVbTbfbRbObtbyEl7n4rkJA6wnSrDtTkd/SF:4PBcNhnzFSJYr3jnSrDhkd/I
MD5:	B3C44C51273F8EC53606726404FEC946
SHA1:	1FCE6445A1B1BFF0DF32BB9378D1E5890E649187
SHA-256:	98202F6C63BAC2169A4A0A6346663D685D54A41A50528BA595C68C2024E3D23B
SHA-512:	0A4E4453A3F851FFB578605FF33A3CEDF36F3C41CD14280272391B3D938A983DC4736B24B3B34ECC01EDE36460899E73583ECD0DA8238C3F4E419516C46E36A5
Malicious:	false
Preview:	{"type":"uninstall","id":"cc892ae5-8467-4b84-b8a5-41b0e58678f4","creationDate":"2024-11-22T06:04:13.314Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc892ae5-8467-4b84-b8a5-41b0e58678f4.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17802293760965
Encrypted:	false
SSDEEP:	192:fgKMX4a1cbhbVbTbfbRbObtbyEl7n4rkJA6wnSrDtTkd/SF:4PBcNhnzFSJYr3jnSrDhkd/I
MD5:	B3C44C51273F8EC53606726404FEC946
SHA1:	1FCE6445A1B1BFF0DF32BB9378D1E5890E649187
SHA-256:	98202F6C63BAC2169A4A0A6346663D685D54A41A50528BA595C68C2024E3D23B
SHA-512:	0A4E4453A3F851FFB578605FF33A3CEDF36F3C41CD14280272391B3D938A983DC4736B24B3B34ECC01EDE36460899E73583ECD0DA8238C3F4E419516C46E36A5
Malicious:	false
Preview:	{"type":"uninstall","id":"cc892ae5-8467-4b84-b8a5-41b0e58678f4","creationDate":"2024-11-22T06:04:13.314Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927911102311711
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNJ9Mxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6LSG8P
MD5:	143D2DE3E297157E971B2106B0E3B96D
SHA1:	51483CA6B2367E347AE183659969A6F2C6073603
SHA-256:	537FB05E49B0BEEFF6BE80ED9BD9E0CB0581545BA3691F88B13FDD43CA775B42
SHA-512:	650939030B6CAF1C03BDC47DC8378A523B7CFDC1297816612115C2648E49464225959E5881D04FCA9A79D0E747B601245F1A2A278025BDB452D89695C01F9F52
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927911102311711
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNJ9Mxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6LSG8P
MD5:	143D2DE3E297157E971B2106B0E3B96D
SHA1:	51483CA6B2367E347AE183659969A6F2C6073603
SHA-256:	537FB05E49B0BEEFF6BE80ED9BD9E0CB0581545BA3691F88B13FDD43CA775B42
SHA-512:	650939030B6CAF1C03BDC47DC8378A523B7CFDC1297816612115C2648E49464225959E5881D04FCA9A79D0E747B601245F1A2A278025BDB452D89695C01F9F52
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330224853718327
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkidn:DLhesh7Owd4+ji5
MD5:	7693E7187D459A3F3FD954E9540E0553
SHA1:	2781212D347286F85DFA1AFBF281E829E7B3AFFE
SHA-256:	56C980A74937E7B1F836BE41A4318DDB67CC5C84CFFF382DFDC8601B783EBFEF
SHA-512:	17383EFD7A8926A2762AF365BE1C76257099A51C803CBE40FEA2BCB52C5BBC1B2C6CFBC833D1678B62973B1A6251BC3036775DCE24D4772E07BA293DB117B788
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstF9XZylt1F7To/3lstF9XZylt1F7L/x89//alEl:GtWtCvpo3WtCvx/x89XuM
MD5:	15349B1AC6409890500174D4D63464D3
SHA1:	32B596CFF5B434BFCA8D79EF7A1D9C5DF8D1BDD1
SHA-256:	4EB61C5A3AE4D31561E0C47BD1207C9E3B40B4FB4459CEC8E70C9CE3425B2FFD
SHA-512:	22904CB2AD6BD27C1E46DA8C2EAD3BF48695092E531CA568BDFC432A86A17623E331ED60FC426874EBDEB2170D469E8C87AE4EAC822DE14F4BADB0F0AEED4973
Malicious:	false
Preview:	..-.......................W...[....V.0...\|./..-.......................W...[....V.0...\|./........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03972939710481977
Encrypted:	false
SSDEEP:	3:Ol1+pz8AaIYR/f+h9kxV+lX7l8rEXsxdwhml8XW3R2:Kod8GkxVarl8dMhm93w
MD5:	C25561CE80D206A90620F2D84F2D10CF
SHA1:	A35AFA32F20CA1B4BFDA26D70DB44FC2562169EA
SHA-256:	2702C66591BC50BBDC125D470A1E9847D760F667BA6D32A80DF0071793D64CF7
SHA-512:	808D79705EDC9F42DC1B5E938F1697D773B685EF3E7B3B87F07F5901D335E8A6B91BBD3FB231BFA525B8E9900C4C9F4FF13A3D5CE484C96CF615591A73D18221
Malicious:	false
Preview:	7....-..........[....V....nY...........[....V...*...W................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477524055880121
Encrypted:	false
SSDEEP:	192:AKnPOeRnLYbBp6JJ0aX+r6SEXKZ3NKZ5RHWNBw8dZSl:ZDegJU+MdWHEwW0
MD5:	5C340B139C0FE8BC9CAF0627784CF349
SHA1:	B0CA8F635297373B3D5FB02A9439CACDE756393B
SHA-256:	69A92B89C3612AD4E77DB59C76CAE29FBC3EB6F21AFFE96B5476CAA6B9417286
SHA-512:	A9493C68EDE43E33B3FE2EC5A051E599B695E4E699542C8A7D4D4E4A3F5B2BA8CD773E5BD3C5AF2D3C58BD0E1083126D6175E48A574F19507A0BCDBCD65FA260
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732255423);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732255423);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732255423);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173225

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477524055880121
Encrypted:	false
SSDEEP:	192:AKnPOeRnLYbBp6JJ0aX+r6SEXKZ3NKZ5RHWNBw8dZSl:ZDegJU+MdWHEwW0
MD5:	5C340B139C0FE8BC9CAF0627784CF349
SHA1:	B0CA8F635297373B3D5FB02A9439CACDE756393B
SHA-256:	69A92B89C3612AD4E77DB59C76CAE29FBC3EB6F21AFFE96B5476CAA6B9417286
SHA-512:	A9493C68EDE43E33B3FE2EC5A051E599B695E4E699542C8A7D4D4E4A3F5B2BA8CD773E5BD3C5AF2D3C58BD0E1083126D6175E48A574F19507A0BCDBCD65FA260
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732255423);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732255423);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732255423);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173225

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.33718107247592
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSkmELXnIr2/pnxQwRcWT5sKmgb0D3eHVpjO+GamhujJwO2c0TiVm0w:GUpOx5nnRcoegq3erjxG4Jwc3zBtNm
MD5:	54F18DE2B06501B401C1DA184BCAC854
SHA1:	C07D174D9728B90C6BD7FC3006C34676D4A67D4B
SHA-256:	8CA731DAD25615506E92AF7EDE9C3333FC04223C73E6E1037C2CEDA1B72B3B16
SHA-512:	3B1A7A4D864830E5C296C185AABECEC2775C52A8169D7DC0CC7494CD26DB788F08B1CC585984556560A631B7BA7CB536E3DCC250AC82F0B0647EC6584AD9BD1F
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{c0469960-e982-432c-965a-e4d1a4ddab2c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732255414106,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..`393029...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....397709,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.33718107247592
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSkmELXnIr2/pnxQwRcWT5sKmgb0D3eHVpjO+GamhujJwO2c0TiVm0w:GUpOx5nnRcoegq3erjxG4Jwc3zBtNm
MD5:	54F18DE2B06501B401C1DA184BCAC854
SHA1:	C07D174D9728B90C6BD7FC3006C34676D4A67D4B
SHA-256:	8CA731DAD25615506E92AF7EDE9C3333FC04223C73E6E1037C2CEDA1B72B3B16
SHA-512:	3B1A7A4D864830E5C296C185AABECEC2775C52A8169D7DC0CC7494CD26DB788F08B1CC585984556560A631B7BA7CB536E3DCC250AC82F0B0647EC6584AD9BD1F
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{c0469960-e982-432c-965a-e4d1a4ddab2c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732255414106,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..`393029...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....397709,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029452873446563
Encrypted:	false
SSDEEP:	96:yclMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:sTEr5NX0z3DhRe
MD5:	9544B78BB40CBB6A2A43622126685D47
SHA1:	3BF7575CB5B0FCA1677F4BA33EA52B67F2295194
SHA-256:	6F5C90DFAE25CEF7CF52A0D98BD3324FD6066BBAE01889B0DD996F8547E88C60
SHA-512:	C5CBCA48AD64CD994E43DD9B87B23009D4510EBCFA64FF5B6F7072ED5C3993F021C708771D1441A088217DC18C76E01F72B723A3E3BDE912238A756A70DD82DC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-22T06:03:21.868Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029452873446563
Encrypted:	false
SSDEEP:	96:yclMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:sTEr5NX0z3DhRe
MD5:	9544B78BB40CBB6A2A43622126685D47
SHA1:	3BF7575CB5B0FCA1677F4BA33EA52B67F2295194
SHA-256:	6F5C90DFAE25CEF7CF52A0D98BD3324FD6066BBAE01889B0DD996F8547E88C60
SHA-512:	C5CBCA48AD64CD994E43DD9B87B23009D4510EBCFA64FF5B6F7072ED5C3993F021C708771D1441A088217DC18C76E01F72B723A3E3BDE912238A756A70DD82DC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-22T06:03:21.868Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592738293732515
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	51357ae78c6b77c5901de126fcb38df3
SHA1:	5b94c30c47960dcc2fe2972dfa54e8e96171410d
SHA256:	2b1dfc50f7374f9cef49b0a56e9aff668ed419dc9a435ba4e03585fab9caf12d
SHA512:	1bae6e269d1d01c05962ec997e11e2316b4e5bc85f54c2472ec2e261b708e3aa67d3cd7f3bfb9fab48550eed01322c3c4c0cdf3f646eb7a9e5f022bf0d86adb4
SSDEEP:	12288:8qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga6Tn:8qDEvCTbMWu7rQYlBQcBiT6rprG8aKn
TLSH:	9E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67400401 [Fri Nov 22 04:09:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FAEF4EA7DF3h
jmp 00007FAEF4EA76FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FAEF4EA78DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FAEF4EA78AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FAEF4EAA49Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FAEF4EAA4E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FAEF4EAA4D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa9b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa9b8	0xaa00	d2057fbc960f9a4e66a828a274286b20	False	0.3771829044117647	data	5.6533396361675505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1c7e	data			1.0015080888401426
RT_GROUP_ICON	0xde438	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde4b0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde4c4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde4d8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde4ec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde5c8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 05:16:12.994677067 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:12.994731903 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:12.994966030 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:12.999787092 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:12.999811888 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:13.812468052 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.812498093 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:13.813698053 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.815299988 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.815321922 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:13.916954994 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.917072058 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:13.917541981 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.919030905 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:13.919068098 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:14.096936941 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:14.216623068 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:14.216865063 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:14.217147112 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:14.271372080 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:14.271467924 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:14.282023907 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:14.282046080 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:14.282171965 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:14.282622099 CET	443	49710	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:14.282850027 CET	49710	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:14.336651087 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:14.866352081 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:14.866374969 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:14.871165991 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:14.872786045 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:14.872802019 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:15.045917988 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:15.045943022 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:15.046367884 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:15.046525955 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:15.046531916 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:15.047102928 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:15.047111034 CET	443	49717	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:15.047384977 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:15.048846006 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:15.048857927 CET	443	49717	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:15.348102093 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:15.359586000 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:15.359635115 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:15.359800100 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:15.359970093 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:15.359985113 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:15.403794050 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:15.531517029 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:15.569499016 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.569868088 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.570905924 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.571078062 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.575639963 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.575651884 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.575766087 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.575906038 CET	443	49711	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.575965881 CET	49711	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.620764971 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.621766090 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.622742891 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.622778893 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.628412962 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.628431082 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.628585100 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.628639936 CET	443	49712	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.628705025 CET	49712	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.629082918 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.629120111 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.629374981 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.630786896 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:15.630805016 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:15.651148081 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:15.651254892 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:15.651442051 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:15.770920992 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.143383980 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.143476009 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.148929119 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.148936033 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.149085045 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.149183989 CET	443	49715	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.149267912 CET	49715	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.149528027 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.149553061 CET	443	49721	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.150054932 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.151460886 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.151475906 CET	443	49721	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.269198895 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.269277096 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.272882938 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.272891045 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.273293018 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.276175976 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.276281118 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.276344061 CET	443	49716	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.276431084 CET	49716	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.277842999 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.281733990 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.542792082 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.691739082 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.788503885 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.788583040 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.788677931 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.788878918 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.789329052 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.789381027 CET	49713	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.789403915 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.789669037 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.789737940 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:16.799335003 CET	443	49717	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.803035021 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.806881905 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:16.807503939 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.807513952 CET	443	49717	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.807590008 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.807712078 CET	443	49717	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.811266899 CET	80	49713	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.811348915 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:16.817981005 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.821002960 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.821017027 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:16.821638107 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:16.822995901 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.823141098 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.823379993 CET	443	49718	34.160.144.191	192.168.2.5
Nov 22, 2024 05:16:16.824374914 CET	49717	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.824421883 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.824455023 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.824455023 CET	49718	443	192.168.2.5	34.160.144.191
Nov 22, 2024 05:16:16.825545073 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:16.825561047 CET	443	49725	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:16.825829029 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:16.825839996 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:16.825850010 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:16.825915098 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:16.827198029 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:16.827208996 CET	443	49725	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:16.828619003 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:16.828630924 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:16.828980923 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.829020023 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.829144955 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.829220057 CET	443	49728	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.829657078 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.829758883 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.829807043 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:16.829822063 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:16.831299067 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:16.831346035 CET	443	49728	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:16.909183979 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.909625053 CET	80	49719	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:16.913789988 CET	49719	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:17.095495939 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:17.095556021 CET	443	49729	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:17.095925093 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:17.097383022 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:17.097404957 CET	443	49729	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:17.330451012 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:17.330539942 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:17.331460953 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:17.331547022 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:17.335068941 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:17.335099936 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:17.335125923 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:17.335349083 CET	443	49720	142.250.181.142	192.168.2.5
Nov 22, 2024 05:16:17.340162992 CET	49720	443	192.168.2.5	142.250.181.142
Nov 22, 2024 05:16:17.824582100 CET	443	49721	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:17.824863911 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:17.842983007 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:17.842997074 CET	443	49721	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:17.843082905 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:17.843174934 CET	443	49721	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:17.844006062 CET	49721	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:17.875880957 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:17.934689045 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:18.053628922 CET	443	49728	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:18.053714991 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:18.093305111 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:18.093416929 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:18.094887018 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:18.094950914 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:18.097454071 CET	443	49725	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:18.097522974 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:18.112175941 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:18.112198114 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:18.112966061 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:18.113785982 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:18.118166924 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:18.118199110 CET	443	49728	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:18.118262053 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:18.118374109 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:18.118385077 CET	443	49725	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:18.118446112 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:18.118746996 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:18.118757963 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:18.118782043 CET	443	49728	34.117.188.166	192.168.2.5
Nov 22, 2024 05:16:18.118794918 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:18.118870974 CET	443	49725	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:18.118985891 CET	443	49726	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:18.119107008 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:18.119107008 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:18.119525909 CET	443	49727	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:18.119736910 CET	49728	443	192.168.2.5	34.117.188.166
Nov 22, 2024 05:16:18.119745970 CET	49725	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:18.119759083 CET	49726	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:18.119782925 CET	49727	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:18.233442068 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:18.233546019 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:18.233784914 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:18.353279114 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:18.377310991 CET	443	49729	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:18.377404928 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:18.381516933 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:18.381555080 CET	443	49729	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:18.381599903 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:18.381810904 CET	443	49729	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:18.381917953 CET	49729	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:18.761756897 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:18.881685019 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:19.076948881 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:19.122354031 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:19.412250996 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:19.463011980 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:20.367791891 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:20.399662971 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.399677992 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.400952101 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.401077032 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.401087999 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.487371922 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:20.497839928 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.497853041 CET	443	49734	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.498050928 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.498061895 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.498313904 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.498332977 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.499757051 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.499771118 CET	443	49734	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.500022888 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:20.500035048 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:20.691715956 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:20.740583897 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:21.661201954 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.661366940 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.664612055 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.664618015 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.664849043 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.668890953 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.669008970 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.669011116 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.669022083 CET	443	49733	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.669167995 CET	49733	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.758554935 CET	443	49734	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.761233091 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.763798952 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.765362024 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.775110006 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.775122881 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.775934935 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.821477890 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.821496964 CET	443	49734	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.821576118 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.821738958 CET	443	49734	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.821943998 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.822434902 CET	49734	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:21.822540045 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:21.822776079 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:23.424182892 CET	49735	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:23.424201012 CET	443	49735	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:23.424472094 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:23.544447899 CET	80	49723	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:23.544519901 CET	49723	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:27.264981031 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:27.384515047 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:27.558760881 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:27.558775902 CET	443	49752	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:27.563811064 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:27.565443993 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:27.565455914 CET	443	49752	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:27.579587936 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:27.633361101 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:28.282310009 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:28.282330036 CET	443	49753	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:28.284858942 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:28.875298023 CET	443	49752	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:28.875391960 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:29.119299889 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:29.119328022 CET	443	49753	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:29.121793032 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:29.121802092 CET	443	49752	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:29.121865034 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:29.122268915 CET	443	49752	34.120.208.123	192.168.2.5
Nov 22, 2024 05:16:29.125315905 CET	49752	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:16:29.707668066 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:29.827140093 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:30.031563044 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:30.087776899 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:30.093869925 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:30.207340002 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:30.348763943 CET	443	49753	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:30.348858118 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:30.402633905 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:30.457242012 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:31.283592939 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:31.284389019 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:31.284416914 CET	443	49753	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:31.284467936 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:31.285092115 CET	443	49753	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:31.285461903 CET	49753	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:31.403166056 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:31.607502937 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:31.660783052 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:31.748339891 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:31.867835999 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:32.063183069 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:32.115364075 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:32.606601954 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:32.726174116 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:32.930788040 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:32.980251074 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:41.634572029 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:41.634634972 CET	443	49785	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:41.634963036 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:41.636487961 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:41.636527061 CET	443	49785	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:41.654844999 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:41.654869080 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:41.657959938 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:41.658097982 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:41.658123970 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:41.794792891 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:41.794811010 CET	443	49787	35.201.103.21	192.168.2.5
Nov 22, 2024 05:16:41.796264887 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:41.797691107 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:41.797704935 CET	443	49787	35.201.103.21	192.168.2.5
Nov 22, 2024 05:16:41.801615000 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:41.801650047 CET	443	49788	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:41.801858902 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:41.803232908 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:41.803261995 CET	443	49788	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:41.857156992 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:41.857187033 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:41.857403994 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:41.857503891 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:41.857512951 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:42.038337946 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:42.038434982 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:42.038765907 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:42.038899899 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:42.038949013 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:42.075666904 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:42.195173979 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:42.918771029 CET	443	49785	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:42.918884993 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:42.919538975 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.919626951 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.924201965 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.924218893 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.924593925 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.927936077 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:42.927963972 CET	443	49785	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:42.928086042 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:42.928174019 CET	443	49785	35.190.72.216	192.168.2.5
Nov 22, 2024 05:16:42.928442001 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.928561926 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.928704977 CET	443	49786	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.929070950 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.929112911 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.929763079 CET	49785	443	192.168.2.5	35.190.72.216
Nov 22, 2024 05:16:42.929763079 CET	49786	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.929801941 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.929970980 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:42.929997921 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:42.932089090 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:42.947125912 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:43.051738024 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.066621065 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.132128954 CET	443	49788	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:43.132334948 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:43.134182930 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:43.134421110 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:43.134917021 CET	443	49787	35.201.103.21	192.168.2.5
Nov 22, 2024 05:16:43.135319948 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:43.140692949 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:43.140714884 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:43.141474962 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:43.145566940 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:43.145617008 CET	443	49788	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:43.145869970 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:43.146024942 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:43.146038055 CET	443	49787	35.201.103.21	192.168.2.5
Nov 22, 2024 05:16:43.146069050 CET	443	49788	34.107.243.93	192.168.2.5
Nov 22, 2024 05:16:43.146151066 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:43.146249056 CET	443	49787	35.201.103.21	192.168.2.5
Nov 22, 2024 05:16:43.146645069 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:43.146704912 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:43.147135973 CET	443	49789	151.101.1.91	192.168.2.5
Nov 22, 2024 05:16:43.147804976 CET	49788	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:16:43.147810936 CET	49787	443	192.168.2.5	35.201.103.21
Nov 22, 2024 05:16:43.147833109 CET	49789	443	192.168.2.5	151.101.1.91
Nov 22, 2024 05:16:43.158163071 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.158205986 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.158730030 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.158890009 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.158900023 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.160741091 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.160789013 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.162133932 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.163501978 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.163516998 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.164444923 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.164453983 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.165005922 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.165167093 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.165173054 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.172775030 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:43.172799110 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:43.173022032 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:43.173161983 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:43.173172951 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:43.246501923 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.249836922 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:43.280623913 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.280740023 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.284631968 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.284651041 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.284989119 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.287412882 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.287529945 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.287599087 CET	443	49790	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:43.287743092 CET	49790	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:43.290946007 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:43.369473934 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.410494089 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.573741913 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.606758118 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.613934994 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:43.664854050 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:43.733643055 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.938086987 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:43.981347084 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:44.347345114 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.347461939 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.350491047 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.350521088 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.351393938 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.352744102 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.352838039 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.352930069 CET	443	49792	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.354331970 CET	49792	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.356189013 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:44.475697041 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:44.511240005 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.511343002 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.514238119 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.514250040 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.514571905 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.516486883 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.516588926 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.516673088 CET	443	49795	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.516767025 CET	49795	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.538276911 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.538356066 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.539201975 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.541073084 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.541080952 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.541292906 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.541328907 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.543741941 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.543759108 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.544054031 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.546021938 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.546117067 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.546176910 CET	443	49793	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.547055960 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.547123909 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.547234058 CET	443	49794	35.244.181.201	192.168.2.5
Nov 22, 2024 05:16:44.551418066 CET	49793	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.551440001 CET	49794	443	192.168.2.5	35.244.181.201
Nov 22, 2024 05:16:44.557952881 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.558032990 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.560792923 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.560801029 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.561113119 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.562791109 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.562868118 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.562939882 CET	443	49796	34.149.100.209	192.168.2.5
Nov 22, 2024 05:16:44.563016891 CET	49796	443	192.168.2.5	34.149.100.209
Nov 22, 2024 05:16:44.671132088 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:44.673916101 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:44.714617014 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:44.793445110 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:44.998125076 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:45.037631989 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:54.681106091 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:54.800558090 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:16:54.997558117 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:16:55.117121935 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:03.389542103 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:03.389580011 CET	443	49843	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:03.390140057 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:03.391637087 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:03.391649008 CET	443	49843	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:04.668045998 CET	443	49843	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:04.668315887 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:04.673696995 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:04.673705101 CET	443	49843	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:04.673810959 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:04.673914909 CET	443	49843	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:04.674608946 CET	49843	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:04.677097082 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:04.796565056 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:04.996217012 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:05.000266075 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:05.041943073 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:05.119724035 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:05.324230909 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:05.374147892 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:12.172797918 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.172910929 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:12.172924995 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.172970057 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:12.173363924 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.173553944 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.173562050 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.173598051 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:12.173659086 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:12.173672915 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.401994944 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.411362886 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.417620897 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.421617031 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.421639919 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.422591925 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.423681021 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.423808098 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.424062967 CET	443	49864	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.428014994 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:13.428586006 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.428586960 CET	49864	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.433696032 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.434468985 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.437263966 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.437278986 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.437612057 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.440879107 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.441004992 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.441076040 CET	443	49865	34.120.208.123	192.168.2.5
Nov 22, 2024 05:17:13.442678928 CET	49865	443	192.168.2.5	34.120.208.123
Nov 22, 2024 05:17:13.547502995 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:13.743122101 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:13.749511003 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:13.787547112 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:13.869086981 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:14.073220015 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:14.119669914 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:23.767333031 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:23.886779070 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:24.083986998 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:24.203469038 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:33.896155119 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:34.015604973 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:34.212580919 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:34.332813025 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:44.024784088 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:44.144239902 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:44.341136932 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:44.460572004 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:45.451945066 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:45.451967955 CET	443	49940	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:45.454118967 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:45.455663919 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:45.455676079 CET	443	49940	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:46.783982038 CET	443	49940	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:46.787945032 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:46.793005943 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:46.793011904 CET	443	49940	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:46.793128014 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:46.793633938 CET	443	49940	34.107.243.93	192.168.2.5
Nov 22, 2024 05:17:46.794249058 CET	49940	443	192.168.2.5	34.107.243.93
Nov 22, 2024 05:17:46.796386003 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:46.915821075 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:47.111082077 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:47.115787983 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:47.165052891 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:47.235266924 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:47.439455032 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:47.497190952 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:57.123807907 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:57.243350029 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:17:57.462666988 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:17:57.582215071 CET	80	49731	34.107.221.82	192.168.2.5
Nov 22, 2024 05:18:07.253285885 CET	49724	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:18:07.372869968 CET	80	49724	34.107.221.82	192.168.2.5
Nov 22, 2024 05:18:07.591795921 CET	49731	80	192.168.2.5	34.107.221.82
Nov 22, 2024 05:18:07.711261034 CET	80	49731	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 05:16:12.996032000 CET	57408	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.344697952 CET	53	57408	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:13.384629011 CET	53608	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.621503115 CET	53	53608	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:13.673351049 CET	57700	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.673649073 CET	57313	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.811275959 CET	53	57313	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:13.813657045 CET	65203	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.813752890 CET	57797	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.951814890 CET	53	65203	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:13.955143929 CET	53	57797	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:13.956479073 CET	64141	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:13.956990957 CET	61531	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:14.093422890 CET	53	64141	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:14.097237110 CET	53	61531	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:14.279301882 CET	62474	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:14.416393995 CET	53	62474	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:14.867063046 CET	53968	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:14.908165932 CET	58036	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.003860950 CET	53	53968	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.005074978 CET	51780	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.045475006 CET	53	58036	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.046133995 CET	50806	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.047301054 CET	49830	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.142014027 CET	53	51780	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.184045076 CET	53	50806	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.185102940 CET	53	49830	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.185281992 CET	54451	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.185722113 CET	61249	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.221132994 CET	51584	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.323026896 CET	53	54451	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.323060989 CET	53	61249	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.358306885 CET	53	51584	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.360021114 CET	64914	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.382388115 CET	59813	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.392086983 CET	58466	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.392999887 CET	63150	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.497977972 CET	53	64914	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.502687931 CET	64885	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:15.520524979 CET	53	59813	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.528786898 CET	53	58466	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.640738964 CET	53	64885	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:15.748635054 CET	58734	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.225323915 CET	53421	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.451471090 CET	53111	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.805496931 CET	53	53421	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:16.806200981 CET	53	53111	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:16.818968058 CET	54241	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.826164961 CET	55481	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.955950975 CET	53	54241	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:16.957433939 CET	57915	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:16.962867975 CET	53	55481	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:16.965210915 CET	62380	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:17.028692007 CET	53	54405	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:17.030081987 CET	54813	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:17.094355106 CET	53	57915	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:17.102819920 CET	53	62380	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:17.167504072 CET	53	54813	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:17.281845093 CET	53490	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:17.418713093 CET	53	53490	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.362050056 CET	55998	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.499233007 CET	53	55998	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.500766993 CET	62721	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.638261080 CET	53	62721	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.639162064 CET	55692	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.779623032 CET	63217	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.779824018 CET	61509	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.916623116 CET	53	63217	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.916893005 CET	53	61509	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.917597055 CET	61516	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.918718100 CET	51118	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:20.945256948 CET	53	55692	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:20.946012020 CET	63228	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.056247950 CET	53	61516	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.056282997 CET	53	51118	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.057141066 CET	63873	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.057157040 CET	54705	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.084086895 CET	53	63228	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.085130930 CET	55575	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.194108009 CET	53	54705	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.194235086 CET	53	63873	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.196842909 CET	53670	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.197233915 CET	56764	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.333569050 CET	53	53670	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.334110022 CET	53	56764	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.334522009 CET	60944	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.335144043 CET	63034	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.397342920 CET	53	55575	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.398166895 CET	63339	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.471927881 CET	53	63034	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.475749969 CET	49617	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.549489975 CET	53	60944	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.550467014 CET	59530	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:21.612576008 CET	53	49617	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.627270937 CET	53	63339	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:21.768162966 CET	53	59530	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:27.559473038 CET	63666	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:27.697231054 CET	53	63666	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:28.282660007 CET	51739	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:28.420723915 CET	53	51739	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.625020981 CET	61377	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.655388117 CET	52781	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.793456078 CET	53	52781	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.795253038 CET	65030	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.802253962 CET	57026	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.856239080 CET	53	61377	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.857372999 CET	54653	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.932503939 CET	53	65030	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.933512926 CET	61179	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:41.939444065 CET	53	57026	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.996550083 CET	53	54653	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:41.997385979 CET	54966	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:42.039499998 CET	51530	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:16:42.070668936 CET	53	61179	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:42.135308027 CET	53	54966	1.1.1.1	192.168.2.5
Nov 22, 2024 05:16:42.176892042 CET	53	51530	1.1.1.1	192.168.2.5
Nov 22, 2024 05:17:03.154891014 CET	59252	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:17:03.388140917 CET	53	59252	1.1.1.1	192.168.2.5
Nov 22, 2024 05:17:03.390074968 CET	64615	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:17:03.527118921 CET	53	64615	1.1.1.1	192.168.2.5
Nov 22, 2024 05:17:12.173281908 CET	59564	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:17:12.310308933 CET	53	59564	1.1.1.1	192.168.2.5
Nov 22, 2024 05:17:13.428497076 CET	55617	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:17:45.452353001 CET	65160	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:17:45.589647055 CET	53	65160	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 05:16:12.996032000 CET	192.168.2.5	1.1.1.1	0x4a2c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.384629011 CET	192.168.2.5	1.1.1.1	0x41e4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:13.673351049 CET	192.168.2.5	1.1.1.1	0xe1fd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.673649073 CET	192.168.2.5	1.1.1.1	0xddd3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.813657045 CET	192.168.2.5	1.1.1.1	0xc457	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.813752890 CET	192.168.2.5	1.1.1.1	0x34f3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.956479073 CET	192.168.2.5	1.1.1.1	0xcb5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:13.956990957 CET	192.168.2.5	1.1.1.1	0xc604	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:14.279301882 CET	192.168.2.5	1.1.1.1	0x84fe	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:14.867063046 CET	192.168.2.5	1.1.1.1	0x369f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:14.908165932 CET	192.168.2.5	1.1.1.1	0xca86	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.005074978 CET	192.168.2.5	1.1.1.1	0xf5ae	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:15.046133995 CET	192.168.2.5	1.1.1.1	0x3418	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.047301054 CET	192.168.2.5	1.1.1.1	0x175a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.185281992 CET	192.168.2.5	1.1.1.1	0xc744	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:15.185722113 CET	192.168.2.5	1.1.1.1	0xae2d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:15.221132994 CET	192.168.2.5	1.1.1.1	0x4724	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.360021114 CET	192.168.2.5	1.1.1.1	0xb9cf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.382388115 CET	192.168.2.5	1.1.1.1	0xee85	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.392086983 CET	192.168.2.5	1.1.1.1	0x4057	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.392999887 CET	192.168.2.5	1.1.1.1	0x46c6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.502687931 CET	192.168.2.5	1.1.1.1	0x5e2b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:15.748635054 CET	192.168.2.5	1.1.1.1	0xcbf3	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.225323915 CET	192.168.2.5	1.1.1.1	0x951d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.451471090 CET	192.168.2.5	1.1.1.1	0xe8b0	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.818968058 CET	192.168.2.5	1.1.1.1	0xd41a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.826164961 CET	192.168.2.5	1.1.1.1	0x1bb0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.957433939 CET	192.168.2.5	1.1.1.1	0x7940	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:16.965210915 CET	192.168.2.5	1.1.1.1	0x82df	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:17.030081987 CET	192.168.2.5	1.1.1.1	0xeb41	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:17.281845093 CET	192.168.2.5	1.1.1.1	0x4a51	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:20.362050056 CET	192.168.2.5	1.1.1.1	0xbd6a	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.500766993 CET	192.168.2.5	1.1.1.1	0xc7e4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.639162064 CET	192.168.2.5	1.1.1.1	0x18bf	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:20.779623032 CET	192.168.2.5	1.1.1.1	0x3649	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.779824018 CET	192.168.2.5	1.1.1.1	0x6ee8	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.917597055 CET	192.168.2.5	1.1.1.1	0x9d74	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.918718100 CET	192.168.2.5	1.1.1.1	0xb199	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.946012020 CET	192.168.2.5	1.1.1.1	0xacc1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.057141066 CET	192.168.2.5	1.1.1.1	0x3866	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:21.057157040 CET	192.168.2.5	1.1.1.1	0x64c8	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:21.085130930 CET	192.168.2.5	1.1.1.1	0x24c4	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.196842909 CET	192.168.2.5	1.1.1.1	0x4ad9	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.197233915 CET	192.168.2.5	1.1.1.1	0x62a0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.334522009 CET	192.168.2.5	1.1.1.1	0xfa2a	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.335144043 CET	192.168.2.5	1.1.1.1	0x82a7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.398166895 CET	192.168.2.5	1.1.1.1	0xc135	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 22, 2024 05:16:21.475749969 CET	192.168.2.5	1.1.1.1	0xe6c5	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:21.550467014 CET	192.168.2.5	1.1.1.1	0xf6b5	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 22, 2024 05:16:27.559473038 CET	192.168.2.5	1.1.1.1	0xb562	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:28.282660007 CET	192.168.2.5	1.1.1.1	0xe930	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:41.625020981 CET	192.168.2.5	1.1.1.1	0x787e	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.655388117 CET	192.168.2.5	1.1.1.1	0xf140	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.795253038 CET	192.168.2.5	1.1.1.1	0xcd19	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.802253962 CET	192.168.2.5	1.1.1.1	0x4314	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:41.857372999 CET	192.168.2.5	1.1.1.1	0xb1a7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.933512926 CET	192.168.2.5	1.1.1.1	0x35d3	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:16:41.997385979 CET	192.168.2.5	1.1.1.1	0x2b40	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 22, 2024 05:16:42.039499998 CET	192.168.2.5	1.1.1.1	0x49f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 22, 2024 05:17:03.154891014 CET	192.168.2.5	1.1.1.1	0x50d5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:17:03.390074968 CET	192.168.2.5	1.1.1.1	0x92fb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:17:12.173281908 CET	192.168.2.5	1.1.1.1	0x5970	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 22, 2024 05:17:13.428497076 CET	192.168.2.5	1.1.1.1	0xe1f9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:17:45.452353001 CET	192.168.2.5	1.1.1.1	0xc497	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 05:16:12.986881971 CET	1.1.1.1	192.168.2.5	0x6061	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.344697952 CET	1.1.1.1	192.168.2.5	0x4a2c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.811275959 CET	1.1.1.1	192.168.2.5	0xddd3	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.811364889 CET	1.1.1.1	192.168.2.5	0xe1fd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:13.811364889 CET	1.1.1.1	192.168.2.5	0xe1fd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.951814890 CET	1.1.1.1	192.168.2.5	0xc457	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:13.955143929 CET	1.1.1.1	192.168.2.5	0x34f3	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:14.093422890 CET	1.1.1.1	192.168.2.5	0xcb5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 22, 2024 05:16:14.097237110 CET	1.1.1.1	192.168.2.5	0xc604	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:14.416393995 CET	1.1.1.1	192.168.2.5	0x84fe	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.003860950 CET	1.1.1.1	192.168.2.5	0x369f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.044907093 CET	1.1.1.1	192.168.2.5	0xeb44	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:15.044907093 CET	1.1.1.1	192.168.2.5	0xeb44	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.045475006 CET	1.1.1.1	192.168.2.5	0xca86	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:15.045475006 CET	1.1.1.1	192.168.2.5	0xca86	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.184045076 CET	1.1.1.1	192.168.2.5	0x3418	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.185102940 CET	1.1.1.1	192.168.2.5	0x175a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.358306885 CET	1.1.1.1	192.168.2.5	0x4724	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:15.358306885 CET	1.1.1.1	192.168.2.5	0x4724	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:15.358306885 CET	1.1.1.1	192.168.2.5	0x4724	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.497977972 CET	1.1.1.1	192.168.2.5	0xb9cf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.520524979 CET	1.1.1.1	192.168.2.5	0xee85	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.528786898 CET	1.1.1.1	192.168.2.5	0x4057	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.528786898 CET	1.1.1.1	192.168.2.5	0x4057	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.530631065 CET	1.1.1.1	192.168.2.5	0x46c6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:15.530631065 CET	1.1.1.1	192.168.2.5	0x46c6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:15.640738964 CET	1.1.1.1	192.168.2.5	0x5e2b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 22, 2024 05:16:16.156119108 CET	1.1.1.1	192.168.2.5	0xcbf3	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:16.805496931 CET	1.1.1.1	192.168.2.5	0x951d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.806164026 CET	1.1.1.1	192.168.2.5	0x8639	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.806200981 CET	1.1.1.1	192.168.2.5	0xe8b0	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:16.806200981 CET	1.1.1.1	192.168.2.5	0xe8b0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.806596994 CET	1.1.1.1	192.168.2.5	0xb3fb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:16.806596994 CET	1.1.1.1	192.168.2.5	0xb3fb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.955950975 CET	1.1.1.1	192.168.2.5	0xd41a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:16.962867975 CET	1.1.1.1	192.168.2.5	0x1bb0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:17.167504072 CET	1.1.1.1	192.168.2.5	0xeb41	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.496856928 CET	1.1.1.1	192.168.2.5	0xe673	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.499233007 CET	1.1.1.1	192.168.2.5	0xbd6a	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:20.499233007 CET	1.1.1.1	192.168.2.5	0xbd6a	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:20.499233007 CET	1.1.1.1	192.168.2.5	0xbd6a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.638261080 CET	1.1.1.1	192.168.2.5	0xc7e4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916623116 CET	1.1.1.1	192.168.2.5	0x3649	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916623116 CET	1.1.1.1	192.168.2.5	0x3649	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:20.916893005 CET	1.1.1.1	192.168.2.5	0x6ee8	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056247950 CET	1.1.1.1	192.168.2.5	0x9d74	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.056282997 CET	1.1.1.1	192.168.2.5	0xb199	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.084086895 CET	1.1.1.1	192.168.2.5	0xacc1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:21.084086895 CET	1.1.1.1	192.168.2.5	0xacc1	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.194108009 CET	1.1.1.1	192.168.2.5	0x64c8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:21.194108009 CET	1.1.1.1	192.168.2.5	0x64c8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:21.194108009 CET	1.1.1.1	192.168.2.5	0x64c8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:21.194108009 CET	1.1.1.1	192.168.2.5	0x64c8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:21.194235086 CET	1.1.1.1	192.168.2.5	0x3866	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 22, 2024 05:16:21.333569050 CET	1.1.1.1	192.168.2.5	0x4ad9	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:21.333569050 CET	1.1.1.1	192.168.2.5	0x4ad9	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.333569050 CET	1.1.1.1	192.168.2.5	0x4ad9	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.333569050 CET	1.1.1.1	192.168.2.5	0x4ad9	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.333569050 CET	1.1.1.1	192.168.2.5	0x4ad9	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.334110022 CET	1.1.1.1	192.168.2.5	0x62a0	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.334110022 CET	1.1.1.1	192.168.2.5	0x62a0	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.334110022 CET	1.1.1.1	192.168.2.5	0x62a0	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.334110022 CET	1.1.1.1	192.168.2.5	0x62a0	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.397342920 CET	1.1.1.1	192.168.2.5	0x24c4	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.471927881 CET	1.1.1.1	192.168.2.5	0x82a7	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.549489975 CET	1.1.1.1	192.168.2.5	0xfa2a	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.549489975 CET	1.1.1.1	192.168.2.5	0xfa2a	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.549489975 CET	1.1.1.1	192.168.2.5	0xfa2a	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.549489975 CET	1.1.1.1	192.168.2.5	0xfa2a	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:21.627270937 CET	1.1.1.1	192.168.2.5	0xc135	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 22, 2024 05:16:41.793456078 CET	1.1.1.1	192.168.2.5	0xf140	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:41.793456078 CET	1.1.1.1	192.168.2.5	0xf140	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.856239080 CET	1.1.1.1	192.168.2.5	0x787e	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.856239080 CET	1.1.1.1	192.168.2.5	0x787e	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.856239080 CET	1.1.1.1	192.168.2.5	0x787e	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.856239080 CET	1.1.1.1	192.168.2.5	0x787e	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.932503939 CET	1.1.1.1	192.168.2.5	0xcd19	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.996550083 CET	1.1.1.1	192.168.2.5	0xb1a7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.996550083 CET	1.1.1.1	192.168.2.5	0xb1a7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.996550083 CET	1.1.1.1	192.168.2.5	0xb1a7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:41.996550083 CET	1.1.1.1	192.168.2.5	0xb1a7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:42.037312984 CET	1.1.1.1	192.168.2.5	0xa95c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:42.037312984 CET	1.1.1.1	192.168.2.5	0xa95c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:16:42.135308027 CET	1.1.1.1	192.168.2.5	0x2b40	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 05:16:42.135308027 CET	1.1.1.1	192.168.2.5	0x2b40	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 05:16:42.135308027 CET	1.1.1.1	192.168.2.5	0x2b40	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 05:16:42.135308027 CET	1.1.1.1	192.168.2.5	0x2b40	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 22, 2024 05:16:45.382553101 CET	1.1.1.1	192.168.2.5	0x2ddb	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:16:45.382553101 CET	1.1.1.1	192.168.2.5	0x2ddb	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:17:03.388140917 CET	1.1.1.1	192.168.2.5	0x50d5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:17:12.167902946 CET	1.1.1.1	192.168.2.5	0xca44	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:17:13.823389053 CET	1.1.1.1	192.168.2.5	0xe1f9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 05:17:13.823389053 CET	1.1.1.1	192.168.2.5	0xe1f9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	6004	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 05:16:14.217147112 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:15.348102093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77877 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	6004	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 05:16:15.651442051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:16.788503885 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69701 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	6004	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 05:16:16.789737940 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:17.875880957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:18.761756897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:19.076948881 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77880 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:27.264981031 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:27.579587936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77889 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:30.087776899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:30.402633905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:31.748339891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:32.063183069 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77893 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:42.075666904 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:16:42.932089090 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:43.246501923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77905 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:43.290946007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:43.606758118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77905 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:44.356189013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:16:44.671132088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77906 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:16:54.681106091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:04.677097082 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:17:04.996217012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77926 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:17:13.428014994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:17:13.743122101 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:17:23.767333031 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:33.896155119 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:44.024784088 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:46.796386003 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 22, 2024 05:17:47.111082077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 77968 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 22, 2024 05:17:57.123807907 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:18:07.253285885 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49731	34.107.221.82	80	6004	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 05:16:18.233784914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:19.412250996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69704 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:20.367791891 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:20.691715956 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69705 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:29.707668066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:30.031563044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69714 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:31.283592939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:31.607502937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69716 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:32.606601954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:32.930788040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69717 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:42.947125912 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:16:43.249836922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:43.573741913 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:43.613934994 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:43.938086987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:44.673916101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:16:44.998125076 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69729 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:16:54.997558117 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:05.000266075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:17:05.324230909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:17:13.749511003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:17:14.073220015 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69758 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:17:24.083986998 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:34.212580919 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:44.341136932 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:17:47.115787983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 22, 2024 05:17:47.439455032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 08:54:35 GMT Age: 69792 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 22, 2024 05:17:57.462666988 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 22, 2024 05:18:07.591795921 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:16:06
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	922'624 bytes
MD5 hash:	51357AE78C6B77C5901DE126FCB38DF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:16:06
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xbd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:16:06
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:16:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xbd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:16:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:16:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xbd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:16:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xbd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xbd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:16:09
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:16:10
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bfec4f-8bcf-4d6f-b626-04387efa2974} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a2f46eb10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:16:12
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10031ad-d078-474c-8684-1fba315fc059} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a3efea410 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	23:16:15
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3700 -prefMapHandle 4944 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d12597e1-e262-4865-b922-edddb2660612} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 13a419efd10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1558
Total number of Limit Nodes:	58

Executed Functions

Function 004042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0040430D

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

GetCurrentProcess.KERNEL32(?,0049CB64,00000000,?,?), ref: 00404422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00404429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00404454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00404474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0040447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004044A0

Strings

GetNativeSystemInfo, xrefs: 00404460
|O, xrefs: 004436F8
kernel32.dll, xrefs: 0040444F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4793c8f21a9c9181553e3ecf3aeeacc2caea5ab6ebcc57d422027d341fcf7de5
Instruction ID: f2db94d72f8a0dd2313c2dbe6fb09547a999aedd017194ba44beff19de37ffa5
Opcode Fuzzy Hash: 4793c8f21a9c9181553e3ecf3aeeacc2caea5ab6ebcc57d422027d341fcf7de5
Instruction Fuzzy Hash: 1AA1B6A190B2D0FFF711CB69BC815957FA5AB76700B1844BBDC81A3B72D2384515CB2E

Function 004042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004050AA,?,?,00000000,00000000), ref: 004042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004050AA,?,?,00000000,00000000), ref: 004042C9
LoadResource.KERNEL32(?,00000000,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20), ref: 004435BE
SizeofResource.KERNEL32(?,00000000,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20), ref: 004435D3
LockResource.KERNEL32(004050AA,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20,?), ref: 004435E6

Strings

SCRIPT, xrefs: 004042BF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd63ab4ad02e2fe76dd7d434f9685d8d36af1090133f144fb2420f10bad9b318
Instruction ID: 7b141b112ae088f56cf646199b51eb6980b8c393c86a64e8297b8a0f16958f52
Opcode Fuzzy Hash: bd63ab4ad02e2fe76dd7d434f9685d8d36af1090133f144fb2420f10bad9b318
Instruction Fuzzy Hash: 96117CB0600700BFEB218B65DC88F277BB9EBD5B91F2041BEF502D6290DB71E8008675

Function 00442BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00402B6B

Part of subcall function 00403A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D1418,?,00402E7F,?,?,?,00000000), ref: 00403A78

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004C2224), ref: 00442C10
ShellExecuteW.SHELL32(00000000,?,?,004C2224), ref: 00442C17

Strings

runas, xrefs: 00442C0B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 9ca2d1149a4d49b8a3a70e9419e3a04f6a5a117f3ee67759a6eeeec0b4df9aad
Instruction ID: f5f6d1560cde91b349b40d05329fa9bcbf1412b573ea30ffcf12cb2e0bd517e4
Opcode Fuzzy Hash: 9ca2d1149a4d49b8a3a70e9419e3a04f6a5a117f3ee67759a6eeeec0b4df9aad
Instruction Fuzzy Hash: 4C1102312082416AC704FF61D996A7E7BA8AB90749F44443FB842221E3CF7C9A49C71E

Function 0046D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0046D501
Process32FirstW.KERNEL32(00000000,?), ref: 0046D50F
Process32NextW.KERNEL32(00000000,?), ref: 0046D52F
CloseHandle.KERNELBASE(00000000), ref: 0046D5DC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e68adc7a23f85812f23babb59a56f3755b6430aae0afbbbe77a2191eb9b5aaa7
Instruction ID: 1e1dc077c6455b88d8ec1c9876a89db7f789963d91dc58c9a99f723df26bd887
Opcode Fuzzy Hash: e68adc7a23f85812f23babb59a56f3755b6430aae0afbbbe77a2191eb9b5aaa7
Instruction Fuzzy Hash: 5331B571508300AFD300EF55C881AAFBBF8EF99348F14093EF582922A1EB759944CB97

Function 0046DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00445222), ref: 0046DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0046DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0046DBEE
FindClose.KERNEL32(00000000), ref: 0046DBFA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 6fa4ac448b5ec19a81878dd5603f9d89d54fa5849c42d184b22fb049997efb24
Instruction ID: 70a6eeb17e27ba3ac066058be58d8c683c8c8675871e312be0d5d0824ac0dfae
Opcode Fuzzy Hash: 6fa4ac448b5ec19a81878dd5603f9d89d54fa5849c42d184b22fb049997efb24
Instruction Fuzzy Hash: 24F0A030C1091857C220AB78AC4D8AB376C9E01334B544763F836C21E0FBB5599586DE

Function 00424CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000,?,004328E9), ref: 00424D09
TerminateProcess.KERNEL32(00000000,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000,?,004328E9), ref: 00424D10
ExitProcess.KERNEL32 ref: 00424D22

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d8ae118f18770bba33106c795b06a97d98750d4dba6e5fd75aa60012db170f6
Instruction ID: fe90fd950eb08efbe530349c79327dd63b2599f04b4284c9dcc21481306f286a
Opcode Fuzzy Hash: 5d8ae118f18770bba33106c795b06a97d98750d4dba6e5fd75aa60012db170f6
Instruction Fuzzy Hash: 53E0B631110158AFCF21AF55EE4AA593B69EB95B85F50402AFC098B222CB39DD42CA98

Function 0040BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#M, xrefs: 004507CE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#M
API String ID: 3964851224-494205710
Opcode ID: f71ca73f124f596037a7ee3d12fcbea4c185d27e6051377ae86fceca43943155
Instruction ID: 3e22cf882efccef595a0682dd0d20a6a23e92b948fe06f8badcd25310555a476
Opcode Fuzzy Hash: f71ca73f124f596037a7ee3d12fcbea4c185d27e6051377ae86fceca43943155
Instruction Fuzzy Hash: 67A26B74608301DFD720DF15C480B6AB7E1BF89304F14896EE89A9B392D779EC45CB9A

Function 0048AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0048B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048B1D4
_wcslen.LIBCMT ref: 0048B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048B236
_wcslen.LIBCMT ref: 0048B332

Part of subcall function 004705A7: GetStdHandle.KERNEL32(000000F6), ref: 004705C6

_wcslen.LIBCMT ref: 0048B34B
_wcslen.LIBCMT ref: 0048B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0048B3B6
GetLastError.KERNEL32(00000000), ref: 0048B407
CloseHandle.KERNEL32(?), ref: 0048B439
CloseHandle.KERNEL32(00000000), ref: 0048B44A
CloseHandle.KERNEL32(00000000), ref: 0048B45C
CloseHandle.KERNEL32(00000000), ref: 0048B46E
CloseHandle.KERNEL32(?), ref: 0048B4E3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1f4b549f8334bad7b25c57cf673b2bf6549d84ec43af60a481348019e1361c0d
Instruction ID: bb510aeb41faed9d03c7259fc64420f109ae724ee6bccea42d6d47e6be20ccfc
Opcode Fuzzy Hash: 1f4b549f8334bad7b25c57cf673b2bf6549d84ec43af60a481348019e1361c0d
Instruction Fuzzy Hash: BDF18C315043009FC714EF25C891A6FBBE0EF85718F14896EF8955B2A2CB39EC45CB9A

Function 0040D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0040D807
timeGetTime.WINMM ref: 0040DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040DB28
TranslateMessage.USER32(?), ref: 0040DB7B
DispatchMessageW.USER32(?), ref: 0040DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040DB9F
Sleep.KERNELBASE(0000000A), ref: 0040DBB1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 1290f51fce9d30a6a0e2c961ea8031091a33123a2be9b8be488e84fa6d153608
Instruction ID: 4c09e840e3574fd92d1257d7f9367f6878cad7d9768aa2736193bcb7d24aef7f
Opcode Fuzzy Hash: 1290f51fce9d30a6a0e2c961ea8031091a33123a2be9b8be488e84fa6d153608
Instruction Fuzzy Hash: 7342E270A04241AFD725CF64C984BAAB7E0BF46304F14456FE855973E2D7B8E84DCB8A

Function 00402CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00402D07
RegisterClassExW.USER32(00000030), ref: 00402D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00402D42
InitCommonControlsEx.COMCTL32(?), ref: 00402D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00402D6F
LoadIconW.USER32(000000A9), ref: 00402D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00402D94

Strings

AutoIt v3 GUI, xrefs: 00402D23
+, xrefs: 00402CF0
TaskbarCreated, xrefs: 00402D37
0, xrefs: 00402CE9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cd8d14c0ebef9928fdd3d13a22045c689fd9971fe87f714c84563d368b3f35de
Instruction ID: 68500bc772f0f6273025a355d775a2daaef7a78e7c89274bad8ffdcdfee80e8b
Opcode Fuzzy Hash: cd8d14c0ebef9928fdd3d13a22045c689fd9971fe87f714c84563d368b3f35de
Instruction Fuzzy Hash: A021C5B5912219AFEB00DFE4E899BDDBBB4FB08700F10817BF911A62A0D7B54544CF99

Function 0044065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044039A: CreateFileW.KERNELBASE(00000000,00000000,?,00440704,?,?,00000000,?,00440704,00000000,0000000C), ref: 004403B7

GetLastError.KERNEL32 ref: 0044076F
__dosmaperr.LIBCMT ref: 00440776
GetFileType.KERNELBASE(00000000), ref: 00440782
GetLastError.KERNEL32 ref: 0044078C
__dosmaperr.LIBCMT ref: 00440795
CloseHandle.KERNEL32(00000000), ref: 004407B5
CloseHandle.KERNEL32(?), ref: 004408FF
GetLastError.KERNEL32 ref: 00440931
__dosmaperr.LIBCMT ref: 00440938

Strings

H, xrefs: 004408BD

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction ID: 0e080a019c9861a23bdbb9aa90aa9b2b7a8dbc6c0bc5328ec41012dbdd50e36c
Opcode Fuzzy Hash: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction Fuzzy Hash: C8A11832A041148FEF19AF68D851BAE7BB0EB06324F14016FF915DB391D7399D22CB99

Function 0040344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D1418,?,00402E7F,?,?,?,00000000), ref: 00403A78

Part of subcall function 00403357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00403379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0040356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0044318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004431CE
RegCloseKey.ADVAPI32(?), ref: 00443210
_wcslen.LIBCMT ref: 00443277
_wcslen.LIBCMT ref: 00443286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00403560
\, xrefs: 0044328C
\Include\, xrefs: 00403527
Include, xrefs: 00443184, 004431C5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ffd9248e2e7002275e7dcb883360f194d9c979fc0b3449fe6e459fab984e5a07
Instruction ID: 6b06cd0ec7865beb68f8dca776b2102844a6d920aa240daec9c92be3ad86e6c7
Opcode Fuzzy Hash: ffd9248e2e7002275e7dcb883360f194d9c979fc0b3449fe6e459fab984e5a07
Instruction Fuzzy Hash: 4B719C715053009ED304EF66ED8195BBBE8FFA5744F40443FF945932A0DBB89A48CB69

Function 00402B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00402B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00402B9D
LoadIconW.USER32(00000063), ref: 00402BB3
LoadIconW.USER32(000000A4), ref: 00402BC5
LoadIconW.USER32(000000A2), ref: 00402BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00402BEF
RegisterClassExW.USER32(?), ref: 00402C40

Part of subcall function 00402CD4: GetSysColorBrush.USER32(0000000F), ref: 00402D07
Part of subcall function 00402CD4: RegisterClassExW.USER32(00000030), ref: 00402D31
Part of subcall function 00402CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00402D42
Part of subcall function 00402CD4: InitCommonControlsEx.COMCTL32(?), ref: 00402D5F
Part of subcall function 00402CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00402D6F
Part of subcall function 00402CD4: LoadIconW.USER32(000000A9), ref: 00402D85
Part of subcall function 00402CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00402D94

Strings

AutoIt v3, xrefs: 00402C2F
0, xrefs: 00402C0F
#, xrefs: 00402C16

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 605ed9f92788a8b989f3a8f1d18a629d4d47fb207dfd681377a2d45831cf429d
Instruction ID: fdf1f53ea2b3c6eff9ac3e4012a176caf8033a6cfb4dfa18940d773588615557
Opcode Fuzzy Hash: 605ed9f92788a8b989f3a8f1d18a629d4d47fb207dfd681377a2d45831cf429d
Instruction Fuzzy Hash: E121F870A02314BBEB109FE5EC99A997FB4FB48B50F40417BED05A66B0D7B505408F98

Function 00403170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0040316A,?,?), ref: 004031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0040316A,?,?), ref: 00403204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00403227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0040316A,?,?), ref: 00403232
CreatePopupMenu.USER32 ref: 00403246
PostQuitMessage.USER32(00000000), ref: 00403267

Strings

TaskbarCreated, xrefs: 0040322D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ec50a49f3c4e78ba4ed2476494e554e31324f43fdaa3d7f4eb6b25fae865172e
Instruction ID: ab42f81a9c9e9540a8207aca63c2d886ba16079ae50bf9410dd7680181aa4467
Opcode Fuzzy Hash: ec50a49f3c4e78ba4ed2476494e554e31324f43fdaa3d7f4eb6b25fae865172e
Instruction Fuzzy Hash: BC411435200200B7EB141FA89D69B7A3E1DEB5A306F0441BBFD01A93E1C7BC9E41976E

Function 00401410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401459
CoUninitialize.COMBASE ref: 004014F8
UnregisterHotKey.USER32(?), ref: 004016DD
DestroyWindow.USER32(?), ref: 004424B9
FreeLibrary.KERNEL32(?), ref: 0044251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0044254B

Strings

close all, xrefs: 00401454

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d9bd28e4e59393d54e77b8c2271651177376bb3bf130fcdaf9cc18213e7c77d9
Instruction ID: 1b622f8cca6128ea30bf35ea39827fa5fc47dd8eb3ad01c4cafdaef943526809
Opcode Fuzzy Hash: d9bd28e4e59393d54e77b8c2271651177376bb3bf130fcdaf9cc18213e7c77d9
Instruction Fuzzy Hash: 48D19D317012129FDB19EF15C995A29F7A0BF05304F5441AFE84A7B3A2DB38AD12CF59

Function 00402C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00402C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00402CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00401CAD,?), ref: 00402CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00401CAD,?), ref: 00402CCF

Strings

edit, xrefs: 00402CAC
AutoIt v3, xrefs: 00402C89, 00402C8E, 00402C8F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 51e6fecc8764636b7c090a873b3b3bfe5ef2308d8e38334be490cb02b7739a6f
Instruction ID: 7a34e4d0998ca0875f1963070f5042042a7a4deb83dd047b3e3833309c86b5c1
Opcode Fuzzy Hash: 51e6fecc8764636b7c090a873b3b3bfe5ef2308d8e38334be490cb02b7739a6f
Instruction Fuzzy Hash: FBF0B2B56412907BFB211B27AC48E772FBDD7CAF60B10407BFD04A25B0C6651850DAB8

Function 00403B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B83

Strings

Control Panel\Mouse, xrefs: 00403B3E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0959b0ddec1cba643f577c19215e0075b7e0a6184c558c9dd6fb4a3c2268b19c
Instruction ID: ca195ead4528b8a23fc7ba3cfd62d337cdc7e86e54e9894420a49c809fb6550f
Opcode Fuzzy Hash: 0959b0ddec1cba643f577c19215e0075b7e0a6184c558c9dd6fb4a3c2268b19c
Instruction Fuzzy Hash: 74112AB5510208FFDB208FA5DC85EAFBBBCEF04749B10447BA805E7251D235AE449768

Function 00403923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004433A2

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00403A04

Strings

Line: , xrefs: 004433EB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7d128d3df15a82c4a358750137bf652b887cfa9c7dfb85890cec34e191ef9638
Instruction ID: 95e8adabefa257a8f7af2925cc6c9b09992a5e55aac9b429686e6934987c3a86
Opcode Fuzzy Hash: 7d128d3df15a82c4a358750137bf652b887cfa9c7dfb85890cec34e191ef9638
Instruction Fuzzy Hash: E531E471509300AAD320EF21DC45BDB77DCAB40719F10453FF999A21E1DB789A59C7CA

Function 00402DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00442C8C

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 00402DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00402DC4

Strings

X, xrefs: 00442C5A
`eL, xrefs: 00442C85

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eL
API String ID: 779396738-3458601479
Opcode ID: 53279ed98f1ddc25463a3aaae1be568034c592c7089aa2f432b11dc7424c8d05
Instruction ID: d7505428e9ad4803d3038fd71ae32b29c9b5e60610abb9b6b42f20f38915c3d6
Opcode Fuzzy Hash: 53279ed98f1ddc25463a3aaae1be568034c592c7089aa2f432b11dc7424c8d05
Instruction Fuzzy Hash: 55218471A00258AADB41EF95D849BDE7BBC9F49304F00806FE405B7281DBFC59898BA9

Function 0041FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00420668

Part of subcall function 004232A4: RaiseException.KERNEL32(?,?,?,0042068A,?,004D1444,?,?,?,?,?,?,0042068A,00401129,004C8738,00401129), ref: 00423304

__CxxThrowException@8.LIBVCRUNTIME ref: 00420685

Strings

Unknown exception, xrefs: 00420692

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1c93af01848794445a72bfb2431dcf9a77b0a1dc333af1f5d66624383cff65e0
Instruction ID: d7484763414f49eec336292b0164322d8bc8fec0ec74b040b8fefe003bdda1d4
Opcode Fuzzy Hash: 1c93af01848794445a72bfb2431dcf9a77b0a1dc333af1f5d66624383cff65e0
Instruction Fuzzy Hash: 83F0F434B0021CB3CB00BA65F846D9E7BAC5E00304BA0413BB81481592EF3CDA6A858C

Function 004010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00401BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00401BF4
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00401BFC
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00401C07
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00401C12
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00401C1A
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00401C22

Part of subcall function 00401B4A: RegisterWindowMessageW.USER32(00000004,?,004012C4), ref: 00401BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040136A
OleInitialize.OLE32 ref: 00401388
CloseHandle.KERNEL32(00000000,00000000), ref: 004424AB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2788a5f17dfce30f7ea457f143d889562bcc6293fdf668e8f7567f7b2ebf2c39
Instruction ID: 9218da4dd06aac80b2a3e4a20ff6e351540835b2827a8609de6440eb1ad28d82
Opcode Fuzzy Hash: 2788a5f17dfce30f7ea457f143d889562bcc6293fdf668e8f7567f7b2ebf2c39
Instruction Fuzzy Hash: 67718CB4A02240BFC784EFBAB9656553BE1AB88344754823FE80AD73B2E7384440CF4D

Function 0046C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00403A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0046C259
KillTimer.USER32(?,00000001,?,?), ref: 0046C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0046C270

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ff87761ef5608e01a23afa0530a3a6b17c3bb96a0f2286e350739f4f7349fdfb
Instruction ID: 3616edfd0f9b9956b1415c4759171af038c9ec0ff38f4a67b9aee57e0f52cf4c
Opcode Fuzzy Hash: ff87761ef5608e01a23afa0530a3a6b17c3bb96a0f2286e350739f4f7349fdfb
Instruction Fuzzy Hash: 13318470904344AFEB229F648895BE7BBEC9B16308F0004DFD9DA97241D7785A85CB5A

Function 004386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004385CC,?,004C8CC8,0000000C), ref: 00438704
GetLastError.KERNEL32(?,004385CC,?,004C8CC8,0000000C), ref: 0043870E
__dosmaperr.LIBCMT ref: 00438739

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 14c91f73b7e8728a63fd2ff290d3386d89c4791c173d7cbfc75140c6a9c44d3b
Instruction ID: 54c826ec21bc7476881363d740667dd6ea227f9d6439bed2f6130f9786f14060
Opcode Fuzzy Hash: 14c91f73b7e8728a63fd2ff290d3386d89c4791c173d7cbfc75140c6a9c44d3b
Instruction Fuzzy Hash: 2A016B3260532016C6306334684677FA7694B9A778F38212FFC158B2D2DEAC8C81819C

Function 0040DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0040DB7B
DispatchMessageW.USER32(?), ref: 0040DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040DB9F
Sleep.KERNELBASE(0000000A), ref: 0040DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00451CC9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e3caacd5bdcbfccc0dc66784f27effe679ca482f55206b97475c948bf9e0b975
Instruction ID: e534938654b745502bfb2ec802b617e1de4fe48cdba57a020021fc9b0972681c
Opcode Fuzzy Hash: e3caacd5bdcbfccc0dc66784f27effe679ca482f55206b97475c948bf9e0b975
Instruction Fuzzy Hash: 0EF030306043419BE730D7A08C85FAA73A9AB84311F10453BEA19931D0DB38A4489B1D

Function 00411310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004117F6

Strings

CALL, xrefs: 004117C6

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 039c750221f15a57b435f81617aac16454664f8231c0a9023a21a923384168a9
Instruction ID: 3a11a2c25e4a2b88b0940f904a25a0b9512868a59723bf3808024743d2e72fba
Opcode Fuzzy Hash: 039c750221f15a57b435f81617aac16454664f8231c0a9023a21a923384168a9
Instruction Fuzzy Hash: 9F229E706083019FC714DF15C490B6ABBF1BF85318F54892EF9968B3A2D779E885CB4A

Function 00403837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00403908

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f5e233034e8d0db968148a175afd9fd6f4b66e1cfcf9280c7e33d67df1eb66df
Instruction ID: c15524de2a5edb241e5e4553c1a1057d1caf3c26ebd884dd8025bc14ccf80c9a
Opcode Fuzzy Hash: f5e233034e8d0db968148a175afd9fd6f4b66e1cfcf9280c7e33d67df1eb66df
Instruction Fuzzy Hash: 1231C0B16047009FE320EF25D884797BBE8FB49709F00097FF99993290E775AA04CB5A

Function 0041F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0041F661

Part of subcall function 0040D730: GetInputState.USER32 ref: 0040D807

Sleep.KERNEL32(00000000), ref: 0045F2DE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3507c0b290d247337bf2c23eded3a9249fff2d6037e3f924bb9171347cab62db
Instruction ID: 379ce928c00561c306ae7a4d91e2ea2e3a68d95ca47e1be568bc09b5aeb14bb0
Opcode Fuzzy Hash: 3507c0b290d247337bf2c23eded3a9249fff2d6037e3f924bb9171347cab62db
Instruction Fuzzy Hash: CEF05831280205AFD310EB7AD849B6AB7E8FB59765F00007AE859D72A1DB70A8058B99

Function 00404ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E9C
Part of subcall function 00404E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404EAE
Part of subcall function 00404E90: FreeLibrary.KERNEL32(00000000,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EFD

Part of subcall function 00404E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E62
Part of subcall function 00404E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404E74
Part of subcall function 00404E59: FreeLibrary.KERNEL32(00000000,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E87

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 53ea1024ee23cb54af83a7b3f0f59538f8b07e604ded17d68e83c2d35b9ac5ad
Instruction ID: 9ddf9b0cf780d360c7e3f13162c1e43e97f16f0071030faff16c96ba16bc1859
Opcode Fuzzy Hash: 53ea1024ee23cb54af83a7b3f0f59538f8b07e604ded17d68e83c2d35b9ac5ad
Instruction Fuzzy Hash: 1C112B72600205AADF10BF61DC42FAD77A49F80B15F10843FF642B61C1DEB89A059B58

Function 00438402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00438440

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ba8e134145e456105cead83cb153e0ce4948047da74c30acfbb64a8666414d61
Instruction ID: c3d8c7451d02fb9a076c18d9f90c3490fe791393346c0fda1f754169ca2211fe
Opcode Fuzzy Hash: ba8e134145e456105cead83cb153e0ce4948047da74c30acfbb64a8666414d61
Instruction Fuzzy Hash: 1B111C7590420AAFCF15DF58E94199BBBF5EF48314F14405AF808AB311E731DA11CB69

Function 00435000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00434C7D: RtlAllocateHeap.NTDLL(00000008,00401129,00000000,?,00432E29,00000001,00000364,?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?), ref: 00434CBE

_free.LIBCMT ref: 0043506C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 40aca46b703f2a43d6ecd2bbb0191be73fcfb51e44ff699261211fb973284b72
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C10149B22047046BE3358F65D881A9AFBECFB8D370F25051EE184932C0EA75A805C7B8

Function 0042E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1b4d6980a134d3e695ccbb1325e41b93a735e5c084c39a27a01622c5a8040a66
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 69F0F932711A30D6C6313A67AD05B5737989F62379F90071FF420922D2DB7C940285AD

Function 00434C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00401129,00000000,?,00432E29,00000001,00000364,?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?), ref: 00434CBE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5dabace6e67e0c06eac08d1222056b7d28e40e59750a7cb9768306d93d03743a
Instruction ID: d0801a08dd9eb2a549b4597277b611120f47e6b3ca7546de7ffd0a5e0a640668
Opcode Fuzzy Hash: 5dabace6e67e0c06eac08d1222056b7d28e40e59750a7cb9768306d93d03743a
Instruction Fuzzy Hash: 0AF0B43160223466DB215F62AD05BDB3788EFC57A0F177127BC15A72D1CA78FC0246AC

Function 00433820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ba315fed18f09302ef8e98e24a00faf4cf5fb8d5a829067cfb3019aa5550736
Instruction ID: ea24614a18cfc8e0f5f1028d92bedc2ebf2131cea25f977605ef6495a1446606
Opcode Fuzzy Hash: 9ba315fed18f09302ef8e98e24a00faf4cf5fb8d5a829067cfb3019aa5550736
Instruction Fuzzy Hash: 72E0E531201234A6F6253E67AC01B9B37C8AF867B2F551037BC04926E0CB19DD0285ED

Function 00404F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404F6D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4eedca288b83df7e3e34ad89446fb61ef27b9c5a18314123e410fda1622ee417
Instruction ID: 7da1d96633d8ef5f9dbaddc38a03c9d61b46ecb57ef492bc0d42c6129748a140
Opcode Fuzzy Hash: 4eedca288b83df7e3e34ad89446fb61ef27b9c5a18314123e410fda1622ee417
Instruction Fuzzy Hash: B4F030B1105752CFDB349F65E490822B7E4EF54319310897FE3DA92651C7359844DF18

Function 00492A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00492A66

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7830cd159ec51ca8790713ed2201f491ad39a7d8920a42f8a878059be16c375c
Instruction ID: 65fd808a541c5b3995a7fe42aee87d7a2041a0c77dca3463220232c314405076
Opcode Fuzzy Hash: 7830cd159ec51ca8790713ed2201f491ad39a7d8920a42f8a878059be16c375c
Instruction Fuzzy Hash: 23E04FB7354116BACB14EA31DC808FA775CEB60399710453BAC1AC2110EB78999686A9

Function 004030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0040314E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 884886bf619458fd5b6da03705da8e9de3f5bdb6d0e4cfbb5b273776887f401e
Instruction ID: 786e83670c3f32f0ca605c717d2d6c264168e41a6749fd1834e2d73f86819c1e
Opcode Fuzzy Hash: 884886bf619458fd5b6da03705da8e9de3f5bdb6d0e4cfbb5b273776887f401e
Instruction Fuzzy Hash: D2F03770A14314AFE752DF64DC457D67BBCA70570CF0000FBA94896291D7745788CF55

Function 00402DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00402DC4

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 874b14e6ba778e3cb0b3d62cc4bbe357d5b9dace6e30cfc053132212e855ca66
Instruction ID: 03946bef7ad949c63c0565e81ec2c357cfa131606da016b7fbbec6739e0ec598
Opcode Fuzzy Hash: 874b14e6ba778e3cb0b3d62cc4bbe357d5b9dace6e30cfc053132212e855ca66
Instruction Fuzzy Hash: 6BE0CD72A001245BC710E7599C05FDA77EDDFC8794F0500B6FD09E7258D974AD848554

Function 00402B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00403837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00403908

Part of subcall function 0040D730: GetInputState.USER32 ref: 0040D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00402B6B

Part of subcall function 004030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0040314E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 8ccc9755e97500ac3e13081d634d9878b895c0db4801f48f625ff20af7c3b422
Instruction ID: f0a8ae49cca8efb5320a79a97159484f4c2eb2d8bf7c45a8a970065e2a960d7c
Opcode Fuzzy Hash: 8ccc9755e97500ac3e13081d634d9878b895c0db4801f48f625ff20af7c3b422
Instruction Fuzzy Hash: 17E0262230020417CA04BF72985257EBB5D8BD135AF00553FF542632E3CF3C4949421D

Function 0044039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00440704,?,?,00000000,?,00440704,00000000,0000000C), ref: 004403B7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 019f9e133589fd3687463b32f0c6bc3c70e2a4d6a7a21c8abd77c6802d23c41a
Instruction ID: 521aca0ec161b35fc7263a5d46959885f70ee066a467c01bc4f842704823e81c
Opcode Fuzzy Hash: 019f9e133589fd3687463b32f0c6bc3c70e2a4d6a7a21c8abd77c6802d23c41a
Instruction Fuzzy Hash: B2D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821AB98

Function 00401CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00401CBC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ce1972e61f6ead1ed964811a17e374f6d7253294e9e64f6952c27d48b9b68509
Instruction ID: add4b1965ee0a1157e16c8a0766cb0da33b99116fe27ee521f6a6fd1a6c8daee
Opcode Fuzzy Hash: ce1972e61f6ead1ed964811a17e374f6d7253294e9e64f6952c27d48b9b68509
Instruction Fuzzy Hash: E2C092362C1314BFF2148B84BD9EF107764A368B10F448023FA0AA95F3C3E22820EA58

Non-executed Functions

Function 00499576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0049961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0049965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0049969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004996C9
SendMessageW.USER32 ref: 004996F2
GetKeyState.USER32(00000011), ref: 0049978B
GetKeyState.USER32(00000009), ref: 00499798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004997AE
GetKeyState.USER32(00000010), ref: 004997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004997E9
SendMessageW.USER32 ref: 00499810
SendMessageW.USER32(?,00001030,?,00497E95), ref: 00499918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0049992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00499941
SetCapture.USER32(?), ref: 0049994A
ClientToScreen.USER32(?,?), ref: 004999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004999D6
ReleaseCapture.USER32 ref: 004999E1
GetCursorPos.USER32(?), ref: 00499A19
ScreenToClient.USER32(?,?), ref: 00499A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00499A80
SendMessageW.USER32 ref: 00499AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00499AEB
SendMessageW.USER32 ref: 00499B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00499B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00499B4A
GetCursorPos.USER32(?), ref: 00499B68
ScreenToClient.USER32(?,?), ref: 00499B75
GetParent.USER32(?), ref: 00499B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00499BFA
SendMessageW.USER32 ref: 00499C2B
ClientToScreen.USER32(?,?), ref: 00499C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00499CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00499CDE
SendMessageW.USER32 ref: 00499D01
ClientToScreen.USER32(?,?), ref: 00499D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00499D82

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

GetWindowLongW.USER32(?,000000F0), ref: 00499E05

Strings

F, xrefs: 00499D07
p#M, xrefs: 00499990
@GUI_DRAGID, xrefs: 0049997D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#M
API String ID: 3429851547-3815028896
Opcode ID: 9acda88ef481f64dff2691987adc0f51729c3fbb8ee1b3f1175fb876a3806e9f
Instruction ID: 451fa1f71198719e719a83d051876cca88b8aaffde1248d9f209bff65fa2bb0d
Opcode Fuzzy Hash: 9acda88ef481f64dff2691987adc0f51729c3fbb8ee1b3f1175fb876a3806e9f
Instruction Fuzzy Hash: C8427A71204201AFDB24CF68CC94EAABFE5EF49314F14067EFA59872A1D735AC50CB5A

Function 00494873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00494908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00494927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0049494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0049495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0049497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00494A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00494A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00494A7E
IsMenu.USER32(?), ref: 00494A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00494AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00494B20
GetWindowLongW.USER32(?,000000F0), ref: 00494B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00494BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00494C82
wsprintfW.USER32 ref: 00494CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00494CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00494CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00494D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00494D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00494D5A

Strings

%d/%02d/%02d, xrefs: 00494CA8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 566d1b631cac16fda6b9161d29c7ad282f69a39e3b479491bb44582bb1afbca9
Instruction ID: 5eac038fe5f433155554c2c10b5bf9f2c42c8b1a3c0168f8d10ef8b7821d07a4
Opcode Fuzzy Hash: 566d1b631cac16fda6b9161d29c7ad282f69a39e3b479491bb44582bb1afbca9
Instruction Fuzzy Hash: 8D12DE71600215ABEF248F25CC49FAF7FE8AF85314F10413AF915EA2E1DB789942CB58

Function 0041F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0041F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0045F474
IsIconic.USER32(00000000), ref: 0045F47D
ShowWindow.USER32(00000000,00000009), ref: 0045F48A
SetForegroundWindow.USER32(00000000), ref: 0045F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045F4AA
GetCurrentThreadId.KERNEL32 ref: 0045F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0045F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0045F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0045F4DE
SetForegroundWindow.USER32(00000000), ref: 0045F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F4F6
keybd_event.USER32(00000012,00000000), ref: 0045F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F50B
keybd_event.USER32(00000012,00000000), ref: 0045F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F519
keybd_event.USER32(00000012,00000000), ref: 0045F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F528
keybd_event.USER32(00000012,00000000), ref: 0045F52D
SetForegroundWindow.USER32(00000000), ref: 0045F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0045F557

Strings

Shell_TrayWnd, xrefs: 0045F46F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 89acd574fb6a0b7656c56520897254534c713e2cba09e691e399ff85dd037462
Instruction ID: 89da0c36e13a6727c88d70c3afad404323dbee3c10041995e1ca3f9583298dba
Opcode Fuzzy Hash: 89acd574fb6a0b7656c56520897254534c713e2cba09e691e399ff85dd037462
Instruction Fuzzy Hash: 2F319671A40318BBEB206BB55C8AFBF7E6CEB44B50F110077FA04E61D2D6B45D00AA69

Function 00461201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
Part of subcall function 004616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
Part of subcall function 004616C3: GetLastError.KERNEL32 ref: 0046174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00461286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004612A8
CloseHandle.KERNEL32(?), ref: 004612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004612D1
GetProcessWindowStation.USER32 ref: 004612EA
SetProcessWindowStation.USER32(00000000), ref: 004612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00461310

Part of subcall function 004610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004611FC), ref: 004610D4
Part of subcall function 004610BF: CloseHandle.KERNEL32(?,?,004611FC), ref: 004610E9

Strings

default, xrefs: 0046130B
ZL, xrefs: 00461392
, xrefs: 0046125A
winsta0, xrefs: 004612CC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZL
API String ID: 22674027-2359302695
Opcode ID: 99669894ca868404bd0965625402234785b5b61a595aea7c6a8b7b375b0d8caf
Instruction ID: a28069ea172d0e0229c1adbb0c91e81f8246f874796570f01ecfab716675dc87
Opcode Fuzzy Hash: 99669894ca868404bd0965625402234785b5b61a595aea7c6a8b7b375b0d8caf
Instruction Fuzzy Hash: CE818F71900309AFDF109FA5DC49FEF7BB9EF04704F18412AF911A6260EB799944CB2A

Function 00460B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
Part of subcall function 004610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
Part of subcall function 004610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
Part of subcall function 004610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00460BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00460C00
GetLengthSid.ADVAPI32(?), ref: 00460C17
GetAce.ADVAPI32(?,00000000,?), ref: 00460C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00460C6D
GetLengthSid.ADVAPI32(?), ref: 00460C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00460C8C
HeapAlloc.KERNEL32(00000000), ref: 00460C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00460CB4
CopySid.ADVAPI32(00000000), ref: 00460CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00460CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00460D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00460D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D45
HeapFree.KERNEL32(00000000), ref: 00460D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D55
HeapFree.KERNEL32(00000000), ref: 00460D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D65
HeapFree.KERNEL32(00000000), ref: 00460D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00460D78
HeapFree.KERNEL32(00000000), ref: 00460D7F

Part of subcall function 00461193: GetProcessHeap.KERNEL32(00000008,00460BB1,?,00000000,?,00460BB1,?), ref: 004611A1
Part of subcall function 00461193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00460BB1,?), ref: 004611A8
Part of subcall function 00461193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00460BB1,?), ref: 004611B7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6f1d1eab96d0e58d5600fe02c65cedcc1878308623e8f5026091cf664e7cad02
Instruction ID: fba8d662ddaae9df11d243ea9366e1dcc73a0a01e4a7c9837e69444c1501a4fc
Opcode Fuzzy Hash: 6f1d1eab96d0e58d5600fe02c65cedcc1878308623e8f5026091cf664e7cad02
Instruction Fuzzy Hash: 3D716E7190020AAFDF10DFE4DC85BAFBBB8BF15300F044626E915A7291E779A905CB69

Function 0047EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049CC08), ref: 0047EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0047EB37
GetClipboardData.USER32(0000000D), ref: 0047EB43
CloseClipboard.USER32 ref: 0047EB4F
GlobalLock.KERNEL32(00000000), ref: 0047EB87
CloseClipboard.USER32 ref: 0047EB91
GlobalUnlock.KERNEL32(00000000), ref: 0047EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0047EBC9
GetClipboardData.USER32(00000001), ref: 0047EBD1
GlobalLock.KERNEL32(00000000), ref: 0047EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0047EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0047EC38
GetClipboardData.USER32(0000000F), ref: 0047EC44
GlobalLock.KERNEL32(00000000), ref: 0047EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0047EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0047EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0047ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0047ECF3
CountClipboardFormats.USER32 ref: 0047ED14
CloseClipboard.USER32 ref: 0047ED59

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8fe17c3bab9062a7bed266275bca05752757c30c2a912ef8c1c6ccc1190608e1
Instruction ID: 447a503540a737e03ec4d46a85d158c84dc9abba7b119e26716bd7b04c4049c1
Opcode Fuzzy Hash: 8fe17c3bab9062a7bed266275bca05752757c30c2a912ef8c1c6ccc1190608e1
Instruction Fuzzy Hash: 6661F9352043019FD310EF25C888F6A7BA4AF58704F0486BFF45A972A1DB35ED05CB6A

Function 0047698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004769BE
FindClose.KERNEL32(00000000), ref: 00476A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00476A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00476A75

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00476AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00476ADF

Strings

%02d, xrefs: 00476C00, 00476C0A, 00476C5A, 00476CAA, 00476CFA, 00476D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00476B6A
%03d, xrefs: 00476DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00476B32
%4d, xrefs: 00476BB1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9d3135ad1febd28d754d82b35882d5ff40bf617c4c6234b86c455014bec0be7b
Instruction ID: 0bd16310d27d533a2d081857489bd4d1db209a6d1e6702d10dfe972364f7fd66
Opcode Fuzzy Hash: 9d3135ad1febd28d754d82b35882d5ff40bf617c4c6234b86c455014bec0be7b
Instruction Fuzzy Hash: BCD17871508340AFC710EBA5C881EAFB7ECAF98704F44492EF589D7191EB78EA44C766

Function 00479642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00479663
GetFileAttributesW.KERNEL32(?), ref: 004796A1
SetFileAttributesW.KERNEL32(?,?), ref: 004796BB
FindNextFileW.KERNEL32(00000000,?), ref: 004796D3
FindClose.KERNEL32(00000000), ref: 004796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0047974A
SetCurrentDirectoryW.KERNEL32(004C6B7C), ref: 00479768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00479772
FindClose.KERNEL32(00000000), ref: 0047977F
FindClose.KERNEL32(00000000), ref: 0047978F

Strings

*.*, xrefs: 004796F5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b2bc96c289f416ca38797849f78142382af58d5d1abd49691628c6991f17aa8e
Instruction ID: d4aaf40869890fa9a321a3e40125cc3d44fdb7a38802f5ebe86ad51efc8d8379
Opcode Fuzzy Hash: b2bc96c289f416ca38797849f78142382af58d5d1abd49691628c6991f17aa8e
Instruction Fuzzy Hash: 8C31A432541219AADB14EFB5DC49EDF77AC9F09320F1081A7E819E2190EB38DD448A6C

Function 0047979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00479819
FindClose.KERNEL32(00000000), ref: 00479824
FindFirstFileW.KERNEL32(*.*,?), ref: 00479840
SetCurrentDirectoryW.KERNEL32(?), ref: 00479890
SetCurrentDirectoryW.KERNEL32(004C6B7C), ref: 004798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004798B8
FindClose.KERNEL32(00000000), ref: 004798C5
FindClose.KERNEL32(00000000), ref: 004798D5

Part of subcall function 0046DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0046DB00

Strings

*.*, xrefs: 0047983B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 08009f9506173d6a8c255edc86dcc0ecfda648b1141ac077244459e378de50eb
Instruction ID: 495e4a146dab6e58c30566e9c8dfa1d6dcbdd1e1662f98abe0714f5f10764809
Opcode Fuzzy Hash: 08009f9506173d6a8c255edc86dcc0ecfda648b1141ac077244459e378de50eb
Instruction Fuzzy Hash: 0831C5315406196ADF10EFB5EC48EDF77AC9F06324F1581ABE818A22D0DB38DD498A2D

Function 0048BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0048BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0048BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0048C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0048C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0048C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0048C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0048C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048C382
RegCloseKey.ADVAPI32(00000000), ref: 0048C38F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3d4af5b5025fd58a0ddd2c32495ffa31ccb0a50d4f93926b96d688173c8263d5
Instruction ID: aaf0b7578b8a3a489d678232efe354e41b4b6eebc14e4f037e906613394edbc0
Opcode Fuzzy Hash: 3d4af5b5025fd58a0ddd2c32495ffa31ccb0a50d4f93926b96d688173c8263d5
Instruction Fuzzy Hash: 90023E716042009FD714DF24C8D5E2AB7E5EF49318F1888AEF849DB2A2D735EC46CB66

Function 00478195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00478257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00478267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00478273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00478310
SetCurrentDirectoryW.KERNEL32(?), ref: 00478324
SetCurrentDirectoryW.KERNEL32(?), ref: 00478356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0047838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00478395

Strings

*.*, xrefs: 0047839B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0a5646b9a09b1b589cea59cdf34af19873cf5b148a597532c8212f33060f7762
Instruction ID: ec0bd870f80bf12659f63383d377d20427defd451f36f299c09526282445d03b
Opcode Fuzzy Hash: 0a5646b9a09b1b589cea59cdf34af19873cf5b148a597532c8212f33060f7762
Instruction Fuzzy Hash: 06619C725043059FC710EF65C88499FB3E8FF89318F04896EF98993251EB39E945CB9A

Function 0046D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

FindFirstFileW.KERNEL32(?,?), ref: 0046D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0046D1DD
MoveFileW.KERNEL32(?,?), ref: 0046D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0046D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046D237

Part of subcall function 0046D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0046D21C,?,?), ref: 0046D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0046D253
FindClose.KERNEL32(00000000), ref: 0046D264

Strings

\*.*, xrefs: 0046D0CD, 0046D0D6, 0046D0EB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9b3e5d3e5ebe9d0059891b799ff9c4ea5bb52d40759b5a867d195dae7264e656
Instruction ID: da9c7cc7adf92f154ef8a75c6e12d1e766ca85ccd6e7875007feca1946bbe232
Opcode Fuzzy Hash: 9b3e5d3e5ebe9d0059891b799ff9c4ea5bb52d40759b5a867d195dae7264e656
Instruction Fuzzy Hash: 1B616F71D0110D9BCF05EBE1C9929EEB7B5AF55304F2481AAE40177292EB385F09CB6A

Function 0047ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047ED91
EmptyClipboard.USER32 ref: 0047ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0047EDAC
CloseClipboard.USER32 ref: 0047EEA3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8368addd3b95697cd8db1ee6ebe80e4f7274778474e2aaa1c6c53d436946e5f3
Instruction ID: 31251baaf32f351de7778df961977fd25441d5b15c2f72f92dc87ea2c7501845
Opcode Fuzzy Hash: 8368addd3b95697cd8db1ee6ebe80e4f7274778474e2aaa1c6c53d436946e5f3
Instruction Fuzzy Hash: 0541A335604511EFD320CF16D888B5A7BE5EF48318F14C5AAE4198B7A2C739EC41CB99

Function 0046E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
Part of subcall function 004616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
Part of subcall function 004616C3: GetLastError.KERNEL32 ref: 0046174A

ExitWindowsEx.USER32(?,00000000), ref: 0046E932

Strings

@, xrefs: 0046E925
, xrefs: 0046E920
, xrefs: 0046E95C
SeShutdownPrivilege, xrefs: 0046E902

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b96c2a0a8a4f47adf6c99b3b0435ccfefb1d85958ad9cc69c56c726e97da3043
Instruction ID: eb52d6be280e91a3479a4c9c93090d33203d32185dd35972c73cc41e4985f576
Opcode Fuzzy Hash: b96c2a0a8a4f47adf6c99b3b0435ccfefb1d85958ad9cc69c56c726e97da3043
Instruction Fuzzy Hash: 7C012BB6710210ABFB5426B69C85FBB73AC9F14754F150437F802E21D1F5695C4481AE

Function 00481204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00481276
WSAGetLastError.WSOCK32 ref: 00481283
bind.WSOCK32(00000000,?,00000010), ref: 004812BA
WSAGetLastError.WSOCK32 ref: 004812C5
closesocket.WSOCK32(00000000), ref: 004812F4
listen.WSOCK32(00000000,00000005), ref: 00481303
WSAGetLastError.WSOCK32 ref: 0048130D
closesocket.WSOCK32(00000000), ref: 0048133C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: dd98f8202aba79796c57e48e731577952ce9a50eaedf74f618eb9b9ddbb7e935
Instruction ID: ce28ad5cbf6225e9ea6dc1edb30dc527f953928a226dc1dda54e321c2215de1d
Opcode Fuzzy Hash: dd98f8202aba79796c57e48e731577952ce9a50eaedf74f618eb9b9ddbb7e935
Instruction Fuzzy Hash: 244193316001009FD710EF64C4C4B6ABBE5AF46318F1885AAD8569F3E6C775ED82CBE5

Function 0043B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043B9D4
_free.LIBCMT ref: 0043B9F8
_free.LIBCMT ref: 0043BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004A3700), ref: 0043BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0043BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004D1270,000000FF,?,0000003F,00000000,?), ref: 0043BC36
_free.LIBCMT ref: 0043BD4B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e1ab56355fcd08fc52a6704cd795d14ff78001090b23ef68c0ae7f2c546dafc
Instruction ID: 71ae4cf4c1b7f42d99881a5d695aef9df234634b51de67786957360bd0beca24
Opcode Fuzzy Hash: 8e1ab56355fcd08fc52a6704cd795d14ff78001090b23ef68c0ae7f2c546dafc
Instruction Fuzzy Hash: 8EC13C71A04204AFDB20DF659C41BAA7BB8EF49310F1461AFEA94D7351DB389E41C7D8

Function 0046D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

FindFirstFileW.KERNEL32(?,?), ref: 0046D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0046D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046D481
FindClose.KERNEL32(00000000), ref: 0046D498
FindClose.KERNEL32(00000000), ref: 0046D4A1

Strings

\*.*, xrefs: 0046D3F2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2df3a2f652ca3e994cc6e46c095a2a74bd65cf7c7df61fef8d8ee1dcfc12855c
Instruction ID: 53818abd8a2c914abd403a079adf620a96c10967e39a6483e3d81c850f0d193b
Opcode Fuzzy Hash: 2df3a2f652ca3e994cc6e46c095a2a74bd65cf7c7df61fef8d8ee1dcfc12855c
Instruction Fuzzy Hash: AD3170719183459BC304EF65C8919AF77A8AE91304F444E2FF4D1622D1EB38AE09CB6B

Function 0043E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043E645

Strings

1#IND, xrefs: 0043F83D
1#INF, xrefs: 0043F852
1#SNAN, xrefs: 0043F844
1#QNAN, xrefs: 0043F84B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d36d642652a26de60f8180d17ea76e7c76dd79590718a29a24308ceaa12e0c42
Instruction ID: 11a7b4ff1fb68f5cb3f2ac3fe9731016f2f84ad1b05d2b742d6db5be86653bd3
Opcode Fuzzy Hash: d36d642652a26de60f8180d17ea76e7c76dd79590718a29a24308ceaa12e0c42
Instruction Fuzzy Hash: 94C26C71E056288FDB29CE29DD407EAB7B5EB48304F1451EBD80DE7281E778AE858F44

Function 0047648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004764DC
CoInitialize.OLE32(00000000), ref: 00476639
CoCreateInstance.OLE32(0049FCF8,00000000,00000001,0049FB68,?), ref: 00476650
CoUninitialize.OLE32 ref: 004768D4

Strings

.lnk, xrefs: 004764BA, 00476524, 004765E0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9545a9c088e76c4e6b92dd9cb2970a3788846d1390ffe20bda88ac8e3d4e5368
Instruction ID: d0bb72b36f0c3be6f4d9adaa6407929a3aa0b63b58f28ffd8b4fd6195cfdec25
Opcode Fuzzy Hash: 9545a9c088e76c4e6b92dd9cb2970a3788846d1390ffe20bda88ac8e3d4e5368
Instruction Fuzzy Hash: A7D15C71508601AFC304EF25C881EABB7E9FF94308F11896EF5599B291DB34ED09CB96

Function 004822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004822E8

Part of subcall function 0047E4EC: GetWindowRect.USER32(?,?), ref: 0047E504

GetDesktopWindow.USER32 ref: 00482312
GetWindowRect.USER32(00000000), ref: 00482319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00482355
GetCursorPos.USER32(?), ref: 00482381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004823DF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b0a4e48dd66b5824444019d0540c92ce7d017f65b45e459c58e2f5098004674c
Instruction ID: 05b831872450339c644785dfbb21d9b45ae3de71cb0cae446400f5b7fa18373c
Opcode Fuzzy Hash: b0a4e48dd66b5824444019d0540c92ce7d017f65b45e459c58e2f5098004674c
Instruction Fuzzy Hash: 2331CF72505315AFC720EF65C845A5BB7E9FF84314F00092EF98597281DB78EA08CB9A

Function 00479B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00479B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00479C8B

Part of subcall function 00473874: GetInputState.USER32 ref: 004738CB
Part of subcall function 00473874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00473966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00479BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00479C75

Strings

*.*, xrefs: 00479B5D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7acb0a154b22eca82d4832484c7c78dbe3164d6a534a943445dbf0d130a904f0
Instruction ID: e32824acfdb09f5b3aa58c1a709ce8cdac26dbe08683530e39126bd671aea28d
Opcode Fuzzy Hash: 7acb0a154b22eca82d4832484c7c78dbe3164d6a534a943445dbf0d130a904f0
Instruction Fuzzy Hash: 234186719042099FDF15DF65C989AEEBBB8FF05314F24806BE809A2291E7349E44CF69

Function 0041997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00419A4E
GetSysColor.USER32(0000000F), ref: 00419B23
SetBkColor.GDI32(?,00000000), ref: 00419B36

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction ID: e8bc8b2f7a0bb2fb347258d8ffc67998038f63e5322d7f54452ed9c4e97b1286
Opcode Fuzzy Hash: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction Fuzzy Hash: E0A12F70208444BEE7249A2DAC78DFB3A9DDF46355B14412FF802C6792C62D9D8AC27F

Function 00481806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0048307A
Part of subcall function 0048304E: _wcslen.LIBCMT ref: 0048309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0048185D
WSAGetLastError.WSOCK32 ref: 00481884
bind.WSOCK32(00000000,?,00000010), ref: 004818DB
WSAGetLastError.WSOCK32 ref: 004818E6
closesocket.WSOCK32(00000000), ref: 00481915

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fddb4916d305d9aa77e7ea3c76e7392278f2e167924f1c2a3f3dab574a5640fd
Instruction ID: 6c1146d80a6d47799e3eb1c02aaa38066deff44b86852a1e056cb773c88fe3f6
Opcode Fuzzy Hash: fddb4916d305d9aa77e7ea3c76e7392278f2e167924f1c2a3f3dab574a5640fd
Instruction Fuzzy Hash: 37519571A00200AFD710BF25C8C6F6A77E59B44718F0484AEF9066F3D3C779AD828BA5

Function 00491C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00491CC0
IsWindowEnabled.USER32 ref: 00491CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00491CDB
IsIconic.USER32 ref: 00491CE9
IsZoomed.USER32 ref: 00491CF7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b723d7e158fedadc0e734acb3108f173540e41e4bc311a32e983070453e5dd8e
Instruction ID: 46f85afb1d901da7ddbaad2f414343a11cdface8d7546eab0ffee271a72cceae
Opcode Fuzzy Hash: b723d7e158fedadc0e734acb3108f173540e41e4bc311a32e983070453e5dd8e
Instruction Fuzzy Hash: F521A6317402129FDB208F1AD884B677FA5EF95315F19807EE8468B361CB79EC42CB99

Function 00408060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0040813C
VUUU, xrefs: 004083E8
VUUU, xrefs: 004083FA
VUUU, xrefs: 00445DF0
VUUU, xrefs: 0040843C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3458d5c8e35a5eb4d4abe9221a761b80d123fd2791c941d34f43bea1275577d0
Instruction ID: cfaa6e03878f45bc30a657fdf19458c7a45ef9019784888bbaa0b3c236211f0e
Opcode Fuzzy Hash: 3458d5c8e35a5eb4d4abe9221a761b80d123fd2791c941d34f43bea1275577d0
Instruction Fuzzy Hash: 0DA2BF70E0021ACBEF24CF58CA407AEB7B1BF55310F2581ABD855A7385EB789D81CB59

Function 00468298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004682AA

Strings

(, xrefs: 004682F0
tbL, xrefs: 004684F4
|, xrefs: 004682DA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbL$|
API String ID: 1659193697-2980396599
Opcode ID: 790d896e7481479d827f76a9af8c446c99908b3ceafcf562ae4647b55ea02a14
Instruction ID: 7c3d1f1d6e60aedeafb0bfd01292ff39ac576a8867c44a4da25a8b83af91c2c8
Opcode Fuzzy Hash: 790d896e7481479d827f76a9af8c446c99908b3ceafcf562ae4647b55ea02a14
Instruction Fuzzy Hash: 0A323774A007059FCB28CF19C481A6AB7F0FF48710B15C56EE89ADB7A1EB74E981CB45

Function 0046AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0046AAAC
SetKeyboardState.USER32(00000080), ref: 0046AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0046AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0046AB88

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f9ea872fcd5b16b6c320691fed18c074195a392627c57f820666567241ad18b
Instruction ID: d6c7c82b2cb215497aa10c5a808ccb43316a8de1af06af0472ee38c67f59c034
Opcode Fuzzy Hash: 2f9ea872fcd5b16b6c320691fed18c074195a392627c57f820666567241ad18b
Instruction Fuzzy Hash: 88311E30A40A046EFB35CA65CC057FF77A6AB45710F04421BF281652D1E37D9DA1CB6B

Function 0047CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0047CE89
GetLastError.KERNEL32(?,00000000), ref: 0047CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0047CEFE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da29e5862c4aaa8bd0b7c6b2eafa3e2a34f9cc6830a46817691f556777625195
Instruction ID: c40b4181ee2efc8aab5048ca8942e242746b3d8f2e06dc6c00c056ee98eefdf4
Opcode Fuzzy Hash: da29e5862c4aaa8bd0b7c6b2eafa3e2a34f9cc6830a46817691f556777625195
Instruction Fuzzy Hash: 2221B0716007059FE730DFA5D984BA777FCEB10318F10842FE64A92291E778EE458B68

Function 00475C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00475CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00475D17
FindClose.KERNEL32(?), ref: 00475D5F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ac110dc58764af0937a4db6983e50305ce9b95a1720288dfe1fb750e1f4a1e5c
Instruction ID: 9decb2298c6266ed8e86a285075026b13791744493c7087e5bc246e6e64b2b11
Opcode Fuzzy Hash: ac110dc58764af0937a4db6983e50305ce9b95a1720288dfe1fb750e1f4a1e5c
Instruction Fuzzy Hash: 67519874604A019FC724CF28C484A9AB7E4FF49318F14856EE95A8B3A1DB78FC05CB96

Function 00432622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00432724
UnhandledExceptionFilter.KERNEL32(?), ref: 00432731

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9180bc1e0d4adcb3e56e733c61344fc6c4b54028a6dd9c7a72aec5ce681bd319
Instruction ID: 7a38b418b9f860c086cdc517caf7e31996ff0f82c80e1bf280a0a806f4ffcd45
Opcode Fuzzy Hash: 9180bc1e0d4adcb3e56e733c61344fc6c4b54028a6dd9c7a72aec5ce681bd319
Instruction Fuzzy Hash: 2431D574911228ABCB21DF65DD8979DB7B8BF18310F5041EAE80CA7261E7749F818F48

Function 004751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00475238
SetErrorMode.KERNEL32(00000000), ref: 004752A1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6902364949b2d7807722b0e5d9ab2f323de730a597aeec86adc4549c799d6072
Instruction ID: 6ef1684098f943dc999916600b65b7d91fa5241aab8e216c5f41f1ed8be4e899
Opcode Fuzzy Hash: 6902364949b2d7807722b0e5d9ab2f323de730a597aeec86adc4549c799d6072
Instruction Fuzzy Hash: 1B316F75A00518DFDB00DF54D8C4EADBBB4FF48318F0480AAE805AB392DB35E845CB55

Function 004616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0041FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00420668
Part of subcall function 0041FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00420685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
GetLastError.KERNEL32 ref: 0046174A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: aed49ac032e4bbc6747b21ad9ebe6362e83c56507664e6fd3648c6f2e21bef66
Instruction ID: bc7cfa38161a7c9c8966792a06d2b7d2c0a658b2a9dabc564d92e1320148404f
Opcode Fuzzy Hash: aed49ac032e4bbc6747b21ad9ebe6362e83c56507664e6fd3648c6f2e21bef66
Instruction Fuzzy Hash: 1311CEB2400304AFD718AF54ECC6DABB7B9EB04714B24852FE05653291EB74BC828B68

Function 0046D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0046D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0046D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0046D650

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a64bd305ea81324e51a1bd492d16af95e6b0a74186cd21d324060d9bd8ea620c
Instruction ID: 9cf142b5a91240cc45f4139159ef7cd91e4fccfca0fa27a343eaf3f9661dcb0e
Opcode Fuzzy Hash: a64bd305ea81324e51a1bd492d16af95e6b0a74186cd21d324060d9bd8ea620c
Instruction Fuzzy Hash: E5115E75E05228BFDB208F95DC85FAFBBBCEB45B50F108166F904E7290D6704A058BA6

Function 00461663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0046168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004616A1
FreeSid.ADVAPI32(?), ref: 004616B1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4a00d4538f4a05a87a9b86106f75b9d3a5b158a7f568ef3bb80f56e57e52c2db
Instruction ID: 0e9862e382fd7f3c7c80cc72a483831afada185aba4413ed44114177f31b515e
Opcode Fuzzy Hash: 4a00d4538f4a05a87a9b86106f75b9d3a5b158a7f568ef3bb80f56e57e52c2db
Instruction Fuzzy Hash: 87F0F475950309FBDB00DFE4DD89EAEBBBCEB08604F504566E501E2191E774AA448A54

Function 0043C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0043C36C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 1f729ab8471c975a88b421826102304f1a6c61b9826944682b036adcf93c0e22
Instruction ID: 14c7fa559f5b4763ff171dda732297e2c54b28abf4a20cbe459c24970349e514
Opcode Fuzzy Hash: 1f729ab8471c975a88b421826102304f1a6c61b9826944682b036adcf93c0e22
Instruction Fuzzy Hash: 57415C769002186FCB20DFB9CC89EBB7778EB88314F1041AEF905D7280E6749D41CB58

Function 0045D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0045D28C

Strings

X64, xrefs: 0045D2A8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5ae9d3a5c223f98af8f624c997bceb394d8cbf493b0a2dfdf90e0dacfa383068
Instruction ID: 6673ed9d8e3918b7c14938a1278ac1c58549085a93c5f5605fffacb35cb33faf
Opcode Fuzzy Hash: 5ae9d3a5c223f98af8f624c997bceb394d8cbf493b0a2dfdf90e0dacfa383068
Instruction Fuzzy Hash: B6D0C9B480111DEFCB90CB90DCC8DDDB77CBB14305F1001A2F506A2000D77495498F25

Function 0042CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a0d5f0f00030a5dacf01e29960c58ab36aaed1dbcef93d8d5a01d90ac0399c71
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 72023C71E002299BDF14CFA9D9C06AEFBF1EF48314F65816AD819E7384D735AA41CB84

Function 0040CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00450C40
p#M, xrefs: 0040CF7F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#M
API String ID: 0-1505659392
Opcode ID: 7da4bd4abb306e3cee798d818c6c086eb4c65c15cbc0363916274c208ffc1d75
Instruction ID: 38d766a4293b3aa07483d6856ceb5ffcb9eb73abb101c86768fb291438b6ba99
Opcode Fuzzy Hash: 7da4bd4abb306e3cee798d818c6c086eb4c65c15cbc0363916274c208ffc1d75
Instruction Fuzzy Hash: 19327C74900219DBDF14DF90C881AEEB7B5BF05308F24416BE806BB2D2D779AD4ACB59

Function 004768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00476918
FindClose.KERNEL32(00000000), ref: 00476961

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cc119e9cb8d3ba5596bdb68c0d606dab488912ceaa58e861835c95aaf75134e1
Instruction ID: 92942087b29a5d91dd29e42cd07644915c47f19228977071f32efbc9528b55e8
Opcode Fuzzy Hash: cc119e9cb8d3ba5596bdb68c0d606dab488912ceaa58e861835c95aaf75134e1
Instruction Fuzzy Hash: D011B1B16046019FC710CF29C4C4A16BBE1EF84328F05C6AEE5699F7A2CB34EC05CB95

Function 004737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00484891,?,?,00000035,?), ref: 004737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00484891,?,?,00000035,?), ref: 004737F4

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a32bef480801aa5e4c810934379b6bc065fb17cd8c6182978b8547d15b8cff7c
Instruction ID: 2c5fbe7c2752015df322a2356125e26b958e5dd1351939e5ef290c0b02a942fb
Opcode Fuzzy Hash: a32bef480801aa5e4c810934379b6bc065fb17cd8c6182978b8547d15b8cff7c
Instruction Fuzzy Hash: 19F0EC716042142AE72017764C8DFDB775DDFC4765F004176F509D2291D5605D44C6B4

Function 0046B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0046B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0046B270

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d119593b4e5ebd584fa468a1e8ca90e3721e51bee6ae15b10dfa037ed15b2bfb
Instruction ID: 389103867b5a1a62c80a13fc494159a1aa3ff9a704fe43b7a758784a3dee98d5
Opcode Fuzzy Hash: d119593b4e5ebd584fa468a1e8ca90e3721e51bee6ae15b10dfa037ed15b2bfb
Instruction Fuzzy Hash: C6F06D7080428EABDB058FA0C805BAE7BB0FF04305F00805AF951A5192D37982019F99

Function 004610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004611FC), ref: 004610D4
CloseHandle.KERNEL32(?,?,004611FC), ref: 004610E9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 06e3097bdc3bca98373c1d4b253f8a325d95a3f9b02eef946fa3b8667b309d35
Instruction ID: 36680a2f8fbc7064708e9eb61d2762ab0639a2d8bc41b053545934f4eabf6867
Opcode Fuzzy Hash: 06e3097bdc3bca98373c1d4b253f8a325d95a3f9b02eef946fa3b8667b309d35
Instruction Fuzzy Hash: 14E0BF72018610AEE7252B51FC45EB777A9EB04314F14883FF5A6804B1DB666CE1DB58

Function 0043676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436766,?,?,00000008,?,?,0043FEFE,00000000), ref: 00436998

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction ID: d30b49202280407283aebb84bb8e606652760a62ec8e3b3cb6f6b3a781ee24c8
Opcode Fuzzy Hash: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction Fuzzy Hash: 75B15D7151060AAFD719CF28C48AB657BE0FF09364F26D659E899CF3A1C339D982CB44

Function 0041B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0045851F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fc9b716e5d7671c1241b7c4712162e63b804e2f0a4251a4178bb985621070140
Instruction ID: 9c96022233e00f45b40e0282f1d885220868f9e058b094fd9f7a4bbb96fcb14f
Opcode Fuzzy Hash: fc9b716e5d7671c1241b7c4712162e63b804e2f0a4251a4178bb985621070140
Instruction Fuzzy Hash: 611252719002299FDB14CF59C8806EEB7B5FF48710F14819BE849EB252EB389E85CF95

Function 0047EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0047EABD

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 15020fdac601a566885ed4c0a870f6d579dd1160b3a1fd7142283fffb891c640
Instruction ID: b40af947e9697942177ffb577b1694246c813bd138668231549b55f752874d47
Opcode Fuzzy Hash: 15020fdac601a566885ed4c0a870f6d579dd1160b3a1fd7142283fffb891c640
Instruction Fuzzy Hash: 42E01A31200204AFC710EF6AD844E9AB7E9AF98764F00846BFC49D7391DA78AC418B99

Function 004209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004203EE), ref: 004209DA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 34453acfcdf46af830c81bc421b5064df1454124b76db59955965f425ba95087
Instruction ID: f705d55398cb153b68197336f49732564042bcd18df78a8ece02566bb4e07c66
Opcode Fuzzy Hash: 34453acfcdf46af830c81bc421b5064df1454124b76db59955965f425ba95087
Instruction Fuzzy Hash:

Function 0042781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0042798B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: dd5f3ba559151bc3021faa4d08a574aa33d8e02e948c2b5efb3109fbb398670e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: FB5168B170C7355AEB386629749A7BF27859B02344FD8090FD882C7382C60DDE82D75E

Function 00472046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&M, xrefs: 00472053

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0&M
API String ID: 0-278495883
Opcode ID: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction ID: cef1c09b466cac432e6cc030d138e4a232e0cfdd24342920920addecda63d74c
Opcode Fuzzy Hash: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction Fuzzy Hash: 5321D8323216118BDB28CF79C9226BE73E5A764310F188A2FE4A7C33D0DE79A904C754

Function 00436DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0e8307ef338da49e0da29b8b170f2fc18eeef58ad5343f8096971db0679d2e
Instruction ID: 3ce898e0723c675ca30dfd83868675bb9146081620d05d072c43bf9694a9d0bf
Opcode Fuzzy Hash: ad0e8307ef338da49e0da29b8b170f2fc18eeef58ad5343f8096971db0679d2e
Instruction Fuzzy Hash: 99325661D29F014DD7239638CD22336A649AFBB3D5F15E337E81AB5EA6EB28C4C35104

Function 0041CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3b1f49e82936be172b0303e30b5fac16f65e483f72630dc639334d00fedcf3
Instruction ID: 567821adab74a7b52272253c1dccd6f41d6d8a7a8cd2a5a9328308b85443cdc3
Opcode Fuzzy Hash: 7e3b1f49e82936be172b0303e30b5fac16f65e483f72630dc639334d00fedcf3
Instruction Fuzzy Hash: 5B32E631A003158FDF24CE69C8D46BE7BA1EB45306F288567DC4597393E23C9D8ADA8D

Function 00407920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fa61a045b2e008dae88d027fac136bec3fa33c06399abc0c9ec0aae4f11ea3
Instruction ID: 16488a37a9ebf6b43e4c6892e0fc228140128a1d93a8fd0dca1333f1a8601933
Opcode Fuzzy Hash: b8fa61a045b2e008dae88d027fac136bec3fa33c06399abc0c9ec0aae4f11ea3
Instruction Fuzzy Hash: 3C22D170E006099FEF14CF65D841AAEB3F1FF44304F14453AE816A7292EB39AD55CB59

Function 004091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30036c20a431cc36830c896ef84712c676619ac8bd636a69a97a5e9ded375a47
Instruction ID: a7c37e6f1452ed374a139f2922219f308528d16e40839c2f88b42618a8a79e06
Opcode Fuzzy Hash: 30036c20a431cc36830c896ef84712c676619ac8bd636a69a97a5e9ded375a47
Instruction Fuzzy Hash: 9C02CAB0E00205EFDB04DF55D881AAEB7B1FF44304F11856AE806AB391EB39ED55CB99

Function 00439EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6c570be3b8e5b369602f87ee64208c4ded3aa1f2014f869a2e6ae5471e5474
Instruction ID: 05a08e5766974571a645db48119de5cd6e13f888aacc5baab25b98f5e23d988c
Opcode Fuzzy Hash: 1a6c570be3b8e5b369602f87ee64208c4ded3aa1f2014f869a2e6ae5471e5474
Instruction Fuzzy Hash: 43B1E420D2AF404DD6239A398831336FA5C6FBB6D6F91D72BFC5674D62FB2185834244

Function 00421C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 03abb81fe3b5adf1efa1b564ba4db5683a0615e5b7235cec36f3ba69c85e462d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 329187723080B34ADB29463AA57403FFFE15A623A135A079FD4F2CB2E5EE189954D624

Function 004219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 263be3c91c1eb535f95e0da61d69067ed54d374e2ef309587b9275242729dd05
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B89194723090F30ADB29467AA57403FFFF15AA23A135A07AFD4F2CA2E1FD189554D624

Function 00427A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfc99caef6fcf3a1232713fd42500ccdf6fc43273da94df47a7739a65c3388a
Instruction ID: 84ac85275a216eff532c1add87baca4d75615409e8ba58ee8a571bdc319d84d4
Opcode Fuzzy Hash: 2cfc99caef6fcf3a1232713fd42500ccdf6fc43273da94df47a7739a65c3388a
Instruction Fuzzy Hash: C761467130873596DA349929B895BBF3794DF41318FD0091FE842DB382DA1DAE42871E

Function 00427CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335cfa9026358501cc6cd1356f553921e6292aa44130cf3439bc3ec1ecf51658
Instruction ID: b3d8b0dcfa79c3ad95e7fbebb9004bf79f267a435944c7c6c5ebb73a9dbd94fe
Opcode Fuzzy Hash: 335cfa9026358501cc6cd1356f553921e6292aa44130cf3439bc3ec1ecf51658
Instruction Fuzzy Hash: A661897531873967DE384A287891BBF2384EF42744FD0095FE943DB381DA5EAD42826E

Function 00421706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 76ceb53c6dfe0c4248e762e257b909a8a314b5929079aaa7e546bb38e22f71ec
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 548174727080B309DB2D423A957443FFFE15AE23A135A079FD4F2CB2E1EE288554E624

Function 00482ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00482B30
DeleteObject.GDI32(00000000), ref: 00482B43
DestroyWindow.USER32 ref: 00482B52
GetDesktopWindow.USER32 ref: 00482B6D
GetWindowRect.USER32(00000000), ref: 00482B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00482CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00482CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482CF8
GetClientRect.USER32(00000000,?), ref: 00482D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00482D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D80
GlobalLock.KERNEL32(00000000), ref: 00482D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D98
GlobalUnlock.KERNEL32(00000000), ref: 00482DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482DA8
GlobalFree.KERNEL32(00000000), ref: 00482DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0049FC38,00000000), ref: 00482DDB
GlobalFree.KERNEL32(00000000), ref: 00482DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00482E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00482E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0048303F

Strings

DISPLAY, xrefs: 00482EA2
AutoIt v3, xrefs: 00482CF2
static, xrefs: 00482D3A, 00482E91
, xrefs: 00482FC5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b494cc3624a38074f3221385d133c055cd0034efb3e5cf8de8c6dcb354adba42
Instruction ID: bbf4dd1d0e10ac38dbf2890fd7e20bdbd7a257b4c3ab9d414e1cffb64e0bd8dd
Opcode Fuzzy Hash: b494cc3624a38074f3221385d133c055cd0034efb3e5cf8de8c6dcb354adba42
Instruction Fuzzy Hash: E7028D71900205EFDB14DFA4CD89EAE7BB9EF49314F00856AF915AB2A1C774AD01CF68

Function 004970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0049712F
GetSysColorBrush.USER32(0000000F), ref: 00497160
GetSysColor.USER32(0000000F), ref: 0049716C
SetBkColor.GDI32(?,000000FF), ref: 00497186
SelectObject.GDI32(?,?), ref: 00497195
InflateRect.USER32(?,000000FF,000000FF), ref: 004971C0
GetSysColor.USER32(00000010), ref: 004971C8
CreateSolidBrush.GDI32(00000000), ref: 004971CF
FrameRect.USER32(?,?,00000000), ref: 004971DE
DeleteObject.GDI32(00000000), ref: 004971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00497230
FillRect.USER32(?,?,?), ref: 00497262
GetWindowLongW.USER32(?,000000F0), ref: 00497284

Part of subcall function 004973E8: GetSysColor.USER32(00000012), ref: 00497421
Part of subcall function 004973E8: SetTextColor.GDI32(?,?), ref: 00497425
Part of subcall function 004973E8: GetSysColorBrush.USER32(0000000F), ref: 0049743B
Part of subcall function 004973E8: GetSysColor.USER32(0000000F), ref: 00497446
Part of subcall function 004973E8: GetSysColor.USER32(00000011), ref: 00497463
Part of subcall function 004973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00497471
Part of subcall function 004973E8: SelectObject.GDI32(?,00000000), ref: 00497482
Part of subcall function 004973E8: SetBkColor.GDI32(?,00000000), ref: 0049748B
Part of subcall function 004973E8: SelectObject.GDI32(?,?), ref: 00497498
Part of subcall function 004973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004974B7
Part of subcall function 004973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004974CE
Part of subcall function 004973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004974DB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0dea75f80e2bbe3237c49b0bf1195ce151ff954f2b749752f79636b2c3800b87
Instruction ID: 7653aa0511b1474f4b3cda614fda4756ac704073239f7f11a827eee26e1b1a20
Opcode Fuzzy Hash: 0dea75f80e2bbe3237c49b0bf1195ce151ff954f2b749752f79636b2c3800b87
Instruction Fuzzy Hash: AFA1B172018311BFDB109F60DC89E5B7BA9FF99320F100A3AF962961E1D734E945CB5A

Function 00418D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00418E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00456AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00456AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00456F43

Part of subcall function 00418F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00418BE8,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418FC5

SendMessageW.USER32(?,00001053), ref: 00456F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00456F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00456FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00456FB7

Strings

0, xrefs: 00456DCF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c4e1d079e7feecc1f0c7021be5bb067e54142e6e8afc53484fab5642190c1190
Instruction ID: e9b540a01f17715450491459bb1486a3ac7e1ecb175c7ce654376cd1565cf959
Opcode Fuzzy Hash: c4e1d079e7feecc1f0c7021be5bb067e54142e6e8afc53484fab5642190c1190
Instruction Fuzzy Hash: 7812AC70601211AFDB21CF14C894BA6B7F5FB45302F95446FE885CB262CB39AC9ACB59

Function 00482711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0048273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0048286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00482900
GetClientRect.USER32(00000000,?), ref: 0048290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00482955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482964
GetStockObject.GDI32(00000011), ref: 00482974
SelectObject.GDI32(00000000,00000000), ref: 00482978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00482988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00482991
DeleteDC.GDI32(00000000), ref: 0048299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00482A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00482A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00482A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00482A77
GetStockObject.GDI32(00000011), ref: 00482A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00482A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00482A97

Strings

DISPLAY, xrefs: 0048295A
msctls_progress32, xrefs: 00482A13
AutoIt v3, xrefs: 004828F8
static, xrefs: 0048294F, 00482A71

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 75e675519c1aedcc4f22a6906d58bc5e48459ae5d838ab3ec349a53c673adf86
Instruction ID: e9ade11dab0fe2af951de518d2c42dc0868fb73828cf1c45992ce1b7dabbae1d
Opcode Fuzzy Hash: 75e675519c1aedcc4f22a6906d58bc5e48459ae5d838ab3ec349a53c673adf86
Instruction Fuzzy Hash: 9CB16F71A00215BFEB14DF69CD85FAE7BA9EB08714F00452AF915E72E0D774AD40CBA8

Function 00474ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00474AED
GetDriveTypeW.KERNEL32(?,0049CB68,?,\\.\,0049CC08), ref: 00474BCA
SetErrorMode.KERNEL32(00000000,0049CB68,?,\\.\,0049CC08), ref: 00474D36

Strings

Fixed, xrefs: 00474C09
1394, xrefs: 00474C9F
Unknown, xrefs: 00474BED, 00474C83
FileBackedVirtual, xrefs: 00474CEC
USB, xrefs: 00474CB4
Virtual, xrefs: 00474CE5
SAS, xrefs: 00474CC9
ATA, xrefs: 00474C98
iSCSI, xrefs: 00474CC2
SATA, xrefs: 00474CD0
Fibre, xrefs: 00474CAD
ATAPI, xrefs: 00474C91
SSD, xrefs: 00474C4A
CDROM, xrefs: 00474BFB
PhysicalDrive, xrefs: 00474B76
SSA, xrefs: 00474CA6
MMC, xrefs: 00474CDE
Removable, xrefs: 00474C10, 00474C15
RAMDisk, xrefs: 00474BF4
\\.\, xrefs: 00474B3F
RAID, xrefs: 00474CBB
Network, xrefs: 00474C02
SCSI, xrefs: 00474C8A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab80831dd2eb253968ff5bd395b14728ef159c1b25e70c5eac400577a6d6c2f3
Instruction ID: 0ac9adffbc1f8b7afb3ae8515e1ade7549d640cd2c15dac342cbcd9624f2b695
Opcode Fuzzy Hash: ab80831dd2eb253968ff5bd395b14728ef159c1b25e70c5eac400577a6d6c2f3
Instruction Fuzzy Hash: 6361B2356051059FCB05DF24CA81EF977A0AB84344B26C02BE80BAB691DB3DED42DB5E

Function 004973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00497421
SetTextColor.GDI32(?,?), ref: 00497425
GetSysColorBrush.USER32(0000000F), ref: 0049743B
GetSysColor.USER32(0000000F), ref: 00497446
CreateSolidBrush.GDI32(?), ref: 0049744B
GetSysColor.USER32(00000011), ref: 00497463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00497471
SelectObject.GDI32(?,00000000), ref: 00497482
SetBkColor.GDI32(?,00000000), ref: 0049748B
SelectObject.GDI32(?,?), ref: 00497498
InflateRect.USER32(?,000000FF,000000FF), ref: 004974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0049752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00497554
InflateRect.USER32(?,000000FD,000000FD), ref: 00497572
DrawFocusRect.USER32(?,?), ref: 0049757D
GetSysColor.USER32(00000011), ref: 0049758E
SetTextColor.GDI32(?,00000000), ref: 00497596
DrawTextW.USER32(?,004970F5,000000FF,?,00000000), ref: 004975A8
SelectObject.GDI32(?,?), ref: 004975BF
DeleteObject.GDI32(?), ref: 004975CA
SelectObject.GDI32(?,?), ref: 004975D0
DeleteObject.GDI32(?), ref: 004975D5
SetTextColor.GDI32(?,?), ref: 004975DB
SetBkColor.GDI32(?,?), ref: 004975E5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: eee56e40d1b9f2ec313c2527e5820cce17180b7a0ce495f83407a45d49c79982
Instruction ID: 809f5c748247be305c2d038453bd7a4f80c17b766ea098e9d8b68210fc43f4d9
Opcode Fuzzy Hash: eee56e40d1b9f2ec313c2527e5820cce17180b7a0ce495f83407a45d49c79982
Instruction Fuzzy Hash: 7E613D72904218BFDF019FA4DC89EAE7FB9EB09320F114136F915AB2A1D7759940CF98

Function 00490FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00491128
GetDesktopWindow.USER32 ref: 0049113D
GetWindowRect.USER32(00000000), ref: 00491144
GetWindowLongW.USER32(?,000000F0), ref: 00491199
DestroyWindow.USER32(?), ref: 004911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0049120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0049121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00491232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00491245
IsWindowVisible.USER32(00000000), ref: 004912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004912D0
GetWindowRect.USER32(00000000,?), ref: 004912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0049130E
GetMonitorInfoW.USER32(00000000,?), ref: 00491328
CopyRect.USER32(?,?), ref: 0049133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004913AA

Strings

tooltips_class32, xrefs: 004911E6
(, xrefs: 0049131B
0, xrefs: 004910D3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2df0520ea53f781151155a9dccb26768136dc9de2785cb82424ff2f6e4428622
Instruction ID: 4fa3465cd89e115d083a00c14f180ab48255e67d4e67e6ea643bc7373abc173c
Opcode Fuzzy Hash: 2df0520ea53f781151155a9dccb26768136dc9de2785cb82424ff2f6e4428622
Instruction Fuzzy Hash: 63B18C71604341AFDB10DF65C885A5BBBE4FF88354F00892EF999AB2A1C735EC44CB99

Function 00490241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004902E5
_wcslen.LIBCMT ref: 0049031F
_wcslen.LIBCMT ref: 00490389
_wcslen.LIBCMT ref: 004903F1
_wcslen.LIBCMT ref: 00490475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00490504

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

Part of subcall function 0046223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00462258
Part of subcall function 0046223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0046228A

Strings

GETSUBITEMCOUNT, xrefs: 00490384, 0049039F
SELECTALL, xrefs: 00490515
FINDITEM, xrefs: 00490627
GETTEXT, xrefs: 004903EC, 00490407
SELECT, xrefs: 00490548
GETSELECTEDCOUNT, xrefs: 00490470, 0049048B
SELECTINVERT, xrefs: 0049057E
GETSELECTED, xrefs: 004905E1
DESELECT, xrefs: 0049059C
VIEWCHANGE, xrefs: 00490675
GETITEMCOUNT, xrefs: 00490316, 00490337
ISSELECTED, xrefs: 004904DD
SELECTCLEAR, xrefs: 0049052D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b3078c2079efdba59c02469cbec69a3e9f01576e3346aea7aeeede21f83beaad
Instruction ID: 9a54775b287b5774c99644f3016330cb526a800e56de7245beb016a960f4771f
Opcode Fuzzy Hash: b3078c2079efdba59c02469cbec69a3e9f01576e3346aea7aeeede21f83beaad
Instruction Fuzzy Hash: D4E1B2312082019FCB14DF25C95092BBBE5BFC8758B14457EF896AB391DB38ED46CB4A

Function 00418891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00418968
GetSystemMetrics.USER32(00000007), ref: 00418970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041899B
GetSystemMetrics.USER32(00000008), ref: 004189A3
GetSystemMetrics.USER32(00000004), ref: 004189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00418A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00418A3C
GetClientRect.USER32(00000000,000000FF), ref: 00418A5A
GetStockObject.GDI32(00000011), ref: 00418A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00418A81

Part of subcall function 0041912D: GetCursorPos.USER32(?), ref: 00419141
Part of subcall function 0041912D: ScreenToClient.USER32(00000000,?), ref: 0041915E
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000001), ref: 00419183
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000002), ref: 0041919D

SetTimer.USER32(00000000,00000000,00000028,004190FC), ref: 00418AA8

Strings

AutoIt v3 GUI, xrefs: 00418A20

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: de29922f3459d3c920f9127af5b050397a426be9beab32bd72097dc159e31b3e
Instruction ID: 24350be98dd57b743f4a3dd19b60f581808337178d510593da20842267799206
Opcode Fuzzy Hash: de29922f3459d3c920f9127af5b050397a426be9beab32bd72097dc159e31b3e
Instruction Fuzzy Hash: CBB16F71600209AFDB14DFA8CC95BEE7BB5FB48315F11422BFE1597290DB38A841CB59

Function 00460D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
Part of subcall function 004610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
Part of subcall function 004610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
Part of subcall function 004610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00460DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00460E29
GetLengthSid.ADVAPI32(?), ref: 00460E40
GetAce.ADVAPI32(?,00000000,?), ref: 00460E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00460E96
GetLengthSid.ADVAPI32(?), ref: 00460EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00460EB5
HeapAlloc.KERNEL32(00000000), ref: 00460EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00460EDD
CopySid.ADVAPI32(00000000), ref: 00460EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00460F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00460F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00460F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F6E
HeapFree.KERNEL32(00000000), ref: 00460F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F7E
HeapFree.KERNEL32(00000000), ref: 00460F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F8E
HeapFree.KERNEL32(00000000), ref: 00460F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00460FA1
HeapFree.KERNEL32(00000000), ref: 00460FA8

Part of subcall function 00461193: GetProcessHeap.KERNEL32(00000008,00460BB1,?,00000000,?,00460BB1,?), ref: 004611A1
Part of subcall function 00461193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00460BB1,?), ref: 004611A8
Part of subcall function 00461193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00460BB1,?), ref: 004611B7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45c2a3535d20612bdbd0e9ab5ee118db897ba99b8e4ba87040f1d0bb3022ba22
Instruction ID: 0fb3ce4afe998c41078967e3b78393224d602ba31502d030620368beac206456
Opcode Fuzzy Hash: 45c2a3535d20612bdbd0e9ab5ee118db897ba99b8e4ba87040f1d0bb3022ba22
Instruction Fuzzy Hash: 92717B7290020AABDF209FA5DC85BAFBBB8BF15300F044126F919A6291E775DD05CB69

Function 0048C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049CC08,00000000,?,00000000,?,?), ref: 0048C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0048C5A4
_wcslen.LIBCMT ref: 0048C5F4
_wcslen.LIBCMT ref: 0048C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0048C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0048C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0048C84D
RegCloseKey.ADVAPI32(?), ref: 0048C881
RegCloseKey.ADVAPI32(00000000), ref: 0048C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0048C960

Strings

REG_EXPAND_SZ, xrefs: 0048C5CD
REG_SZ, xrefs: 0048C644
REG_BINARY, xrefs: 0048C913
REG_MULTI_SZ, xrefs: 0048C6F5
REG_QWORD, xrefs: 0048C8C3
REG_DWORD, xrefs: 0048C804

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: dfd249db8cc41b5c82d105e4abbe09f0368b79dc7f18c5e33499ea8f1883d4f5
Instruction ID: c2a433ac3ef539583300f68ceb4562f11c5db710a61bc91a506c5d7cd8db0dd2
Opcode Fuzzy Hash: dfd249db8cc41b5c82d105e4abbe09f0368b79dc7f18c5e33499ea8f1883d4f5
Instruction Fuzzy Hash: 541271356042019FD714EF15C881E2AB7E5EF88758F14886EF8499B3A2DB39FC41CB99

Function 0049091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004909C6
_wcslen.LIBCMT ref: 00490A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00490A54
_wcslen.LIBCMT ref: 00490A8A
_wcslen.LIBCMT ref: 00490B06
_wcslen.LIBCMT ref: 00490B81

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

Part of subcall function 00462BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00462BFA

Strings

UNCHECK, xrefs: 00490D3E
CHECK, xrefs: 00490A85, 00490AA0
GETITEMCOUNT, xrefs: 00490C1E
EXPAND, xrefs: 00490BF8
COLLAPSE, xrefs: 00490B01, 00490B1C
GETTEXT, xrefs: 00490C97
SELECT, xrefs: 00490D11
GETTOTALCOUNT, xrefs: 004909F2, 00490A17
ISCHECKED, xrefs: 00490CE1
GETSELECTED, xrefs: 00490C4E
EXISTS, xrefs: 00490B7C, 00490B97

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7f0726da428d1f857e1947c38dbf15062f352fe45e50e90fc4be6ee75e981708
Instruction ID: 1013c0651a9dba8fe5b30329448c2a67b3bcb7d5d7144e3293d99a1aa7eccc76
Opcode Fuzzy Hash: 7f0726da428d1f857e1947c38dbf15062f352fe45e50e90fc4be6ee75e981708
Instruction Fuzzy Hash: A0E1B2752083019FCB14DF25C45096ABBE1BF94358F10896EF8966B3A2D738ED45CB8A

Function 0048C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
_wcslen.LIBCMT ref: 0048C9F1
_wcslen.LIBCMT ref: 0048CA68
_wcslen.LIBCMT ref: 0048CA9E
_wcslen.LIBCMT ref: 0048CAF9
_wcslen.LIBCMT ref: 0048CB2F
_wcslen.LIBCMT ref: 0048CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0048CBBD
HKEY_CURRENT_CONFIG, xrefs: 0048CB79, 0048CB7E
HKCC, xrefs: 0048CBAC
HKCU, xrefs: 0048CBCE
HKCR, xrefs: 0048CB29, 0048CB2E
HKEY_LOCAL_MACHINE, xrefs: 0048CA62, 0048CA67
HKU, xrefs: 0048CBF0
HKLM, xrefs: 0048CA98, 0048CA9D
HKEY_USERS, xrefs: 0048CBDF
HKEY_CLASSES_ROOT, xrefs: 0048CAF3, 0048CAF8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b31e78215c04d9e7d477a3ca5053a964ce584295d374fffe22a77a35a0470901
Instruction ID: ed2a7cc976ee06f379692ae362c4bca03eff38a4ab6ac2818ef3541a2519e057
Opcode Fuzzy Hash: b31e78215c04d9e7d477a3ca5053a964ce584295d374fffe22a77a35a0470901
Instruction Fuzzy Hash: 6D71E63260052A8BCB10FE79D9C16BF33919BA0754B11492BF86597384E73DDD8587BC

Function 0049833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0049835A
_wcslen.LIBCMT ref: 0049836E
_wcslen.LIBCMT ref: 00498391
_wcslen.LIBCMT ref: 004983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00495BF2), ref: 0049844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00498487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00498501
FreeLibrary.KERNEL32(?), ref: 0049850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0049851D
DestroyIcon.USER32(?,?,?,?,?,00495BF2), ref: 0049852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00498549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00498555

Strings

.icl, xrefs: 00498368
.dll, xrefs: 004983AB
.exe, xrefs: 00498388

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5ed259a3dd636ea1506d4e87527b88dddd6922e2630e92815831cad2243b0ba6
Instruction ID: 4e18c377d3a93d3c1868f56d560fd42ffcf80cca71b042c358b88d151030d548
Opcode Fuzzy Hash: 5ed259a3dd636ea1506d4e87527b88dddd6922e2630e92815831cad2243b0ba6
Instruction Fuzzy Hash: BC61D071640215BAEF14DF69DC81BBF7BA8AF05720F10412FF815D61D1DB78A980CBA8

Function 00407778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0044519A
#OnAutoItStartRegister, xrefs: 00407817
', xrefs: 00445169
", xrefs: 00445153
#comments-start, xrefs: 0040785F, 004078B1
Cannot parse #include, xrefs: 00445279
#cs, xrefs: 00407873, 004078C5
#requireadmin, xrefs: 004077FF
#comments-end, xrefs: 004078D9
Unterminated group of comments, xrefs: 0044528C
#pragma compile, xrefs: 004077D3
#notrayicon, xrefs: 004077E7
#ce, xrefs: 004078ED
#include-once, xrefs: 0040782F
#include, xrefs: 00407847

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 37b6be96c844508c1785e83a1e9b947b3535a42a2054fffc2aa05080e39147b1
Instruction ID: 143d0d3894ee3fcd827cba236b78bf0a762740ba91adbf79a0b17f8313cd745c
Opcode Fuzzy Hash: 37b6be96c844508c1785e83a1e9b947b3535a42a2054fffc2aa05080e39147b1
Instruction Fuzzy Hash: AD81B471A04205BBDF20AB61DC42FAF3B64AF54344F14403BF905BB2D2EB7CA945C69A

Function 00473E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00473EF8
_wcslen.LIBCMT ref: 00473F03
_wcslen.LIBCMT ref: 00473F5A
_wcslen.LIBCMT ref: 00473F98
GetDriveTypeW.KERNEL32(?), ref: 00473FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00474059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00474087

Strings

set cd door , xrefs: 00474028
wait, xrefs: 00474044
close, xrefs: 00473EFE, 00473F18
type cdaudio alias cd wait, xrefs: 00474001
closed, xrefs: 00473F08, 00473F2D, 00473F46, 00473F7E, 00473F97
open , xrefs: 00473FE5
open, xrefs: 00473F54, 00473F59
close cd wait, xrefs: 00474072

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 9a66eb9955f9c6734255fb944ceba52c9190cd67c9890fecea654dd539b7eca5
Instruction ID: c2740d1222ebc385cb82919aaad8bf6600b64fb161edc359628cf9a2a961c0a7
Opcode Fuzzy Hash: 9a66eb9955f9c6734255fb944ceba52c9190cd67c9890fecea654dd539b7eca5
Instruction Fuzzy Hash: D771E4716042119FC310EF24C8809ABB7F4EF94758F10892FF99993291EB38ED45CB9A

Function 00465A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00465A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00465A40
SetWindowTextW.USER32(?,?), ref: 00465A57
GetDlgItem.USER32(?,000003EA), ref: 00465A6C
SetWindowTextW.USER32(00000000,?), ref: 00465A72
GetDlgItem.USER32(?,000003E9), ref: 00465A82
SetWindowTextW.USER32(00000000,?), ref: 00465A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00465AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00465AC3
GetWindowRect.USER32(?,?), ref: 00465ACC
_wcslen.LIBCMT ref: 00465B33
SetWindowTextW.USER32(?,?), ref: 00465B6F
GetDesktopWindow.USER32 ref: 00465B75
GetWindowRect.USER32(00000000), ref: 00465B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00465BD3
GetClientRect.USER32(?,?), ref: 00465BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00465C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00465C2F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 995c23ee9de8ec63ae521d5336bbf1a014c3310c08a33b5eb24cc9a98bea18a1
Instruction ID: 0a901d73f7802359af014b314dccce5a02935b980301162514e1a12ab8627d3d
Opcode Fuzzy Hash: 995c23ee9de8ec63ae521d5336bbf1a014c3310c08a33b5eb24cc9a98bea18a1
Instruction Fuzzy Hash: 54718171900B059FDB20DFA8CD85A6EBBF5FF48704F10452AE542A26A0D774FD44CB59

Function 0047FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0047FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0047FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0047FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0047FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0047FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0047FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0047FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0047FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0047FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0047FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0047FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0047FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0047FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0047FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0047FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0047FECC
GetCursorInfo.USER32(?), ref: 0047FEDC
GetLastError.KERNEL32 ref: 0047FF1E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 29eff0d44065f1e65d95e5c6162902b78d4fe41269bbd9898af73b59a57f8744
Instruction ID: 3c1c8c6c8ebf84f0bfec2f4cf58b050dbe1a493a1fc2209b7d0b4447c7814f8b
Opcode Fuzzy Hash: 29eff0d44065f1e65d95e5c6162902b78d4fe41269bbd9898af73b59a57f8744
Instruction Fuzzy Hash: 4F4123B0D08319AADB10DFBA8C8585EBFE8FF04754B50853BE11DE7281DB78A9058E95

Function 004630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046318D
_wcslen.LIBCMT ref: 004631F8

Strings

TEXT, xrefs: 0046347C
NAME, xrefs: 00463335, 00463346
REGEXPCLASS, xrefs: 00463255, 00463266
[L, xrefs: 0046339A
CLASS, xrefs: 00463188, 004631A5
INSTANCE, xrefs: 00463453
CLASSNN, xrefs: 004631F3, 00463204

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[L
API String ID: 176396367-2673105605
Opcode ID: 3ef901a7c4d3f7d847686ef54d8ca3cb0fe16cad14b22e338ef83e5d3e0195a7
Instruction ID: dec465ae6880087b831d7e9f7dc700507f7d777555492fb578c4aceba1586c83
Opcode Fuzzy Hash: 3ef901a7c4d3f7d847686ef54d8ca3cb0fe16cad14b22e338ef83e5d3e0195a7
Instruction Fuzzy Hash: 6BE10332A00566ABCB149F64C451BEEFBB0BF44715F54812FE456B3380FB38AE858799

Function 004200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004200C6

Part of subcall function 004200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004D070C,00000FA0,F32407DD,?,?,?,?,004423B3,000000FF), ref: 0042011C
Part of subcall function 004200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004423B3,000000FF), ref: 00420127
Part of subcall function 004200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004423B3,000000FF), ref: 00420138
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0042014E
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0042015C
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0042016A
Part of subcall function 004200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00420195
Part of subcall function 004200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004201A0

___scrt_fastfail.LIBCMT ref: 004200E7

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00420122
InitializeConditionVariable, xrefs: 00420148
SleepConditionVariableCS, xrefs: 00420154
kernel32.dll, xrefs: 00420133
WakeAllConditionVariable, xrefs: 00420162

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ed7e43c6380ba617abe833e8cd4ec0574e43a35956320d61fe7d0cf66bf0707d
Instruction ID: 84b6f6118bdc231d3a488da8fe478963a291621794897a1b1255fb41307b7b9d
Opcode Fuzzy Hash: ed7e43c6380ba617abe833e8cd4ec0574e43a35956320d61fe7d0cf66bf0707d
Instruction Fuzzy Hash: 1B21F6327457206BEB106BB5BC46B6A77E4DB05B51F60023BF802E7392DB6D98008A9C

Function 004744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0049CC08), ref: 00474527
_wcslen.LIBCMT ref: 0047453B
_wcslen.LIBCMT ref: 00474599
_wcslen.LIBCMT ref: 004745F4
_wcslen.LIBCMT ref: 0047463F
_wcslen.LIBCMT ref: 004746A7

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

GetDriveTypeW.KERNEL32(?,004C6BF0,00000061), ref: 00474743

Strings

fixed, xrefs: 00474635, 0047463A
all, xrefs: 00474531, 00474536
network, xrefs: 0047469D, 004746A2
cdrom, xrefs: 0047458F, 00474594
removable, xrefs: 004745EA, 004745EF
unknown, xrefs: 00474708
ramdisk, xrefs: 004746F1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7a032b10261071238578d7798be2a8d8f1bbc0d2a2d447e15a69d6f0c622db57
Instruction ID: d98997375423f878c0017acd91fdc058ed6cfa4487477bd8f6599caaed90522b
Opcode Fuzzy Hash: 7a032b10261071238578d7798be2a8d8f1bbc0d2a2d447e15a69d6f0c622db57
Instruction Fuzzy Hash: 5CB103716083029BC710DF28C890ABBB7E5AFD5724F50892EF49A97391E738D845CA5A

Function 0049911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DragQueryPoint.SHELL32(?,?), ref: 00499147

Part of subcall function 00497674: ClientToScreen.USER32(?,?), ref: 0049769A
Part of subcall function 00497674: GetWindowRect.USER32(?,?), ref: 00497710
Part of subcall function 00497674: PtInRect.USER32(?,?,00498B89), ref: 00497720

SendMessageW.USER32(?,000000B0,?,?), ref: 004991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00499225
SendMessageW.USER32(?,000000B0,?,?), ref: 0049923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00499255
SendMessageW.USER32(?,000000B1,?,?), ref: 00499277
DragFinish.SHELL32(?), ref: 0049927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00499371

Strings

@GUI_DROPID, xrefs: 0049929E
@GUI_DRAGFILE, xrefs: 00499320
p#M, xrefs: 004992BB
@GUI_DRAGID, xrefs: 004992E9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#M
API String ID: 221274066-2015629680
Opcode ID: cc5226adbb9b96ac99bcee9125aa241e4809515293bea636d27be4bdb13d5005
Instruction ID: 3df0e896286e7cc24d35a34c115dd35c96d1348fae80d5e553011d8ae7303d2a
Opcode Fuzzy Hash: cc5226adbb9b96ac99bcee9125aa241e4809515293bea636d27be4bdb13d5005
Instruction Fuzzy Hash: 36618A71108301AFD700EF65CC85DAFBBE8EF99354F00092FF591922A1DB349A49CB5A

Function 0040326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004D1990), ref: 00442F8D
GetMenuItemCount.USER32(004D1990), ref: 0044303D
GetCursorPos.USER32(?), ref: 00443081
SetForegroundWindow.USER32(00000000), ref: 0044308A
TrackPopupMenuEx.USER32(004D1990,00000000,?,00000000,00000000,00000000), ref: 0044309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004430A9

Strings

0, xrefs: 0040327D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 63dbe3af2f01a2507e731779d95540f2b8473fc6145a53c04e0c9baa7831559b
Instruction ID: 50604dc0154d471f9d9f05728990120ecc12f68252d1d5e29eca4ee7fd44c235
Opcode Fuzzy Hash: 63dbe3af2f01a2507e731779d95540f2b8473fc6145a53c04e0c9baa7831559b
Instruction Fuzzy Hash: 8C711730640215BAFB218F25CD89F9BBF68FF01724F20422BF514662E0C7B9AD54D799

Function 00496CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00496DEB

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00496E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00496E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00496E94
DestroyWindow.USER32(?), ref: 00496EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00496EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00496EFD
GetDesktopWindow.USER32 ref: 00496F16
GetWindowRect.USER32(00000000), ref: 00496F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00496F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00496F4D

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

Strings

tooltips_class32, xrefs: 00496E58, 00496EDD
0, xrefs: 00496D98

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6428b4afc25977ee63a403d95399c66df614a0ee7afea08159283990d6292f2d
Instruction ID: 6a0311cad4bd6a39f66962045e872b5819b0b1edc96ae1726a8a34bf2098f0d7
Opcode Fuzzy Hash: 6428b4afc25977ee63a403d95399c66df614a0ee7afea08159283990d6292f2d
Instruction Fuzzy Hash: 6B715874104244AFDB21CF18D894FBBBBFAFB99304F55042EF98997261C774A906CB19

Function 0047C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0047C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0047C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0047C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0047C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0047C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0047C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0047C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0047C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0047C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0047C5F0
InternetCloseHandle.WININET(00000000), ref: 0047C5FB

Strings

, xrefs: 0047C575

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 7c91576087ff3762589d5d9375ec81b3101d2abcd0dc8baf7d7a45dd79255699
Instruction ID: 62966bfdfc762d986eb43c7bc46254d8f994bea3438afeba38a38ba0b5e87711
Opcode Fuzzy Hash: 7c91576087ff3762589d5d9375ec81b3101d2abcd0dc8baf7d7a45dd79255699
Instruction Fuzzy Hash: 4D516FB0500605BFDB218FA1C9C8AAB7BBCFF14744F00842FF94996250D739E9449BA8

Function 0049856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00498592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985BA
GlobalLock.KERNEL32(00000000), ref: 004985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985D7
GlobalUnlock.KERNEL32(00000000), ref: 004985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0049FC38,?), ref: 00498611
GlobalFree.KERNEL32(00000000), ref: 00498621
GetObjectW.GDI32(?,00000018,?), ref: 00498641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00498671
DeleteObject.GDI32(?), ref: 00498699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004986AF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ecf7bf33f19c8727181582f7a1fc1acabdf2093612c6ed86d011053e0d604fa0
Instruction ID: eb69097575f49255b2fdd6a809ba57042cfc9ad38165ae5ecb00aa39181f9416
Opcode Fuzzy Hash: ecf7bf33f19c8727181582f7a1fc1acabdf2093612c6ed86d011053e0d604fa0
Instruction Fuzzy Hash: D2410C75600204BFDB119FA9DD88EAB7BB8EF99711F10407AF905EB260DB349D01CB68

Function 004714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00471502
VariantCopy.OLEAUT32(?,?), ref: 0047150B
VariantClear.OLEAUT32(?), ref: 00471517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00471657
VariantInit.OLEAUT32(?), ref: 00471708
SysFreeString.OLEAUT32(?), ref: 0047178C
VariantClear.OLEAUT32(?), ref: 004717D8
VariantClear.OLEAUT32(?), ref: 004717E7
VariantInit.OLEAUT32(00000000), ref: 00471823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00471625
Default, xrefs: 004716AF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 04c4721be5f36041c90275518a9327e06ca1f62a5ccf38e40fae594e42cefa8c
Instruction ID: 0c605db627f9a6fcea8deb3e881c5d7ac84542bb8d3de78438d95bbb650700a1
Opcode Fuzzy Hash: 04c4721be5f36041c90275518a9327e06ca1f62a5ccf38e40fae594e42cefa8c
Instruction Fuzzy Hash: 19D11371A00105EBDF089F69D885BF9B7B5BF44704F54C06BE40AAB2A0DB38DC46DB5A

Function 0048B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0048B80A
RegCloseKey.ADVAPI32(?), ref: 0048B87E
RegCloseKey.ADVAPI32(?), ref: 0048B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0048B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0048B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0048B922
FreeLibrary.KERNEL32(00000000), ref: 0048B983
RegCloseKey.ADVAPI32(00000000), ref: 0048B994

Strings

advapi32.dll, xrefs: 0048B8ED
RegDeleteKeyExW, xrefs: 0048B8FE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 75175d9ad90b8601f1d711508c6a1e4fc295dfd1eb731fceb7cbb3808139d2de
Instruction ID: dff2ae94d901b68dfbc339473ba99015738ca5bac0efe396a6ca95e9687f61ef
Opcode Fuzzy Hash: 75175d9ad90b8601f1d711508c6a1e4fc295dfd1eb731fceb7cbb3808139d2de
Instruction Fuzzy Hash: 11C16D70204201AFD710EF15C495F2ABBE5EF84318F14896EE59A5B3A2CB39EC45CBD6

Function 0048255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004825E8
CreateCompatibleDC.GDI32(?), ref: 004825F4
SelectObject.GDI32(00000000,?), ref: 00482601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0048266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004826D0
SelectObject.GDI32(?,?), ref: 004826D8
DeleteObject.GDI32(?), ref: 004826E1
DeleteDC.GDI32(?), ref: 004826E8
ReleaseDC.USER32(00000000,?), ref: 004826F3

Strings

(, xrefs: 0048268D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dbb84510cb2e8620e5f8445da91160a115fea5ee5f30ac24f67f344fa54b5bed
Instruction ID: b8a9b27da65527d2ec4fd9924957b6d7e15a17d16c08fc6de10c4135e4ddce9e
Opcode Fuzzy Hash: dbb84510cb2e8620e5f8445da91160a115fea5ee5f30ac24f67f344fa54b5bed
Instruction Fuzzy Hash: 44611475D00219EFCF04DFA4D985AAEBBB5FF48310F20852AE955A7250E374A941CFA8

Function 0043DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043DAA1

Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D659
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D66B
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D67D
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D68F
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6A1
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6B3
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6C5
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6D7
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6E9
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6FB
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D70D
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D71F
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D731

_free.LIBCMT ref: 0043DA96

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043DAB8
_free.LIBCMT ref: 0043DACD
_free.LIBCMT ref: 0043DAD8
_free.LIBCMT ref: 0043DAFA
_free.LIBCMT ref: 0043DB0D
_free.LIBCMT ref: 0043DB1B
_free.LIBCMT ref: 0043DB26
_free.LIBCMT ref: 0043DB5E
_free.LIBCMT ref: 0043DB65
_free.LIBCMT ref: 0043DB82
_free.LIBCMT ref: 0043DB9A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction ID: ffe76eae24fd8544d019f3284b9d6afa4b39dd2c00b4ff96bdf9c62132f8b44f
Opcode Fuzzy Hash: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction Fuzzy Hash: 1F315CB1A042049FEB21AA3AF945B5BB7E9FF08314F15646FE449D7291DF78AC40C728

Function 0046365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0046369C
_wcslen.LIBCMT ref: 004636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00463797
GetClassNameW.USER32(?,?,00000400), ref: 0046380C
GetDlgCtrlID.USER32(?), ref: 0046385D
GetWindowRect.USER32(?,?), ref: 00463882
GetParent.USER32(?), ref: 004638A0
ScreenToClient.USER32(00000000), ref: 004638A7
GetClassNameW.USER32(?,?,00000100), ref: 00463921
GetWindowTextW.USER32(?,?,00000400), ref: 0046395D

Strings

%s%u, xrefs: 00463734

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 10ae961581674d5cbcf1e214d19add7430943aa4d55c825e828419219232a29a
Instruction ID: 7b5c3b41c8cbfb7d3e55e91aba6d366648bd1860090b62885b86946cfe082944
Opcode Fuzzy Hash: 10ae961581674d5cbcf1e214d19add7430943aa4d55c825e828419219232a29a
Instruction Fuzzy Hash: FB91D671204246AFD714DF24C885BABF7A8FF44355F00452AF999C2290EB38EA49CB96

Function 00464954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00464994
GetWindowTextW.USER32(?,?,00000400), ref: 004649DA
_wcslen.LIBCMT ref: 004649EB
CharUpperBuffW.USER32(?,00000000), ref: 004649F7
_wcsstr.LIBVCRUNTIME ref: 00464A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00464A64
GetWindowTextW.USER32(?,?,00000400), ref: 00464A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00464AE6
GetClassNameW.USER32(?,?,00000400), ref: 00464B20
GetWindowRect.USER32(?,?), ref: 00464B8B

Strings

ThumbnailClass, xrefs: 00464A6F, 00464AF1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b0eb2cffebd71530849ad0f8d6f1fc17b2ef59f95678408b0c2633a6fa0fed5b
Instruction ID: ef2d3bd4ef7e396348df645b57022939d607c9c9aefbfeb88a630890a8734fbd
Opcode Fuzzy Hash: b0eb2cffebd71530849ad0f8d6f1fc17b2ef59f95678408b0c2633a6fa0fed5b
Instruction Fuzzy Hash: 4991BD71104205AFDF04DF14C981BAB77A8EF84714F04846BFD859A296EB38ED45CBAA

Function 00498D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00498D5A
GetFocus.USER32 ref: 00498D6A
GetDlgCtrlID.USER32(00000000), ref: 00498D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00498E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00498ECF
GetMenuItemCount.USER32(?), ref: 00498EEC
GetMenuItemID.USER32(?,00000000), ref: 00498EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00498F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00498F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00498FA1

Strings

0, xrefs: 00498E9F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a548556dfecdd577e630bc5f60a9491288d44b5af433d4468c1f17b7e3a17661
Instruction ID: f09423b894425bfc5704633e703d5dd2c6ec2960b86f90cba4647bf1a8ff03c3
Opcode Fuzzy Hash: a548556dfecdd577e630bc5f60a9491288d44b5af433d4468c1f17b7e3a17661
Instruction Fuzzy Hash: D1818D71508311ABDF10CF28C884AAB7BE9BB8A754F14053FF985D7291DB38D901CB69

Function 0046DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0046DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0046DC46
_wcslen.LIBCMT ref: 0046DC50
_wcsstr.LIBVCRUNTIME ref: 0046DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0046DCBC

Strings

\VarFileInfo\Translation, xrefs: 0046DCB4
DefaultLangCodepage, xrefs: 0046DD1F
StringFileInfo\, xrefs: 0046DC8F
%u.%u.%u.%u, xrefs: 0046DD9A
04090000, xrefs: 0046DCF2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 54a7fc2a5cf7403b4aa761db22cd1bdd8f33e5a096d1a62ba41d88387c42cdbf
Instruction ID: f3c68cda8f13d66d838053813c1b6eda17fabcab7eb42b2c4e4c77f8d6879363
Opcode Fuzzy Hash: 54a7fc2a5cf7403b4aa761db22cd1bdd8f33e5a096d1a62ba41d88387c42cdbf
Instruction Fuzzy Hash: 7341F272E402157ADB10B666AC43EBF776CDF55714F50006FF900A6182EB7CA90186BE

Function 0048CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0048CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0048CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0048CD48

Part of subcall function 0048CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0048CCAA
Part of subcall function 0048CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0048CCBD
Part of subcall function 0048CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0048CCCF
Part of subcall function 0048CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0048CD05
Part of subcall function 0048CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0048CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0048CCF3

Strings

advapi32.dll, xrefs: 0048CCB8
RegDeleteKeyExW, xrefs: 0048CCC9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: dcd9112891bd2ee60c26572573abb16304940212726aceebbe92ece07dd225c5
Instruction ID: e86a5ad9e06cbea96041afa100c71b13dc6c8b19f8e223668f847576c6ff0ca9
Opcode Fuzzy Hash: dcd9112891bd2ee60c26572573abb16304940212726aceebbe92ece07dd225c5
Instruction Fuzzy Hash: 17317E71901128BBD720AB95DCC8EFFBBBCEF15740F000576A905E3240D6389A459BB8

Function 00473D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00473D40
_wcslen.LIBCMT ref: 00473D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00473D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00473DBE
RemoveDirectoryW.KERNEL32(?), ref: 00473DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00473E55
CloseHandle.KERNEL32(00000000), ref: 00473E60
CloseHandle.KERNEL32(00000000), ref: 00473E6B

Strings

\??\%s, xrefs: 00473D5B
:, xrefs: 00473D82
\, xrefs: 00473D77

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b9d3e618e6fa3ebb9a3c5d2616e8e7b9c5a5a7138cc54e559d284f287ebab92d
Instruction ID: 45f412fbf88540b0839e6120521b8d0ed4ce0d8f7d653a8e801b687624a6f445
Opcode Fuzzy Hash: b9d3e618e6fa3ebb9a3c5d2616e8e7b9c5a5a7138cc54e559d284f287ebab92d
Instruction Fuzzy Hash: 1E319371900119ABDB209FA0DC89FEB37BCEF88705F1041B7F509D6150E77897448B28

Function 0046E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0046E6B4

Part of subcall function 0041E551: timeGetTime.WINMM(?,?,0046E6D4), ref: 0041E555

Sleep.KERNEL32(0000000A), ref: 0046E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0046E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0046E727
SetActiveWindow.USER32 ref: 0046E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0046E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0046E773
Sleep.KERNEL32(000000FA), ref: 0046E77E
IsWindow.USER32 ref: 0046E78A
EndDialog.USER32(00000000), ref: 0046E79B

Strings

BUTTON, xrefs: 0046E719

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2fa67f0e142f612aeb7d58deafcfc03ae6a8127cb1edbb26ea12d7241a330f20
Instruction ID: bb1c645b88745d441f71c4c0e3317fcc2af5ab1b42d7041e6cab7d24ff849380
Opcode Fuzzy Hash: 2fa67f0e142f612aeb7d58deafcfc03ae6a8127cb1edbb26ea12d7241a330f20
Instruction Fuzzy Hash: 13219278241200BFEB015F66EDC9A263BE9EB75349F100437F801912B1EBB59C009B2E

Function 0046E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0046EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0046EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0046EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046EAA7

Strings

play PlayMe wait, xrefs: 0046EA91
close PlayMe, xrefs: 0046EA6E, 0046EA9B
alias PlayMe, xrefs: 0046EA36
play PlayMe, xrefs: 0046EAA2
status PlayMe mode, xrefs: 0046EA58
open , xrefs: 0046EA0C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3ea94977c5d223316f1155f6eff61fa39fea3f99cf92d776db3c494c09294a11
Instruction ID: 3692b6db05fd65ba027c1393d3da603a5f1682cfd2a4fe2854ed4949e6019a26
Opcode Fuzzy Hash: 3ea94977c5d223316f1155f6eff61fa39fea3f99cf92d776db3c494c09294a11
Instruction Fuzzy Hash: 611191B9A5021979D720A7A6DD4AFFF6ABCEFD1B04F10443F7801A20D1EA780D05C5B9

Function 00465CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00465CE2
GetWindowRect.USER32(00000000,?), ref: 00465CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00465D59
GetDlgItem.USER32(?,00000002), ref: 00465D69
GetWindowRect.USER32(00000000,?), ref: 00465D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00465DCF
GetDlgItem.USER32(?,000003E9), ref: 00465DDD
GetWindowRect.USER32(00000000,?), ref: 00465DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00465E31
GetDlgItem.USER32(?,000003EA), ref: 00465E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00465E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00465E67

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d21ffe64e1f4e85eff8bb6a0b9b5b748bc87b69ad4b7a0a8e8701bd1311b54ec
Instruction ID: 1615ec01f1b767351423a91222ba3e2daaf1e3309ad538aadd29b213b8852cec
Opcode Fuzzy Hash: d21ffe64e1f4e85eff8bb6a0b9b5b748bc87b69ad4b7a0a8e8701bd1311b54ec
Instruction Fuzzy Hash: 26510D71B00605AFDF18CFA8DD89AAEBBB5FB58300F54813AF515E6290E7749E00CB65

Function 00418BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00418BE8,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418FC5

DestroyWindow.USER32(?), ref: 00418C81
KillTimer.USER32(00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00456973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 004569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 004569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000), ref: 004569D4
DeleteObject.GDI32(00000000), ref: 004569E6

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fbedbd1a7937270782ab1f8e2379ddec0a405b1dff3a68fadf911eade46e8b87
Instruction ID: 904443176f2e0c5aabccd5091ed5999ad562dca2c220c71f3dfeb9455a1b2caf
Opcode Fuzzy Hash: fbedbd1a7937270782ab1f8e2379ddec0a405b1dff3a68fadf911eade46e8b87
Instruction Fuzzy Hash: 9B618770502600EFCB219F14D958BAAB7F2FB50316F50452FE8429BA60CB39ACC5CB9D

Function 00419838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

GetSysColor.USER32(0000000F), ref: 00419862

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 62751d272673b0821f713b73e41fe23e6aa4ecf6cc85e1f49b590694757af1f2
Instruction ID: 61c94829c2f462e06b9a30ff81eafb122e759f6e81981193f23f48934df35d16
Opcode Fuzzy Hash: 62751d272673b0821f713b73e41fe23e6aa4ecf6cc85e1f49b590694757af1f2
Instruction Fuzzy Hash: 2041E731104644AFDB206F389C95BFA37A5FB16331F144627F9A2872E2D7349C86DB19

Function 00438D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.B, xrefs: 0043903A, 00438FD0, 00438FF2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: .B
API String ID: 0-829718130
Opcode ID: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction ID: ba4d2f9f1d6b6df295ecb80300e5698ac04355b15020690fa3d2e25e92e1a355
Opcode Fuzzy Hash: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction Fuzzy Hash: 69C1E274A04349AFCB159FA9D841BAEBBB0AF0D310F1450AFF414A7392C7798D41CB69

Function 004696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0044F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00469717
LoadStringW.USER32(00000000,?,0044F7F8,00000001), ref: 00469720

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0044F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00469742
LoadStringW.USER32(00000000,?,0044F7F8,00000001), ref: 00469745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00469866

Strings

Line %d:, xrefs: 004697A0
Line %d (File "%s"):, xrefs: 0046978F
Error: , xrefs: 0046981D
^ ERROR, xrefs: 004697FB
%s (%d) : ==> %s: %s %s, xrefs: 0046984A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 7b38b459b0b7ee8610b7421aa3696a694746c801a850e6032a21f670c94f97eb
Instruction ID: dc6073b0ffb8b2717a848ac97e341e3e6e2156971ee481b89b677cdd9599d0e4
Opcode Fuzzy Hash: 7b38b459b0b7ee8610b7421aa3696a694746c801a850e6032a21f670c94f97eb
Instruction Fuzzy Hash: 5A414D72800209AACB04FBE1CD82EEE777DAF14745F10403BB60172092EB796F49CB69

Function 004606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00460804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0046082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00460837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0046083C

Strings

SOFTWARE\Classes\, xrefs: 0046070E
\IPC$, xrefs: 00460784
\CLSID, xrefs: 00460724

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4f9931b86399ff3fdc48cabcab343352e6cc1c909b92cb775524740a28e2332d
Instruction ID: 456a90b4fc616be063c3ea6fd44dfdeda56d2f04aa281644d67354a3b811078f
Opcode Fuzzy Hash: 4f9931b86399ff3fdc48cabcab343352e6cc1c909b92cb775524740a28e2332d
Instruction Fuzzy Hash: DF411972910228ABCB15EFA4DC85DEEB778BF14344F14413AE901B32A1EB346E14CB94

Function 00483C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00483C5C
CoInitialize.OLE32(00000000), ref: 00483C8A
CoUninitialize.OLE32 ref: 00483C94
_wcslen.LIBCMT ref: 00483D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00483DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00483ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00483F0E
CoGetObject.OLE32(?,00000000,0049FB98,?), ref: 00483F2D
SetErrorMode.KERNEL32(00000000), ref: 00483F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00483FC4
VariantClear.OLEAUT32(?), ref: 00483FD8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1c1127b21db608e96d0d715ebe0ba67e94e3456a38ec46a9dac7e8945c95463a
Instruction ID: 12de96ae0b113bc0545e21b25557b52b4d4fd77f565ba02b6129c877210c7fcf
Opcode Fuzzy Hash: 1c1127b21db608e96d0d715ebe0ba67e94e3456a38ec46a9dac7e8945c95463a
Instruction Fuzzy Hash: 6AC157716082019FD700EF29C88492FB7E9FF88B49F00492EF98A9B251D734ED45CB96

Function 00477A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00477AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00477B8F
SHGetDesktopFolder.SHELL32(?), ref: 00477BA3
CoCreateInstance.OLE32(0049FD08,00000000,00000001,004C6E6C,?), ref: 00477BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00477C74
CoTaskMemFree.OLE32(?,?), ref: 00477CCC
SHBrowseForFolderW.SHELL32(?), ref: 00477D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00477D7A
CoTaskMemFree.OLE32(00000000), ref: 00477D81
CoTaskMemFree.OLE32(00000000), ref: 00477DD6
CoUninitialize.OLE32 ref: 00477DDC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 13083e98f3f27a85d855056a1a6163d0e2174d188d216187338b7cd683abf6d6
Instruction ID: 39bbd3678709868c1330d616e21568fed79a46750d80a3cae74fa18317dd7f80
Opcode Fuzzy Hash: 13083e98f3f27a85d855056a1a6163d0e2174d188d216187338b7cd683abf6d6
Instruction Fuzzy Hash: 5EC12C75A04109AFCB14DF64C884DAEBBF5FF48308B1484AAE91AEB361D734ED45CB94

Function 0049541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00495504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00495515
CharNextW.USER32(00000158), ref: 00495544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00495585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0049559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004955AC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d161e1ce9203be114704a4439add49d4e860955f28bb8d8851bfc5335a59baec
Instruction ID: 23b6a745198481fe7597f927e24a292adea9889f47785b6f77cf4ece44108869
Opcode Fuzzy Hash: d161e1ce9203be114704a4439add49d4e860955f28bb8d8851bfc5335a59baec
Instruction Fuzzy Hash: 5761AD71900608BBDF12DF50CC84EFF3FB9EB05720F204066F925A6291D7389A81DB69

Function 0045FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0045FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0045FB08
VariantInit.OLEAUT32(?), ref: 0045FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0045FB3A
VariantCopy.OLEAUT32(?,?), ref: 0045FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0045FBA1
VariantClear.OLEAUT32(?), ref: 0045FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0045FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045FBCC
VariantClear.OLEAUT32(?), ref: 0045FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045FBE9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d065f95d9964d003929c320fd761995a09dfa1eba26e18688a85f29929e3774e
Instruction ID: d0f5244db563a2ebb953bca7e1bf553e058448cf4b9d20363b30dd2a6705a66b
Opcode Fuzzy Hash: d065f95d9964d003929c320fd761995a09dfa1eba26e18688a85f29929e3774e
Instruction Fuzzy Hash: CD416035A00219DFCF00DF64C8949AEBBB9FF58345F00807AE915A7262DB34A949CFA5

Function 00469C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00469CA1
GetAsyncKeyState.USER32(000000A0), ref: 00469D22
GetKeyState.USER32(000000A0), ref: 00469D3D
GetAsyncKeyState.USER32(000000A1), ref: 00469D57
GetKeyState.USER32(000000A1), ref: 00469D6C
GetAsyncKeyState.USER32(00000011), ref: 00469D84
GetKeyState.USER32(00000011), ref: 00469D96
GetAsyncKeyState.USER32(00000012), ref: 00469DAE
GetKeyState.USER32(00000012), ref: 00469DC0
GetAsyncKeyState.USER32(0000005B), ref: 00469DD8
GetKeyState.USER32(0000005B), ref: 00469DEA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ece8b12a8c9c813f122cef61ccd582114eb384c29df3fea1ae8481df1bad03f0
Instruction ID: 7dc09306008a31b833f5af183839e5855d31891a0c8accca6a8bc99e28fcda2b
Opcode Fuzzy Hash: ece8b12a8c9c813f122cef61ccd582114eb384c29df3fea1ae8481df1bad03f0
Instruction Fuzzy Hash: 8E41B5345047C969FF308660C4443A7BEA86B21344F08806BD6C6567C2F7F99DC8C79B

Function 0048055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004805BC
inet_addr.WSOCK32(?), ref: 0048061C
gethostbyname.WSOCK32(?), ref: 00480628
IcmpCreateFile.IPHLPAPI ref: 00480636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004807B9
WSACleanup.WSOCK32 ref: 004807BF

Strings

Ping, xrefs: 00480676

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: aec7c0bc094edb215f7f5cf34f16d30e81e133578bda891190a24780c76f3469
Instruction ID: 5c0c681a77d667199f412a631dc81a6052911fdb817d86fd0548510bbdadaad4
Opcode Fuzzy Hash: aec7c0bc094edb215f7f5cf34f16d30e81e133578bda891190a24780c76f3469
Instruction Fuzzy Hash: 9A91A135614241AFD360EF15C489F1ABBE0EF44318F1489AAF4699B7A2C738EC49CF95

Function 00488CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00488CF3

Part of subcall function 00468E54: _wcslen.LIBCMT ref: 00468E77

_wcslen.LIBCMT ref: 00488D4E
_wcslen.LIBCMT ref: 00488D9C
_wcslen.LIBCMT ref: 00488DDC
_wcslen.LIBCMT ref: 00488E6E

Strings

winapi, xrefs: 00488D96, 00488D9B
stdcall, xrefs: 00488DD6, 00488DDB
none, xrefs: 00488E65, 00488E6A
cdecl, xrefs: 00488D48, 00488D4D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cb388e303b5336f06868d7919d8d2e66aec040e8f0d5d8257fd8325fbab22050
Instruction ID: 8212ab8b0198c01814745c1b291fcdb86e5b13909f40ebd7fc902a52f087fba3
Opcode Fuzzy Hash: cb388e303b5336f06868d7919d8d2e66aec040e8f0d5d8257fd8325fbab22050
Instruction Fuzzy Hash: 3251A431A001169BCB14EF69C9409BE73E5BF64324BA1462FE825E73C5DB39DD41C798

Function 0048372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00483774
CoUninitialize.OLE32 ref: 0048377F
CoCreateInstance.OLE32(?,00000000,00000017,0049FB78,?), ref: 004837D9
IIDFromString.OLE32(?,?), ref: 0048384C
VariantInit.OLEAUT32(?), ref: 004838E4
VariantClear.OLEAUT32(?), ref: 00483936

Strings

Invalid parameter, xrefs: 00483865
NULL Pointer assignment, xrefs: 0048381E
Failed to create object, xrefs: 004837E4, 0048389A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b9f62f697f7be44ac650460f3ee5306f382d9b7bfc26a55888d3d021032f03a4
Instruction ID: 09448163fb94b08c5125ba562485cc8212cf43027621ceee6864fd56bf278ce6
Opcode Fuzzy Hash: b9f62f697f7be44ac650460f3ee5306f382d9b7bfc26a55888d3d021032f03a4
Instruction Fuzzy Hash: B3618D70608301AFD310EF55C888B5EB7E4AF44B15F10485EF98597291D778EE49CB9A

Function 00498B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

Part of subcall function 0041912D: GetCursorPos.USER32(?), ref: 00419141
Part of subcall function 0041912D: ScreenToClient.USER32(00000000,?), ref: 0041915E
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000001), ref: 00419183
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000002), ref: 0041919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00498B6B
ImageList_EndDrag.COMCTL32 ref: 00498B71
ReleaseCapture.USER32 ref: 00498B77
SetWindowTextW.USER32(?,00000000), ref: 00498C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00498C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00498CFF

Strings

@GUI_DROPID, xrefs: 00498C51
@GUI_DRAGFILE, xrefs: 00498C9A
p#M, xrefs: 00498C71

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#M
API String ID: 1924731296-1961496832
Opcode ID: 66363bc38315f6373cc3afc5b30556ee8c41f5b15e10905d3eac083ff7f2f55f
Instruction ID: 52717fa2b95b97a14e042308ffc4897870df37abc473548e4af4715ce2610060
Opcode Fuzzy Hash: 66363bc38315f6373cc3afc5b30556ee8c41f5b15e10905d3eac083ff7f2f55f
Instruction Fuzzy Hash: D1517B71105300AFDB00EF15D8A9FAA7BE4BB85714F40063EF956672E2CB789D44CB6A

Function 00473388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004733CF

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004733F0

Strings

^ ERROR , xrefs: 0047349E
Line %d (File "%s"):, xrefs: 00473443, 0047345C
Incorrect parameters to object property !, xrefs: 004734AB
"%s" (%d) : ==> %s:, xrefs: 00473522
Error: , xrefs: 004734D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00473504

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7350e0165f010d261893c9f4803e04fb0f7d59449f32f750725959f3c8171fb2
Instruction ID: 1426893d16c5a8541d83e9fc750115f455adac83308913478daf6e2c423aeb3d
Opcode Fuzzy Hash: 7350e0165f010d261893c9f4803e04fb0f7d59449f32f750725959f3c8171fb2
Instruction Fuzzy Hash: 19518271900109BADF14EBE1CD46EEEB778AF04745F10807BB905721A2EB392F58DB69

Function 0046B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0046B5FC
_wcslen.LIBCMT ref: 0046B608
_wcslen.LIBCMT ref: 0046B64D
_wcslen.LIBCMT ref: 0046B68C
_wcslen.LIBCMT ref: 0046B6C7

Strings

KEYS, xrefs: 0046B647, 0046B64C
APPEND, xrefs: 0046B6C1, 0046B6C6
REMOVE, xrefs: 0046B602, 0046B607
EXISTS, xrefs: 0046B686, 0046B68B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e1c4ef30d4339e6e2b65e40461cf0db23954e06adbf37201190a46b47bcb9e52
Instruction ID: 16ff66291ae7142d824ee3a28711f6f5a2cfdd0b8d46551da25f226ae2d73451
Opcode Fuzzy Hash: e1c4ef30d4339e6e2b65e40461cf0db23954e06adbf37201190a46b47bcb9e52
Instruction Fuzzy Hash: 4B41F432A011269ACB206F7DC8905BF77A5EBA0758B25412BE421DB384F739CDC2C7D6

Function 00475393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00475416
GetLastError.KERNEL32 ref: 00475420
SetErrorMode.KERNEL32(00000000,READY), ref: 004754A7

Strings

NOTREADY, xrefs: 0047544B
READY, xrefs: 00475460, 00475468
UNKNOWN, xrefs: 00475444
INVALID, xrefs: 00475459
READONLY, xrefs: 00475452

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 729518a6c0cfb7bbb2194ed8628378fe14ba429d7a222be60e312a83549b7c57
Instruction ID: c84e953c2e58dff2a5b5b0cc672f699c00e7d82dfc9b0f9726610f43d7423484
Opcode Fuzzy Hash: 729518a6c0cfb7bbb2194ed8628378fe14ba429d7a222be60e312a83549b7c57
Instruction Fuzzy Hash: 7F318D35A005049FDB10DF68C484BEA7BA4EB45309F14C06BE40ADF392DBB9DD82CB99

Function 00493C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00493C79
SetMenu.USER32(?,00000000), ref: 00493C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00493D10
IsMenu.USER32(?), ref: 00493D24
CreatePopupMenu.USER32 ref: 00493D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00493D5B
DrawMenuBar.USER32 ref: 00493D63

Strings

0, xrefs: 00493C54
F, xrefs: 00493D4E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b2a60e14e018d663fa55a81db5ff368922ac4faeb82bc60f9e85116724bebc83
Instruction ID: b91e1e235a1bc7a01833517849901071aef4b11d4c4293359304a87f4873cbf2
Opcode Fuzzy Hash: b2a60e14e018d663fa55a81db5ff368922ac4faeb82bc60f9e85116724bebc83
Instruction Fuzzy Hash: 73416CB5A01209EFDF14CFA4D894AAA7BB5FF4A351F14013AE94697360D734AA10CB58

Function 00461EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00461F64
GetDlgCtrlID.USER32 ref: 00461F6F
GetParent.USER32 ref: 00461F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00461F8E
GetDlgCtrlID.USER32(?), ref: 00461F97
GetParent.USER32(?), ref: 00461FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00461FAE

Strings

ComboBox, xrefs: 00461EEC
ListBox, xrefs: 00461F21

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1f9e163d14afb0373389c25db223cd53a6081419f849d3d1174c00c593644fe3
Instruction ID: 0dd91278775af8b3cc8cf0b0e89737a16df73437ee93013ff8dfb771edf50867
Opcode Fuzzy Hash: 1f9e163d14afb0373389c25db223cd53a6081419f849d3d1174c00c593644fe3
Instruction Fuzzy Hash: 4421B075900214BBCF04AFA0CC85EEEBBB8AF15354F10412BB961672E1EB395D14DB69

Function 00493A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00493A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00493AA0
GetWindowLongW.USER32(?,000000F0), ref: 00493AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00493AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00493B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00493BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00493BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00493BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00493BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00493C13

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 863a9386dd68544a25b4dbb1b0d7cc861b13c881a53a64f4b53dda24079983d3
Instruction ID: ade6b4bc2faa9311db67ada8b044e63368f6cba9b4a03933416f70eda9a3338b
Opcode Fuzzy Hash: 863a9386dd68544a25b4dbb1b0d7cc861b13c881a53a64f4b53dda24079983d3
Instruction Fuzzy Hash: 7E615D75900248AFDB10DFA4CC81EEE7BB8EB09704F1041AAFA15A73A2D774AE45DB54

Function 0046B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B165
GetWindowThreadProcessId.USER32(00000000), ref: 0046B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B21D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 382b209a2cba78ddf8e41334d2b6ba1cf6c3b081d995b84236608703fe32d354
Instruction ID: f6a348beda4ffe143d5e590981e048a75270d40ba3837d0816f26ad695a91573
Opcode Fuzzy Hash: 382b209a2cba78ddf8e41334d2b6ba1cf6c3b081d995b84236608703fe32d354
Instruction Fuzzy Hash: 57318271640204BFDB119F64DC98BAE7BA9EB51356F104037FA01D6250E7789D818FAE

Function 00432C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00432C94

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 00432CA0
_free.LIBCMT ref: 00432CAB
_free.LIBCMT ref: 00432CB6
_free.LIBCMT ref: 00432CC1
_free.LIBCMT ref: 00432CCC
_free.LIBCMT ref: 00432CD7
_free.LIBCMT ref: 00432CE2
_free.LIBCMT ref: 00432CED
_free.LIBCMT ref: 00432CFB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction ID: 3051c53e0822a8872d8489ac48bb26e9ebb0418146d7d3ac8d6911c10ac1cf4c
Opcode Fuzzy Hash: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction Fuzzy Hash: F9112BB6200018BFCB02EF55EA42DDD3BA5FF09344F4050AAFA485F232D675EE509B94

Function 00477DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00477FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00477FC1
GetFileAttributesW.KERNEL32(?), ref: 00477FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00478005
SetCurrentDirectoryW.KERNEL32(?), ref: 00478017
SetCurrentDirectoryW.KERNEL32(?), ref: 00478060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004780B0

Strings

*.*, xrefs: 00478066

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e2632cf25a4a04b5459b564d5657a8cbc1fbdebf3028a085b464e5827df0e355
Instruction ID: f17111f886a93f156c7a5dfedb575d05050563c8ad9ae53df24e0d901dfba1dd
Opcode Fuzzy Hash: e2632cf25a4a04b5459b564d5657a8cbc1fbdebf3028a085b464e5827df0e355
Instruction Fuzzy Hash: 178181715082419BDB20DF15C8849AFB3D8AF85314F948C6FF889D7250EB78DD458B9A

Function 00405BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00405C7A

Part of subcall function 00405D0A: GetClientRect.USER32(?,?), ref: 00405D30
Part of subcall function 00405D0A: GetWindowRect.USER32(?,?), ref: 00405D71
Part of subcall function 00405D0A: ScreenToClient.USER32(?,?), ref: 00405D99

GetDC.USER32 ref: 004446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00444708
SelectObject.GDI32(00000000,00000000), ref: 00444716
SelectObject.GDI32(00000000,00000000), ref: 0044472B
ReleaseDC.USER32(?,00000000), ref: 00444733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004447C4

Strings

U, xrefs: 00444693

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fc88bf487012d287045aa7dbc4333abd7d516997430eb8e6c17b957814580e93
Instruction ID: 18c0316b4590178f6e3925bbe4dbfa53a0d9920bccc32b03521c8a94a4d491fc
Opcode Fuzzy Hash: fc88bf487012d287045aa7dbc4333abd7d516997430eb8e6c17b957814580e93
Instruction Fuzzy Hash: 8171E030400205DFEF218F64C984ABB7BB1FF86324F14427BED556A2A6C7389842DF69

Function 0047359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004735E4

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

LoadStringW.USER32(004D2390,?,00000FFF,?), ref: 0047360A

Strings

Line %d (File "%s"):, xrefs: 0047366B
"%s" (%d) : ==> %s:, xrefs: 00473742
Error: , xrefs: 004736EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00473724
^ ERROR, xrefs: 004736C9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: eb896b8e2b1799887fce0511e1a89e17cc79fd2e457b7826d85e33af4f969589
Instruction ID: 1ab214c128badca45ff07410e642431328e0b3a6551c87b6a7327aa8e2f1ad17
Opcode Fuzzy Hash: eb896b8e2b1799887fce0511e1a89e17cc79fd2e457b7826d85e33af4f969589
Instruction Fuzzy Hash: 67517371800209BADF14EFA1CC42EEEBB79AF04745F14813BF505721A2EB391A99DF59

Function 0047C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0047C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0047C2CA
GetLastError.KERNEL32 ref: 0047C322
SetEvent.KERNEL32(?), ref: 0047C336
InternetCloseHandle.WININET(00000000), ref: 0047C341

Strings

, xrefs: 0047C2BB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2ae87fead1b28522ffa763f2cfc4779ca44399286855b199adfd1e371db4c569
Instruction ID: 7f47d04d608913b586c8f08289edd0458440cd40b92be60ebc4de0d4a00b3483
Opcode Fuzzy Hash: 2ae87fead1b28522ffa763f2cfc4779ca44399286855b199adfd1e371db4c569
Instruction Fuzzy Hash: 14317171500604AFD7219FA58CC4AAB7BFCEB59744B10C52FF84A92201DB38DD059BA9

Function 0046989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00443AAF,?,?,Bad directive syntax error,0049CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004698BC
LoadStringW.USER32(00000000,?,00443AAF,?), ref: 004698C3

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00469987

Strings

Line %d:, xrefs: 00469912
Line %d (File "%s"):, xrefs: 0046992D
Error: , xrefs: 00469955
%s (%d) : ==> %s.: %s %s, xrefs: 004698F1
., xrefs: 0046996D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 35c814936f1dd32bc15b5df856404db4fb2140b47f2021faa70e6393b4990be8
Instruction ID: 551ec2a85a5fe91f92dce7e2b3b89b7bc3e306fd30fdb11d4db69dc2ba035c50
Opcode Fuzzy Hash: 35c814936f1dd32bc15b5df856404db4fb2140b47f2021faa70e6393b4990be8
Instruction Fuzzy Hash: 2321913181021AABCF15AF90CC46FEE7739BF14705F04446FF915710A2EB79AA28DB19

Function 0046209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0046214D

Strings

SHELLDLL_DefView, xrefs: 004620CC
list, xrefs: 0046212F
largeicons, xrefs: 004620E1
smallicons, xrefs: 00462115
details, xrefs: 004620FB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 8c65e68c5093e92e7d410f0c47d842fd6cd50d60c2769177c48d3f94328cf3cb
Instruction ID: 92216a087c2b3a214069876dba0e85c20e3b9e2fc58689a3b3ad7a817c6cf774
Opcode Fuzzy Hash: 8c65e68c5093e92e7d410f0c47d842fd6cd50d60c2769177c48d3f94328cf3cb
Instruction Fuzzy Hash: 3D11E77A788B17B9F6016621AC06EEB779CDB16324B20002BFB04A51D1FEAD7C42551E

Function 0043CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0043CEB7
_free.LIBCMT ref: 0043CF22
_free.LIBCMT ref: 0043CF48
_free.LIBCMT ref: 0043CF71
_free.LIBCMT ref: 0043CFA9
_free.LIBCMT ref: 0043CFDA
_free.LIBCMT ref: 0043D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0043D09C
_free.LIBCMT ref: 0043D0B5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 755353a0899066e8f4f07fb7a531df8e2d90b31389a803dea094346c2faad477
Instruction ID: 05b1af434bcca4c45db1c3e2a8b3b367b08b06696651023259944f127f524509
Opcode Fuzzy Hash: 755353a0899066e8f4f07fb7a531df8e2d90b31389a803dea094346c2faad477
Instruction Fuzzy Hash: 9C6136B1A04310AFDB25AFB5A881B6A7BA5EF0D318F14516FF900A7381D63A9901C79C

Function 00418B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00456890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00418874,00000000,00000000,00000000,000000FF,00000000), ref: 00456901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0045691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00418874,00000000,00000000,00000000,000000FF,00000000), ref: 0045692D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d63c51336c4034a1745d8c490dd669fa66d818d99361f70e4bdf35798142b978
Instruction ID: 5ced514379628bb0f67f0973741f5ab2a5dfa9bdd961912c2b7f256765f21f3b
Opcode Fuzzy Hash: d63c51336c4034a1745d8c490dd669fa66d818d99361f70e4bdf35798142b978
Instruction Fuzzy Hash: 60518CB0600209EFDB20DF25CC91BAA7BB5FF54350F10452EF906972A0DB78E991DB58

Function 0047C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0047C182
GetLastError.KERNEL32 ref: 0047C195
SetEvent.KERNEL32(?), ref: 0047C1A9

Part of subcall function 0047C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047C272
Part of subcall function 0047C253: GetLastError.KERNEL32 ref: 0047C322
Part of subcall function 0047C253: SetEvent.KERNEL32(?), ref: 0047C336
Part of subcall function 0047C253: InternetCloseHandle.WININET(00000000), ref: 0047C341

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 05408d45139247b7bcb9b0ab34475d6da33b465ea748379226b62031ee06977d
Instruction ID: ad223e64a256ba6d622a408250f1e533b8ca103c90cb607afc9d9c604c5bfcdd
Opcode Fuzzy Hash: 05408d45139247b7bcb9b0ab34475d6da33b465ea748379226b62031ee06977d
Instruction Fuzzy Hash: 3931A171900601AFDB219FA5DD84AA7BBF9FF28300B00847FF95A82611C734E8109FA8

Function 004625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00462601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00462605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0046260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00462623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00462627

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2f4d1fdb8c17c331799828f8887b12a5bf7f082a9617624e6a7c48990999124f
Instruction ID: 659e0465d2e936b2535ace8495fd7f55644899dc4765ae7d9b52ae139348cc60
Opcode Fuzzy Hash: 2f4d1fdb8c17c331799828f8887b12a5bf7f082a9617624e6a7c48990999124f
Instruction Fuzzy Hash: 5E01B530290610BBFB1067699CCAF593E59DF9AB52F100026F314AE0D1C9E11444DA6E

Function 00461803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00461449,?,?,00000000), ref: 0046180C
HeapAlloc.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 00461813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00461449,?,?,00000000), ref: 00461828
GetCurrentProcess.KERNEL32(?,00000000,?,00461449,?,?,00000000), ref: 00461830
DuplicateHandle.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 00461833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00461449,?,?,00000000), ref: 00461843
GetCurrentProcess.KERNEL32(00461449,00000000,?,00461449,?,?,00000000), ref: 0046184B
DuplicateHandle.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 0046184E
CreateThread.KERNEL32(00000000,00000000,00461874,00000000,00000000,00000000), ref: 00461868

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3295afeee8cc8c7093bf6fe07bd8220d614ae4baa1aa8168f6bf151d454cb0f3
Instruction ID: b364dd57c3a3bf7db4e02ab8b84294dee306902c98affd7dc5dc9744fb0d4595
Opcode Fuzzy Hash: 3295afeee8cc8c7093bf6fe07bd8220d614ae4baa1aa8168f6bf151d454cb0f3
Instruction Fuzzy Hash: 3101AC75240304BFE610AB65DD8AF5B3B6CEB99B11F404422FA05DB1A1D6749C008F38

Function 00433E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00433F0B
__alldvrm.LIBCMT ref: 0043410C
__alldvrm.LIBCMT ref: 0043412E

Strings

}}B, xrefs: 00433E96, 00433EF1, 00433F0A, 00434090
}}B, xrefs: 00433E8A
}}B, xrefs: 004340CD

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}B$}}B$}}B
API String ID: 1036877536-3117721517
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: d4f79936405fa228530589165a8ec21e20da15dfb5630b7fb9a056e36bf5573a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 52A15571E006869FEB15CE28C8817EEBBF4EFA9354F14416FE5859B381C23CA981C758

Function 0048A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0046D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0046D501
Part of subcall function 0046D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0046D50F
Part of subcall function 0046D4DC: CloseHandle.KERNELBASE(00000000), ref: 0046D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048A16D
GetLastError.KERNEL32 ref: 0048A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0048A268
GetLastError.KERNEL32(00000000), ref: 0048A273
CloseHandle.KERNEL32(00000000), ref: 0048A2C4

Strings

SeDebugPrivilege, xrefs: 0048A18F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 47beaf57a111b981b3628154a75d87660bfecf9ccf399f4463967c259a89e05a
Instruction ID: bbae0825d9504e816833fa2aec840b687267c384c8e474c3100c895eea3b3aa3
Opcode Fuzzy Hash: 47beaf57a111b981b3628154a75d87660bfecf9ccf399f4463967c259a89e05a
Instruction Fuzzy Hash: C96180702042429FE720EF15C4D4F1ABBE1AF54318F18849EE4564B7A3C7BAEC55CB9A

Function 00493886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00493925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0049393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00493954
_wcslen.LIBCMT ref: 00493999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004939F4

Strings

SysListView32, xrefs: 004938F7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 3ecd89782b7b5123188dbc6cfaf20b30c3abe0ff2b40ad5abd01ade34b70e5ea
Instruction ID: 013bb0722e0a1e7de6f290400708e6d2b920f730889d4b40bdacc0df7213a591
Opcode Fuzzy Hash: 3ecd89782b7b5123188dbc6cfaf20b30c3abe0ff2b40ad5abd01ade34b70e5ea
Instruction Fuzzy Hash: 1B419271A00218ABDF21DF64CC45FEA7BA9EB09354F10053BF954A7291D7799D808B98

Function 0046BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0046BCFD
IsMenu.USER32(00000000), ref: 0046BD1D
CreatePopupMenu.USER32 ref: 0046BD53
GetMenuItemCount.USER32(01625D80), ref: 0046BDA4
InsertMenuItemW.USER32(01625D80,?,00000001,00000030), ref: 0046BDCC

Strings

0, xrefs: 0046BCA8
2, xrefs: 0046BD37

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fc23f78126ae8f3c17f335ed2ee0a4bbf63056aa4ee57b4678f8e2eb18c6fe53
Instruction ID: d2fe6743287e205c4ec621a8d721353cc11330f79cd585bc8e40e3a4eb8813f7
Opcode Fuzzy Hash: fc23f78126ae8f3c17f335ed2ee0a4bbf63056aa4ee57b4678f8e2eb18c6fe53
Instruction Fuzzy Hash: 7151C070600205ABDB11CFA9C8C4BAEBBF9EF45314F14412BE441DB291E7789981CB9B

Function 00422D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00422D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00422D53
_ValidateLocalCookies.LIBCMT ref: 00422DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00422E0C
_ValidateLocalCookies.LIBCMT ref: 00422E61

Strings

csm, xrefs: 00422DF6
&HB, xrefs: 00422DFE, 00422E07, 00422E18

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HB$csm
API String ID: 1170836740-430194703
Opcode ID: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction ID: 4818aa0c625e2817a00b2cc851399fe9171d4dad415be29509831b30a559dab0
Opcode Fuzzy Hash: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction Fuzzy Hash: CE41F734F00228ABCF10DF69D944A9FBBB0BF45328F94815BE8145B352D7799A01CB94

Function 0046C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0046C913

Strings

question, xrefs: 0046C8CC
warning, xrefs: 0046C8FC
blank, xrefs: 0046C895
info, xrefs: 0046C8B4
stop, xrefs: 0046C8E4

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2f3f6c772facaa6c2e88fc6b5b5e819e8bf7cb92eb527ae9d8b990f435669e35
Instruction ID: bb0d5d1ca0b7b7549bd628b7d457241fa207a64defe98c7702ddfa90c16ab9c0
Opcode Fuzzy Hash: 2f3f6c772facaa6c2e88fc6b5b5e819e8bf7cb92eb527ae9d8b990f435669e35
Instruction Fuzzy Hash: CA115B75789306BAA704AB10ACC2EBB239CCF15318B60003FF444A6282FB7C5D0052AE

Function 0046DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0046DE42
gethostname.WSOCK32(?,00000100), ref: 0046DE5C
gethostbyname.WSOCK32(?), ref: 0046DE69
inet_ntoa.WSOCK32(?), ref: 0046DEAB
_strcat.LIBCMT ref: 0046DEB9
WSACleanup.WSOCK32 ref: 0046DEDE

Strings

0.0.0.0, xrefs: 0046DE87

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2575356e62f04a6d3325fde72b4d33f533d81d024e5d9de172d66786af207b51
Instruction ID: de7f6c5794e40f3c7e71735b481e7426588519f9a6c5149991fef5076e9e7c04
Opcode Fuzzy Hash: 2575356e62f04a6d3325fde72b4d33f533d81d024e5d9de172d66786af207b51
Instruction Fuzzy Hash: 79112771E04115AFCB20AB71DC4AEDF77ACDF20715F0001BBF10596091FFB98A818AA9

Function 0046ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046ED2A
_wcslen.LIBCMT ref: 0046ED3B
_wcslen.LIBCMT ref: 0046ED79
_wcslen.LIBCMT ref: 0046EDAF
_wcslen.LIBCMT ref: 0046EDDF
_wcslen.LIBCMT ref: 0046EDEF
_wcslen.LIBCMT ref: 0046EE2B
_wcslen.LIBCMT ref: 0046EE5A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a420661d227a2c7768e02056e3bc6b955d7d94d0c3ec397bd8422308fd40afbd
Instruction ID: 4f8958e37ec1e81abdee0eef7bf6fc4addebcbdb16e8410d4e2bf860027f3b8a
Opcode Fuzzy Hash: a420661d227a2c7768e02056e3bc6b955d7d94d0c3ec397bd8422308fd40afbd
Instruction Fuzzy Hash: 9241A465D10128B5CB11EBB6D88A9CF77A8AF45310F904467E514E3161FB38E245C3AE

Function 0041F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0041F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0045F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0045F454

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4097de2063e2d903274c254244b3b6af1c99affe0ef641e9fa623c96fc32751a
Instruction ID: 10a6b06008afa1e2328434a854a09bd47367bc282bad862656ef31b7fbd0d56e
Opcode Fuzzy Hash: 4097de2063e2d903274c254244b3b6af1c99affe0ef641e9fa623c96fc32751a
Instruction Fuzzy Hash: 4D415FB0118640BAD734AB29C8887AB7B916B56325F58443FE44752761C63D98CFCB1E

Function 00492D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00492D1B
GetDC.USER32(00000000), ref: 00492D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492D2E
ReleaseDC.USER32(00000000,00000000), ref: 00492D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00492D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00492D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00495A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00492DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00492DE1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 40775b777a9ed974af0fa6005f63a35fd003ccd795d9b9edb304a55b101f72ec
Instruction ID: c014384b98ff002bb39f8f228335d4e310598615e16fec949adeca6e26dd830f
Opcode Fuzzy Hash: 40775b777a9ed974af0fa6005f63a35fd003ccd795d9b9edb304a55b101f72ec
Instruction Fuzzy Hash: 4F316B72201214BBEF118F508C8AFEB3FA9EB19755F044076FE089A291C6B59C51CBA8

Function 00465622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00465637
_memcmp.LIBVCRUNTIME ref: 00465659
_memcmp.LIBVCRUNTIME ref: 00465671
_memcmp.LIBVCRUNTIME ref: 00465684
_memcmp.LIBVCRUNTIME ref: 0046569E
_memcmp.LIBVCRUNTIME ref: 004656B1
_memcmp.LIBVCRUNTIME ref: 004656C9
_memcmp.LIBVCRUNTIME ref: 004656E4

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction ID: e0219283109e526c755bfb0067b1299e64ae9441197aa3b019e1f6381a1da279
Opcode Fuzzy Hash: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction Fuzzy Hash: 2D219561740A197BE6149521DD82FBB235DAE20399F944037FD089AA81F72CED25C1AF

Function 00484FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00485007
NULL Pointer assignment, xrefs: 0048502E, 00485383

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1dd6b785a94d751ae132f4f50d1053b712e45ba9dd0dd80032dcac1f8843cd12
Instruction ID: 1bf2488d1df435c699735f151444ac7b81e52084c40feb6cc3c7295a9c6c286a
Opcode Fuzzy Hash: 1dd6b785a94d751ae132f4f50d1053b712e45ba9dd0dd80032dcac1f8843cd12
Instruction Fuzzy Hash: DED1D375A0060A9FDF10EFA8C884BAEB7B5BF48344F14886AE915EB380E774DD45CB54

Function 00441522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00441651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004417FB,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004416FB

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00441777
__freea.LIBCMT ref: 004417A2
__freea.LIBCMT ref: 004417AE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0580935182319acf0986065053460dd0c5db5f7d2393057fb5d76a01597ff8fa
Instruction ID: 61043d0715f82f9c83f994bef9256619e617f3eba19e56cad677481ceaf8c2f0
Opcode Fuzzy Hash: 0580935182319acf0986065053460dd0c5db5f7d2393057fb5d76a01597ff8fa
Instruction Fuzzy Hash: 8891B271E00216ABEB208E64C881EEF7BF59F49354F18466BE805E7261D73DDC81CB68

Function 00484523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00484648
VariantInit.OLEAUT32(?), ref: 00484749
VariantClear.OLEAUT32(?), ref: 00484753
VariantClear.OLEAUT32(?), ref: 004847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0048472C
Null Object assignment in FOR..IN loop, xrefs: 004845D8, 00484706, 004847BE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2f5a253ed7afbd328ed27235bbd26d4c6004a6ff421e973a92f5075da3e51124
Instruction ID: 302d8e85ba75092837d4fbd64c786191f5a26cbf20250f77e8306e51f43bb105
Opcode Fuzzy Hash: 2f5a253ed7afbd328ed27235bbd26d4c6004a6ff421e973a92f5075da3e51124
Instruction Fuzzy Hash: 9E917371A00216AFDF20DFA5C844FAF7BB8EF85714F10895AF505AB280D7789945CFA8

Function 00471187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0047125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00471284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0047135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00471430

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 35628b035f0533521ca5ec4bd4609e2e55e217eb453ec8d8913057ff8cdfb5aa
Instruction ID: eeb8a1cab3dcaf25cce9ef12d76c697ee4238524dd65f2955dc5ebd01ffaeda3
Opcode Fuzzy Hash: 35628b035f0533521ca5ec4bd4609e2e55e217eb453ec8d8913057ff8cdfb5aa
Instruction Fuzzy Hash: EE91F471A00218AFDB10DF99C884BFE77B5FF45314F14806BE905E72A2D778A941CB99

Function 0041948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4f211f78bc30ad95b27f5cb4d7f60e07ad57b5bd2944a6bdef5f2fc8962bcbbb
Instruction ID: 5e354bf8666d2df3c288563dc956d0438b18d1603999bdd2ec6b7625199c5dc1
Opcode Fuzzy Hash: 4f211f78bc30ad95b27f5cb4d7f60e07ad57b5bd2944a6bdef5f2fc8962bcbbb
Instruction Fuzzy Hash: BB911771904219EFCB10CFA9C884AEEBBB9FF49320F14455AE915B7251D378AD82CB64

Function 00483947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0048396B
CharUpperBuffW.USER32(?,?), ref: 00483A7A
_wcslen.LIBCMT ref: 00483A8A
VariantClear.OLEAUT32(?), ref: 00483C1F

Part of subcall function 00470CDF: VariantInit.OLEAUT32(00000000), ref: 00470D1F
Part of subcall function 00470CDF: VariantCopy.OLEAUT32(?,?), ref: 00470D28
Part of subcall function 00470CDF: VariantClear.OLEAUT32(?), ref: 00470D34

Strings

AUTOIT.ERROR, xrefs: 00483A80, 00483A85
Incorrect Parameter format, xrefs: 004839A6, 00483BA1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 21d3f17ece327e167f2df84096f59f4efb926c703a991a9f835ab7405f023f6a
Instruction ID: 5ee05177af821d28c0339942000487e4f738c6e6fb7a355de418583010d04a9f
Opcode Fuzzy Hash: 21d3f17ece327e167f2df84096f59f4efb926c703a991a9f835ab7405f023f6a
Instruction Fuzzy Hash: E89149756083059FC704EF25C48096EB7E4BF88719F14886EF88997351DB38EE46CB96

Function 00484BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0046000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?,?,0046035E), ref: 0046002B
Part of subcall function 0046000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460046
Part of subcall function 0046000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460054
Part of subcall function 0046000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?), ref: 00460064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00484C51
_wcslen.LIBCMT ref: 00484D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00484DCF
CoTaskMemFree.OLE32(?), ref: 00484DDA

Strings

NULL Pointer assignment, xrefs: 00484E23, 00484E52

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 805fa7f04c465343740e9c92e99c2b8ea71e5eb3428725b1344ec4acb19ea1be
Instruction ID: 34672b3efb296b58192750c7ded87718e57233607254ae5501f83e8b5ffc5208
Opcode Fuzzy Hash: 805fa7f04c465343740e9c92e99c2b8ea71e5eb3428725b1344ec4acb19ea1be
Instruction Fuzzy Hash: 6D912871D00219AFDF10EFA5D880AEEB7B8BF48304F10856AE915B7281EB385A45CF64

Function 004920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00492183
GetMenuItemCount.USER32(00000000), ref: 004921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004921DD
_wcslen.LIBCMT ref: 00492213
GetMenuItemID.USER32(?,?), ref: 0049224D
GetSubMenu.USER32(?,?), ref: 0049225B

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004922E3

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a81211cffdecb3cedb69528b8b2a18e591a0c536b84e89ef436f552fcffcb17d
Instruction ID: 1805a0cc69fbbb964e15b8a736a655253a014d7244d3b62ceb63d91bf63e25d0
Opcode Fuzzy Hash: a81211cffdecb3cedb69528b8b2a18e591a0c536b84e89ef436f552fcffcb17d
Instruction Fuzzy Hash: 2A719075A00215AFCF10DF65C981AAEBBF1EF48314F1484BAE816EB341D778ED418B95

Function 00497E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01625F88), ref: 00497F37
IsWindowEnabled.USER32(01625F88), ref: 00497F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0049801E
SendMessageW.USER32(01625F88,000000B0,?,?), ref: 00498051
IsDlgButtonChecked.USER32(?,?), ref: 00498089
GetWindowLongW.USER32(01625F88,000000EC), ref: 004980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004980C3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a49589ca247ba96b3ab79df58438fe25222ac42e14119a3df3da268823f3b911
Instruction ID: 379461f3a827057e8c87d08a3640b6f5c72e84a650abbc36f8b098bf4028ecfa
Opcode Fuzzy Hash: a49589ca247ba96b3ab79df58438fe25222ac42e14119a3df3da268823f3b911
Instruction Fuzzy Hash: 95717A34648204AFEF219F64C894FAB7FB5EF1A300F14407BE945A7365CB39A845CB28

Function 0046AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0046AEF9
GetKeyboardState.USER32(?), ref: 0046AF0E
SetKeyboardState.USER32(?), ref: 0046AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0046AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0046AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0046B020

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8ba9329f5e92e9aafe7d6210d21796c70848bd923dbcc46e916c1a158f3e09e2
Instruction ID: 9924b26ac272194e3fc2510f454a83dab54fe79ae351ef58dbb63b9bc59f5407
Opcode Fuzzy Hash: 8ba9329f5e92e9aafe7d6210d21796c70848bd923dbcc46e916c1a158f3e09e2
Instruction Fuzzy Hash: 7B51C3A0A047D53DFB3682348845BBB7EE99B06304F08848AE1D5955C3E3ADACD4D79B

Function 0046ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0046AD19
GetKeyboardState.USER32(?), ref: 0046AD2E
SetKeyboardState.USER32(?), ref: 0046AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0046ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0046ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0046AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0046AE38

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a843fa4b37df1311c615547b8d4ddbcfaa844942cebff1219c35041fbe4f6eb7
Instruction ID: e772fa98876e3abb59c89613fc69063f5804bceb421966d291ff7e32e81c25bc
Opcode Fuzzy Hash: a843fa4b37df1311c615547b8d4ddbcfaa844942cebff1219c35041fbe4f6eb7
Instruction Fuzzy Hash: EF5108A0644BD13DFB328334CC95B7B7ED95B05300F08848AE1D5659C2E399ECA4DB5B

Function 0043542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00443CD6,?,?,?,?,?,?,?,?,00435BA3,?,?,00443CD6,?,?), ref: 00435470
__fassign.LIBCMT ref: 004354EB
__fassign.LIBCMT ref: 00435506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00443CD6,00000005,00000000,00000000), ref: 0043552C
WriteFile.KERNEL32(?,00443CD6,00000000,00435BA3,00000000,?,?,?,?,?,?,?,?,?,00435BA3,?), ref: 0043554B
WriteFile.KERNEL32(?,?,00000001,00435BA3,00000000,?,?,?,?,?,?,?,?,?,00435BA3,?), ref: 00435584

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7850a60d81c923c6729269c404aade9b900cc1d094dee1c2b49cd7d090460185
Instruction ID: 03b2d8e156cb616675dc9e509242e86edbd9154058664cc16284d0fe897106b2
Opcode Fuzzy Hash: 7850a60d81c923c6729269c404aade9b900cc1d094dee1c2b49cd7d090460185
Instruction Fuzzy Hash: 4A51C570900649AFDB10CFA8D885AEEBBF9EF0D300F14552BF955E7291D734AA41CB68

Function 004810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0048307A
Part of subcall function 0048304E: _wcslen.LIBCMT ref: 0048309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00481112
WSAGetLastError.WSOCK32 ref: 00481121
WSAGetLastError.WSOCK32 ref: 004811C9
closesocket.WSOCK32(00000000), ref: 004811F9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: dbd23f55031ac0a013bbd3399b20094ebf9ac1a4033711b01e9060edf7a4063a
Instruction ID: 705474394c914199550c23bc0cacf20d47ff7b262d5d4d6d2dda95f8d1e63c40
Opcode Fuzzy Hash: dbd23f55031ac0a013bbd3399b20094ebf9ac1a4033711b01e9060edf7a4063a
Instruction Fuzzy Hash: 4241C831600104AFD710AF54C888BAEB7E9EF45358F14856BF9159B2E1C778AD42CBE9

Function 0046CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0046CF22,?), ref: 0046DDFD

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0046CF22,?), ref: 0046DE16

lstrcmpiW.KERNEL32(?,?), ref: 0046CF45
MoveFileW.KERNEL32(?,?), ref: 0046CF7F
_wcslen.LIBCMT ref: 0046D005
_wcslen.LIBCMT ref: 0046D01B
SHFileOperationW.SHELL32(?), ref: 0046D061

Strings

\*.*, xrefs: 0046CFF3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 46f710d8293719b9c6cfa25800096bd3e801fa08a52bb9c5e2e18d91c6c6bf5f
Instruction ID: 30fb1ba172d36164f734a964d5767b00f9f23bd7893fd7b2338ade8b969c747b
Opcode Fuzzy Hash: 46f710d8293719b9c6cfa25800096bd3e801fa08a52bb9c5e2e18d91c6c6bf5f
Instruction Fuzzy Hash: 7F416771D051189FDF16EBA5D981AEEB7B8AF08384F0000EBE545E7141FA38A684CB59

Function 00492DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00492E1C
GetWindowLongW.USER32(?,000000F0), ref: 00492E4F
GetWindowLongW.USER32(?,000000F0), ref: 00492E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00492EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00492EE0
GetWindowLongW.USER32(?,000000F0), ref: 00492EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00492F0B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fe423517453c25fbcdae921af8a04fbdf3df099c7ed61434985df7eec3b91bed
Instruction ID: 89252755f0c39dde2eed47c772f1032802557b1e9df75e8823ace49cd181d258
Opcode Fuzzy Hash: fe423517453c25fbcdae921af8a04fbdf3df099c7ed61434985df7eec3b91bed
Instruction Fuzzy Hash: AF310035605250AFEF21CF18DED4F663BA0EB9A710F1501B6F9048B2B2CBA5AC40DB59

Function 00467726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0046778F
SysAllocString.OLEAUT32(00000000), ref: 00467792
SysAllocString.OLEAUT32(?), ref: 004677B0
SysFreeString.OLEAUT32(?), ref: 004677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004677DE
SysAllocString.OLEAUT32(?), ref: 004677EC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8ff8a8e6e55164318c5c61c68511028e9c7aee387c5f73d217abd54dec319d23
Instruction ID: 1347edb73164e8fdaf58e89a1e73af5f76d8f2b3629143057cc2d6e93ba64612
Opcode Fuzzy Hash: 8ff8a8e6e55164318c5c61c68511028e9c7aee387c5f73d217abd54dec319d23
Instruction Fuzzy Hash: 1121C476604219AFDF10DFA8CD88CBB77ACEB093697048037F904DB250E678EC418B69

Function 004677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467868
SysAllocString.OLEAUT32(00000000), ref: 0046786B
SysAllocString.OLEAUT32 ref: 0046788C
SysFreeString.OLEAUT32 ref: 00467895
StringFromGUID2.OLE32(?,?,00000028), ref: 004678AF
SysAllocString.OLEAUT32(?), ref: 004678BD

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3f58f946de9e1cf89f3b0a917ffe9bb6988d9f270f498bf818e777779d8152ce
Instruction ID: 65347bf14241952f6fe516d953df497e863d0a2c9858df12de4266c5492117f8
Opcode Fuzzy Hash: 3f58f946de9e1cf89f3b0a917ffe9bb6988d9f270f498bf818e777779d8152ce
Instruction Fuzzy Hash: E4217471608204AFDB10AFB8DC88DAB77ECEB097647108136F915CB2A1E674DC85CB6D

Function 004704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0047052E

Strings

nul, xrefs: 00470567

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6a902a1a203d2ba6554c9156c2122f106e0b0ece3aef374871c2a7a7205a7d7c
Instruction ID: 37ebc47a503473eab46a6a662aa34668f64f5ef64e3e21c44b32a32161578eff
Opcode Fuzzy Hash: 6a902a1a203d2ba6554c9156c2122f106e0b0ece3aef374871c2a7a7205a7d7c
Instruction Fuzzy Hash: 58216D75501305EBDB20DF29DC45ADA7BA8AF54724F208A2AF8A9D62E0D7749940CF28

Function 004705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00470601

Strings

nul, xrefs: 00470639

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7a4e311930e80124f8ce9cad65942f1111aa2e8cf77577d7e27b56d82681dd65
Instruction ID: d6020922c6df84973a4937718467039e5c324196057f4af472b7a3e10f2118b5
Opcode Fuzzy Hash: 7a4e311930e80124f8ce9cad65942f1111aa2e8cf77577d7e27b56d82681dd65
Instruction Fuzzy Hash: 3521D375501301DBDB208F698C54ADB77E8AF91724F208A2BF8A5E33D0D7749860CB28

Function 004940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
Part of subcall function 0040600E: GetStockObject.GDI32(00000011), ref: 00406060
Part of subcall function 0040600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00494112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0049411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0049412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00494139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00494145

Strings

Msctls_Progress32, xrefs: 004940E3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c50fb4c64ff722785e59701b13b36032d6ebc45d8e81b9d85d95dbe7338d2343
Instruction ID: 7e299372ae2737e93466ee5066a8a0b4e73a7db95b0c4324f016d70e89fb52b2
Opcode Fuzzy Hash: c50fb4c64ff722785e59701b13b36032d6ebc45d8e81b9d85d95dbe7338d2343
Instruction Fuzzy Hash: 4C11B6B21401197EEF119F64CC86EE77F5DEF08798F014121BA18A2150C7769C21DBA8

Function 0043D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043D7A3: _free.LIBCMT ref: 0043D7CC

_free.LIBCMT ref: 0043D82D

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043D838
_free.LIBCMT ref: 0043D843
_free.LIBCMT ref: 0043D897
_free.LIBCMT ref: 0043D8A2
_free.LIBCMT ref: 0043D8AD
_free.LIBCMT ref: 0043D8B8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9628da1ed74816b1ddcfb1054e77e28d2c59f3be18865d584421ffa251c1dadf
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1D1181B1E40B14AAD521BFB2EC07FCB7BDC6F08714F40182EB699A6292DB6CB5054654

Function 0046DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046DA74
LoadStringW.USER32(00000000), ref: 0046DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046DA91
LoadStringW.USER32(00000000), ref: 0046DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0046DAB9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a664e4c0c5d0b2bfc634795dffc340d7692c6f5ea088f5bb81d31c5d349e3951
Instruction ID: cb2a43e863df41e6e3ad7029f784b5340023d8d1d8bc7ce810eda679f6cd2114
Opcode Fuzzy Hash: a664e4c0c5d0b2bfc634795dffc340d7692c6f5ea088f5bb81d31c5d349e3951
Instruction Fuzzy Hash: 39012CF69042087FEB109BA09D89EE6366CE708701F4044B7B706E2041E6749E844F79

Function 0047096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0161DC68,0161DC68), ref: 0047097B
EnterCriticalSection.KERNEL32(0161DC48,00000000), ref: 0047098D
TerminateThread.KERNEL32(?,000001F6), ref: 0047099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004709A9
CloseHandle.KERNEL32(?), ref: 004709B8
InterlockedExchange.KERNEL32(0161DC68,000001F6), ref: 004709C8
LeaveCriticalSection.KERNEL32(0161DC48), ref: 004709CF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c272fcceccc6d7f61d08d54095e9131f7c27ba34da8304be91edf383ae243266
Instruction ID: e7a7eacf21cf0797fa893d880d775a5ec980312bda4ea9f6b004330434e4aea7
Opcode Fuzzy Hash: c272fcceccc6d7f61d08d54095e9131f7c27ba34da8304be91edf383ae243266
Instruction Fuzzy Hash: ADF01D71442902EBD7515BA4EEC9AD67A25BF51702F801037F201508A0C775A465CFA8

Function 00481C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00481DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00481DE1
WSAGetLastError.WSOCK32 ref: 00481DF2
htons.WSOCK32(?,?,?,?,?), ref: 00481EDB
inet_ntoa.WSOCK32(?), ref: 00481E8C

Part of subcall function 004639E8: _strlen.LIBCMT ref: 004639F2

Part of subcall function 00483224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0047EC0C), ref: 00483240

_strlen.LIBCMT ref: 00481F35

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: db5da0d50c7f578ab7b3c99e6b57ade711d124be040e3b75c7e2c9e5e33f84b6
Instruction ID: 89ba0b211b91206f652a4c76219879ff435bbb1e47efb3a02c600774b8ef4e74
Opcode Fuzzy Hash: db5da0d50c7f578ab7b3c99e6b57ade711d124be040e3b75c7e2c9e5e33f84b6
Instruction Fuzzy Hash: 8CB1E031204300AFC324EF25C885E2A7BE9AF84318F54895EF5565B3E2DB79ED42CB95

Function 00405D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405D30
GetWindowRect.USER32(?,?), ref: 00405D71
ScreenToClient.USER32(?,?), ref: 00405D99
GetClientRect.USER32(?,?), ref: 00405ED7
GetWindowRect.USER32(?,?), ref: 00405EF8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f98a321d9851a9103c4aec90ecc83c7fa5d72bbdd36872e4aab95b285a1da288
Instruction ID: bb136436d6eddd7ce73fccc334cf18d099ab1de5746820dc066c6ffca76b1ecb
Opcode Fuzzy Hash: f98a321d9851a9103c4aec90ecc83c7fa5d72bbdd36872e4aab95b285a1da288
Instruction Fuzzy Hash: A3B15C74A0064ADBDB10DFA9C4807EAB7F1FF54310F14842AE8A9E7290D738AA51DF59

Function 004301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004300D6
__allrem.LIBCMT ref: 004300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043010B
__allrem.LIBCMT ref: 00430122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430140

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 082c97b854335830c01b3ff9a8a46d3891636cb8aaeecd51a324f571a9ad5372
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 19813472B00B169BEB249A29DC51B6B73F8AF49328F64423FF550D7781E778D9008798

Function 004361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004282D9,004282D9,?,?,?,0043644F,00000001,00000001,8BE85006), ref: 00436258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043644F,00000001,00000001,8BE85006,?,?,?), ref: 004362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004363D8
__freea.LIBCMT ref: 004363E5

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

__freea.LIBCMT ref: 004363EE
__freea.LIBCMT ref: 00436413

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1209449369a141f218ea762d0ca84d0722408024e3814443191bd0c5c44e8fa8
Instruction ID: 00415eec5666cb23733ad8e989fef993a8383569e9390185dd5525917ea16664
Opcode Fuzzy Hash: 1209449369a141f218ea762d0ca84d0722408024e3814443191bd0c5c44e8fa8
Instruction Fuzzy Hash: 4151F472A00217BBEB259F64CC81EBF77A9EF48714F16962AFC05D6241DB38DC40C668

Function 0048BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048BD25
RegCloseKey.ADVAPI32(00000000), ref: 0048BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0048BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048BDF3
RegCloseKey.ADVAPI32(?), ref: 0048BDFF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 82e08bbfd684f70d4f226beb7cb2a9cbfc03d9ab4ea118f5a6b662874153eec2
Instruction ID: 66867387895693e3d3c5b46cb5408c9a4ea2bc678d8421b78e890b6d7f12048b
Opcode Fuzzy Hash: 82e08bbfd684f70d4f226beb7cb2a9cbfc03d9ab4ea118f5a6b662874153eec2
Instruction Fuzzy Hash: B4818D70208241AFD714EF24C891E2BBBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0045F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0045F7B9
SysAllocString.OLEAUT32(00000001), ref: 0045F860
VariantCopy.OLEAUT32(0045FA64,00000000), ref: 0045F889
VariantClear.OLEAUT32(0045FA64), ref: 0045F8AD
VariantCopy.OLEAUT32(0045FA64,00000000), ref: 0045F8B1
VariantClear.OLEAUT32(?), ref: 0045F8BB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a49084a68d879239f3ae60722722be27c42a63aa626aa3e63d977c587d1ee3ee
Instruction ID: fad3531c477c6a02c86f7eb964f9f53b5c2f0619bb92a20d51ab317aa8b873ef
Opcode Fuzzy Hash: a49084a68d879239f3ae60722722be27c42a63aa626aa3e63d977c587d1ee3ee
Instruction Fuzzy Hash: 5E51A371600310ABCF106B66D895B29B3A8EF45315B24847BED06DF293DB789C8D879F

Function 0047910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004794E5
_wcslen.LIBCMT ref: 00479506
_wcslen.LIBCMT ref: 0047952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00479585

Strings

X, xrefs: 00479412

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4c9f4a48d09fc528e21ade2740e02bc8829b72f3a75169d9605ffbec50a23091
Instruction ID: f9c8aca44ffe02e8de6b54035f4c347787dd5f254e66c9c0782f12f4ab8f18d5
Opcode Fuzzy Hash: 4c9f4a48d09fc528e21ade2740e02bc8829b72f3a75169d9605ffbec50a23091
Instruction Fuzzy Hash: 48E1A5315083109FD714EF25C881AAAB7E4FF85318F04896EF8899B392DB34DD05CB9A

Function 0041920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

BeginPaint.USER32(?,?,?), ref: 00419241
GetWindowRect.USER32(?,?), ref: 004192A5
ScreenToClient.USER32(?,?), ref: 004192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004192D3
EndPaint.USER32(?,?,?,?,?), ref: 00419321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004571EA

Part of subcall function 00419339: BeginPath.GDI32(00000000), ref: 00419357

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e5d6b84a52f782b2fb308e5e2c2c967a2313def70907e618fda16057d2da507d
Instruction ID: 4f764ae9922d03d679b2e388ac5059885de830c2255333fd05545b5e445d6b2d
Opcode Fuzzy Hash: e5d6b84a52f782b2fb308e5e2c2c967a2313def70907e618fda16057d2da507d
Instruction Fuzzy Hash: 7941AF70105200AFD710DF65DCA4FAA7BA8EB59325F04067BFD64872B2C7349C85DB6A

Function 004707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0047080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00470847
EnterCriticalSection.KERNEL32(?), ref: 00470863
LeaveCriticalSection.KERNEL32(?), ref: 004708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00470921

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 30ed8882d59acd555a3df60a2a3d52c604f38673e0abfaeff3b18a4558d28b82
Instruction ID: 2bf16e88385f0d526a50965f8e6b83eeec02fa5b23a39e33bc05af52056d0848
Opcode Fuzzy Hash: 30ed8882d59acd555a3df60a2a3d52c604f38673e0abfaeff3b18a4558d28b82
Instruction Fuzzy Hash: 63416B71A00205EFDF14AF55DC85AAA77B8FF04304F1480BAED049A297DB34DE65DBA8

Function 004981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0045F3AB,00000000,?,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0049824C
EnableWindow.USER32(?,00000000), ref: 00498272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004982D1
ShowWindow.USER32(?,00000004), ref: 004982E5
EnableWindow.USER32(?,00000001), ref: 0049830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0049832F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 42e7f4963a8afe54bfbb12e54d65d3cc8dc09abdcee0118ae871e9cfb65851b4
Instruction ID: dc6b8b90b41af4a5bb97c5c9f48c87ff949981370308f279306f208454a512ee
Opcode Fuzzy Hash: 42e7f4963a8afe54bfbb12e54d65d3cc8dc09abdcee0118ae871e9cfb65851b4
Instruction Fuzzy Hash: 52417074601644AFDF21CF19C899BA57FE0BB4B714F1841FEE9084B272CB36A841CB58

Function 00464C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00464C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00464CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00464CEA
_wcslen.LIBCMT ref: 00464D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00464D10
_wcsstr.LIBVCRUNTIME ref: 00464D1A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: d295e6a594ca4ed98a239005f34aa70c52984f51a62d2fb3dac5a2a277f547b9
Instruction ID: 464251b75fc9d2c55dfd6984dfe7a6015da58f2d422b8e3497c08f751bee6539
Opcode Fuzzy Hash: d295e6a594ca4ed98a239005f34aa70c52984f51a62d2fb3dac5a2a277f547b9
Instruction Fuzzy Hash: 7E212972604210BBEF155B36AC49E7B7B9CDF95750F10403FF805CA291EA69CC4192A9

Function 0047581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

_wcslen.LIBCMT ref: 0047587B
CoInitialize.OLE32(00000000), ref: 00475995
CoCreateInstance.OLE32(0049FCF8,00000000,00000001,0049FB68,?), ref: 004759AE
CoUninitialize.OLE32 ref: 004759CC

Strings

.lnk, xrefs: 00475876, 004758C1, 00475985

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 14366bc2929af0f7973c6ac102d43ed3d529afee1c66802db9191eb9b24067af
Instruction ID: 936ccbb4a6bc0a7597216a995219925d773478aa535829475d81f68a9eda2d51
Opcode Fuzzy Hash: 14366bc2929af0f7973c6ac102d43ed3d529afee1c66802db9191eb9b24067af
Instruction Fuzzy Hash: B3D166B06047019FC704DF25C480A6ABBE5FF89718F14886EF8899B3A1D779EC45CB96

Function 0046175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00460FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00460FCA
Part of subcall function 00460FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00460FD6
Part of subcall function 00460FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00460FE5
Part of subcall function 00460FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00460FEC
Part of subcall function 00460FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00461002

GetLengthSid.ADVAPI32(?,00000000,00461335), ref: 004617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004617BA
HeapAlloc.KERNEL32(00000000), ref: 004617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004617DA
GetProcessHeap.KERNEL32(00000000,00000000,00461335), ref: 004617EE
HeapFree.KERNEL32(00000000), ref: 004617F5

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0217f33d3a09f36f6fd57d8d795c311aac87a1b448ea70626e62691d88011ea3
Instruction ID: f7763e6a00078c504dd556e881d6e2e8fceb37f6314b3f51a0856c51d334f811
Opcode Fuzzy Hash: 0217f33d3a09f36f6fd57d8d795c311aac87a1b448ea70626e62691d88011ea3
Instruction Fuzzy Hash: D611D031500205FFDB109FA4CC89BAFBBB9EF42356F18402AF44197220E739AA40CB69

Function 004614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00461506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00461515
CloseHandle.KERNEL32(00000004), ref: 00461520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0046154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00461563

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0004ec5b68ba4ca5e08fe2f58a29e972c16729a28a51e0587da2401d2513db42
Instruction ID: 8ad008c533a390392ba9902b6fce0b931663af64d2e56dd3b277a9d789bafa8b
Opcode Fuzzy Hash: 0004ec5b68ba4ca5e08fe2f58a29e972c16729a28a51e0587da2401d2513db42
Instruction Fuzzy Hash: DB115972501209BBDF118FA8EE89BDE7BA9EF48744F084026FA05A2160D3758E60DB65

Function 00423382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00423379,00422FE5), ref: 00423390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0042339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004233B7
SetLastError.KERNEL32(00000000,?,00423379,00422FE5), ref: 00423409

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a32605ef527eaa469144d2134be0da9f5a51a31bd8af4ba380e7972ee934d743
Instruction ID: e20225832f620dfe49ce4b56b4c60c5507e4676c0e6068a5d99a8cdab85c0515
Opcode Fuzzy Hash: a32605ef527eaa469144d2134be0da9f5a51a31bd8af4ba380e7972ee934d743
Instruction Fuzzy Hash: 4201D232308331AAA6242BB67CC5A272AA8EB1577A7A0027FF810802F1EE1D4E02514C

Function 00432D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00435686,00443CD6,?,00000000,?,00435B6A,?,?,?,?,?,0042E6D1,?,004C8A48), ref: 00432D78
_free.LIBCMT ref: 00432DAB
_free.LIBCMT ref: 00432DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0042E6D1,?,004C8A48,00000010,00404F4A,?,?,00000000,00443CD6), ref: 00432DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0042E6D1,?,004C8A48,00000010,00404F4A,?,?,00000000,00443CD6), ref: 00432DEC
_abort.LIBCMT ref: 00432DF2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5e0add9b765b87a898494888a9c51f6034469cae76b700c4ba7ec96355a0c39e
Instruction ID: bc5def4ff60a7aec5a6b9e7cc89536806b7c65568b5938bd00be58f42aabd56c
Opcode Fuzzy Hash: 5e0add9b765b87a898494888a9c51f6034469cae76b700c4ba7ec96355a0c39e
Instruction Fuzzy Hash: 3EF028355456102BC2623736BE06F5B3559AFCE7B5F24203FF824922D2EEEC8802516C

Function 00498A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00419639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196A2
Part of subcall function 00419639: BeginPath.GDI32(?), ref: 004196B9
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00498A4E
LineTo.GDI32(?,00000003,00000000), ref: 00498A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00498A70
LineTo.GDI32(?,00000000,00000003), ref: 00498A80
EndPath.GDI32(?), ref: 00498A90
StrokePath.GDI32(?), ref: 00498AA0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7546945f018009c9331fba3f7a2bb4d016bfd2e7c7688a7605cf59210c7cd9fc
Instruction ID: fbe2cd0df6ce29d36aa60cb89ce8f05a0eb0660468d66753ff6b58e60e770502
Opcode Fuzzy Hash: 7546945f018009c9331fba3f7a2bb4d016bfd2e7c7688a7605cf59210c7cd9fc
Instruction Fuzzy Hash: C1110976000108FFDF129F94DC88EAA7F6DEB08354F008076FA199A1A1C7719D55DFA4

Function 004651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00465218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00465229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00465230
ReleaseDC.USER32(00000000,00000000), ref: 00465238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0046524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00465261

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8faba0ee30be5cb13a1b2ecbb04910e715b6cec58ab827c338ca8977ae4f2e7f
Instruction ID: b580059f6be7f40f5b932cc52e30610f12d628495f3ea0f87bdd437489a17fc3
Opcode Fuzzy Hash: 8faba0ee30be5cb13a1b2ecbb04910e715b6cec58ab827c338ca8977ae4f2e7f
Instruction Fuzzy Hash: 3B014F75A00718BBEB109BA69C89A5EBFB8EB58751F044076FA04A7381D6709C05CFA5

Function 00401BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00401BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00401BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00401C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00401C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00401C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00401C22

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1a522003fa8669d509f293f71d3ce78c7a9fdbd6614cce04aed6fde4746875c8
Instruction ID: bde655c877d2c08a540512c5fbf9159b657977c32e8b628f088c8e44422960a5
Opcode Fuzzy Hash: 1a522003fa8669d509f293f71d3ce78c7a9fdbd6614cce04aed6fde4746875c8
Instruction Fuzzy Hash: D30167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5AC64CBE5

Function 0046EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0046EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0046EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB75

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 006adf219d05379228fd92673f0820b1abaf0f8004913cab913325fb14eb15e3
Instruction ID: f5e88bd126d4b4a45c055c34ca32b052b60c6e081341237e67be9e8f7f9e4ade
Opcode Fuzzy Hash: 006adf219d05379228fd92673f0820b1abaf0f8004913cab913325fb14eb15e3
Instruction Fuzzy Hash: 55F03072140158BBE72157529C4EEEF3A7CEFDAB11F00017AF601D1191D7A05E01CABD

Function 00457439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00457452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00457469
GetWindowDC.USER32(?), ref: 00457475
GetPixel.GDI32(00000000,?,?), ref: 00457484
ReleaseDC.USER32(?,00000000), ref: 00457496
GetSysColor.USER32(00000005), ref: 004574B0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 13767dde9905c331695c021f44ed15c71d7cf84250aa2b4c85453f6a2abbb232
Instruction ID: 6ab9d80463e99b87d734b7b9dcd57c73bb02452364882ca98cfe7d1e246d3b82
Opcode Fuzzy Hash: 13767dde9905c331695c021f44ed15c71d7cf84250aa2b4c85453f6a2abbb232
Instruction Fuzzy Hash: CB018B31400215FFEB105FA4EC48BAA7BB5FB14322F510072FD16A21A1CB311E42AB59

Function 00461874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0046187F
UnloadUserProfile.USERENV(?,?), ref: 0046188B
CloseHandle.KERNEL32(?), ref: 00461894
CloseHandle.KERNEL32(?), ref: 0046189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004618A5
HeapFree.KERNEL32(00000000), ref: 004618AC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 43ec2971e1f8e2b585ea47eb38944aec25349c450572c3fa8a85bc44f1bb437f
Instruction ID: 93ed99ab83d3086ca9a7d7f977fc2ab570087ad659e0d6fe9bbd6d734ea77bf3
Opcode Fuzzy Hash: 43ec2971e1f8e2b585ea47eb38944aec25349c450572c3fa8a85bc44f1bb437f
Instruction Fuzzy Hash: B6E0E536004101BBDB016FA1EE4D90ABF39FFA9B22B108232F22581070CB329420DF68

Function 0040BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040BEB3

Strings

D%M, xrefs: 0040BDED, 0040BD91, 0040BD1B
D%M, xrefs: 0040BCA2
D%MD%M, xrefs: 0040BCA5
D%M, xrefs: 0040BE9A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%M$D%M$D%M$D%MD%M
API String ID: 1385522511-4071987705
Opcode ID: 45be36f2c31fd68d13b3661d6e4058314b6040ef6306753e818845e7dda3d8e9
Instruction ID: b7ac573a61b6c86a4bc46bfd2286d2af8bebba7c614699f93cceb1e50d544b9f
Opcode Fuzzy Hash: 45be36f2c31fd68d13b3661d6e4058314b6040ef6306753e818845e7dda3d8e9
Instruction Fuzzy Hash: 94915A75A04206DFCB14CF58C090AAAB7F1FF59310B24816FD945AB390D779AD82CBD8

Function 00487B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00420242: EnterCriticalSection.KERNEL32(004D070C,004D1884,?,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042024D
Part of subcall function 00420242: LeaveCriticalSection.KERNEL32(004D070C,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042028A

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

__Init_thread_footer.LIBCMT ref: 00487BFB

Part of subcall function 004201F8: EnterCriticalSection.KERNEL32(004D070C,?,?,00418747,004D2514), ref: 00420202
Part of subcall function 004201F8: LeaveCriticalSection.KERNEL32(004D070C,?,00418747,004D2514), ref: 00420235

Strings

+TE, xrefs: 00487E2E
5, xrefs: 00487C78
Variable must be of type 'Object'., xrefs: 00487C3A
G, xrefs: 00487C7F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TE$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3584180923
Opcode ID: af21ac6e1d72347c8a3d2dfb41b3795d3fc3680a5ff0b23ec7531807dcfec201
Instruction ID: 0825d4067c9ae755b982dfb175b1a2eaf4d05ac682f8bd9bb84b6976c6d4baab
Opcode Fuzzy Hash: af21ac6e1d72347c8a3d2dfb41b3795d3fc3680a5ff0b23ec7531807dcfec201
Instruction Fuzzy Hash: 60916E70604209EFCB14EF55D8A19AEB7B2BF44304F24845EF805AB392DB79EE41CB59

Function 0046C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0046C6EE
_wcslen.LIBCMT ref: 0046C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0046C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0046C7CA

Strings

0, xrefs: 0046C6AF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f0e09503e9eb8345d2979dfcebe89e69e1399e560a686f2de5a808b2492547e4
Instruction ID: 02c39af64d605911332feec9c2f910ed825ee2d27519ab025def179ed8ccc1ac
Opcode Fuzzy Hash: f0e09503e9eb8345d2979dfcebe89e69e1399e560a686f2de5a808b2492547e4
Instruction Fuzzy Hash: E451BD71604302ABD710AF29C8C5A7B77E4AB49315F040A2FF9D5E32A0EB78D8058A5F

Function 0048AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0048AEA3

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

GetProcessId.KERNEL32(00000000), ref: 0048AF38
CloseHandle.KERNEL32(00000000), ref: 0048AF67

Strings

@, xrefs: 0048AE72
<, xrefs: 0048AE6B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 932be7b8c4401304ef154d8a21cef403a2eefc9f347d245a286148f2fc14bcf5
Instruction ID: 3a9d9222576e1ac9a23f032ea787e2e7f4163c939ef43f311c18500ddff8749b
Opcode Fuzzy Hash: 932be7b8c4401304ef154d8a21cef403a2eefc9f347d245a286148f2fc14bcf5
Instruction Fuzzy Hash: FB716D71A00615DFDB14EF55C484A9EBBF0BF08318F0488AEE816AB391C778ED55CB99

Function 0046719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00467206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0046723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0046724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004672CF

Strings

DllGetClassObject, xrefs: 00467242

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b35b2fabb8949c64e64443875823b8b72f8e25cef496698fd7594227b97294f6
Instruction ID: e332de68a8d26745d51daefcd21ff4a8066250c0fbc8ee4667deaac8a0dfb549
Opcode Fuzzy Hash: b35b2fabb8949c64e64443875823b8b72f8e25cef496698fd7594227b97294f6
Instruction Fuzzy Hash: B841AFB1604204EFDB15CF54C895B9A7BA9EF44318F1080AFFD059F20AE7B8D945CBA9

Function 00493D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00493E35
IsMenu.USER32(?), ref: 00493E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00493E92
DrawMenuBar.USER32 ref: 00493EA5

Strings

0, xrefs: 00493D89

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e0036aa3344cb50c9cce7fd23814732b21b91d0636eac94f5e20752203b2f1fc
Instruction ID: 1ceb5875ea216bf0f6704e695d407c18a1549138caaace43da91105b8d0af581
Opcode Fuzzy Hash: e0036aa3344cb50c9cce7fd23814732b21b91d0636eac94f5e20752203b2f1fc
Instruction Fuzzy Hash: D1416775A01209EFDF10DF60D884AAABBB9FF4A365F04417AE905A7350D738AE41CF64

Function 00461DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00461E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00461E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00461EA9

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Strings

ComboBox, xrefs: 00461DF0
ListBox, xrefs: 00461E25

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 26e78b4820c5daf5577def25cf0f7f9b1bc67df1c9fb176d29c4c91f14213157
Instruction ID: 86c04d156832200472c445316d932c4a34808655da9d2e573a4528d17430349c
Opcode Fuzzy Hash: 26e78b4820c5daf5577def25cf0f7f9b1bc67df1c9fb176d29c4c91f14213157
Instruction Fuzzy Hash: EB213772A00144BADB14AB61DC45DFFBBB8DF41354F14412FF821A32E1EB3D9D0A9629

Function 00492F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00492F8D
LoadLibraryW.KERNEL32(?), ref: 00492F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00492FA9
DestroyWindow.USER32(?), ref: 00492FB1

Strings

SysAnimate32, xrefs: 00492F68

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0b89f4972ad498b70bc2a1595c0db3748fec38cd1bba60b0f3d8d84754f06fab
Instruction ID: 722834eff0a5930c05746b20bfc6279012394e2664c96d2ac67a4f5f0b34f9ae
Opcode Fuzzy Hash: 0b89f4972ad498b70bc2a1595c0db3748fec38cd1bba60b0f3d8d84754f06fab
Instruction Fuzzy Hash: 3C219D72200205BFEF108F64DD80EBB3BB9EB59368F10063AF954D2298D7B5DC51A768

Function 00424D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00424D1E,004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002), ref: 00424D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00424DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00424D1E,004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000), ref: 00424DC3

Strings

mscoree.dll, xrefs: 00424D86
CorExitProcess, xrefs: 00424D98

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6173fefeb2ea5d8578249e17750bc1ca4379ae90663aaee229e0e61f51f9ce41
Instruction ID: f8f4e9972e8aaa3044dd575916bf8a37e8c474ed8185850f22b2ae15484a8ef3
Opcode Fuzzy Hash: 6173fefeb2ea5d8578249e17750bc1ca4379ae90663aaee229e0e61f51f9ce41
Instruction Fuzzy Hash: A4F04F34A50218BBDB119F91EC89BAEBBB5EF54752F4001BAF809A2260CB345D40CE98

Function 00404E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404EAE
FreeLibrary.KERNEL32(00000000,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404EA8
kernel32.dll, xrefs: 00404E94

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1f0daf08137303d123905fa1aea4dff68d5910ed260024f2cdacfbd315a855e4
Instruction ID: df5f97fde00aa5c7b11bf10d08503bc6e97474995ffea749878bf06e9095efd0
Opcode Fuzzy Hash: 1f0daf08137303d123905fa1aea4dff68d5910ed260024f2cdacfbd315a855e4
Instruction Fuzzy Hash: 7CE08635A015229BD2211B25BC59B5B6554AFD1B637050137FD04E2254DB78CD0244EC

Function 00404E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404E74
FreeLibrary.KERNEL32(00000000,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404E6E
kernel32.dll, xrefs: 00404E5B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: bbfd422d7dd054d629010c3565ecda1d64402e91b67eb59358e1197e0cf7697b
Instruction ID: 14aa215812f609d35427a445d5e1ed10e05d1ccd2edaed2236f54676345637d1
Opcode Fuzzy Hash: bbfd422d7dd054d629010c3565ecda1d64402e91b67eb59358e1197e0cf7697b
Instruction Fuzzy Hash: A0D0C235502621678A221B24BC0DE8B2A18AFC1B21305023BBE08B2294CF38CD01C9DC

Function 00472947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472C05
DeleteFileW.KERNEL32(?), ref: 00472C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00472C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472CC0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cf64b3e1f78aaf6a67b69a5493fc1ba42a6561412770b59028befd677ce06138
Instruction ID: 25f273e5bc0cef79ba705e547f5ffbb84529f1a3e9f84871978032dcead80d90
Opcode Fuzzy Hash: cf64b3e1f78aaf6a67b69a5493fc1ba42a6561412770b59028befd677ce06138
Instruction Fuzzy Hash: 44B16C71E00129ABDF11DFA5CD85EDFB7BCEF48304F0080ABF509A6141EA789A448F69

Function 0048A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0048A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0048A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0048A468
CloseHandle.KERNEL32(?), ref: 0048A63D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5d9ae3f524424c38900f2aaa5585905a0bf745972dd28d968be09a5aba61aa5e
Instruction ID: b8088afb9398ffb554eda8f2aa8979eea9f31ae81038faa3cf482018adcea7df
Opcode Fuzzy Hash: 5d9ae3f524424c38900f2aaa5585905a0bf745972dd28d968be09a5aba61aa5e
Instruction Fuzzy Hash: ADA1C771604301AFE720DF15C881F2AB7E1AF44718F14882EF5599B3D2D7B4EC418B96

Function 0043BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004A3700), ref: 0043BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0043BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004D1270,000000FF,?,0000003F,00000000,?), ref: 0043BC36
_free.LIBCMT ref: 0043BB7F

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043BD4B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d9a96ea48cdbbf13f63fef2db02cf8a3c601fb532a01f61efdb8b8ef442142ca
Instruction ID: 1486fbc8524c102181353447770aa1bc8541d8fa981ba0c70f9e98c7ed156765
Opcode Fuzzy Hash: d9a96ea48cdbbf13f63fef2db02cf8a3c601fb532a01f61efdb8b8ef442142ca
Instruction Fuzzy Hash: AC51EA71900219AFC720DFA59C81A6AB7BCEF49314F1052AFEA54E72A1DB345E41CBDC

Function 0046E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0046CF22,?), ref: 0046DDFD

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0046CF22,?), ref: 0046DE16

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

lstrcmpiW.KERNEL32(?,?), ref: 0046E473
MoveFileW.KERNEL32(?,?), ref: 0046E4AC
_wcslen.LIBCMT ref: 0046E5EB
_wcslen.LIBCMT ref: 0046E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0046E650

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 8b7d12b8691a708a898bce109f04a875d45e2539b377ddf33cb02cb9f38f5ea5
Instruction ID: 51a687a1a71a7dd90ec3e01b8a2bce827e6d680ca17c8134330d861f6370ce1f
Opcode Fuzzy Hash: 8b7d12b8691a708a898bce109f04a875d45e2539b377ddf33cb02cb9f38f5ea5
Instruction Fuzzy Hash: B15160B25083845BC724EBA1DC819DBB3DCAF84344F40492FE68993191EE78A588876F

Function 0048B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0048BB63
RegCloseKey.ADVAPI32(?,?), ref: 0048BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0048BBB3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ceacbbcad2e4a5d2eb6636eafa7dd984fa30c071b71a42c25ca71737bd75d141
Instruction ID: bbc1d49f96498461f84a1a740cbd438427599bca2e1a62366f813ffdbb4a339f
Opcode Fuzzy Hash: ceacbbcad2e4a5d2eb6636eafa7dd984fa30c071b71a42c25ca71737bd75d141
Instruction Fuzzy Hash: FE619431208241AFD714EF24C490E2BBBE5FF84348F54896EF4954B2A2DB35ED45CB96

Function 00468BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00468BCD
VariantClear.OLEAUT32 ref: 00468C3E
VariantClear.OLEAUT32 ref: 00468C9D
VariantClear.OLEAUT32(?), ref: 00468D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00468D3B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c7c37afbe69f97956fb0d19e3569aca77d964282cb29c84af807d412189997f9
Instruction ID: fb2819b933547efb8b736eec217633f92c801ebe2c35394c71980d4cfd1bf812
Opcode Fuzzy Hash: c7c37afbe69f97956fb0d19e3569aca77d964282cb29c84af807d412189997f9
Instruction Fuzzy Hash: BC516CB5A00219EFCB10CF58D884AAAB7F4FF89314B15856AE905DB350E734E911CFA5

Function 00478AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00478BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00478BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00478C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00478C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00478C5F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: bfa752d8cbad3fbb10bbc00866f72c66d39e64cb8138aeaff2ac495d282c609d
Instruction ID: 4d3a7ff44322516b370283d61508f10edc917193a6e632f242b3c5bb2232e36f
Opcode Fuzzy Hash: bfa752d8cbad3fbb10bbc00866f72c66d39e64cb8138aeaff2ac495d282c609d
Instruction Fuzzy Hash: B0515135A00215AFCB01DF55C885AAABBF5FF48318F04C46DE8496B3A2DB39ED41CB95

Function 00488EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00488F40
GetProcAddress.KERNEL32(00000000,?), ref: 00488FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00488FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00489032
FreeLibrary.KERNEL32(00000000), ref: 00489052

Part of subcall function 0041F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00471043,?,7529E610), ref: 0041F6E6
Part of subcall function 0041F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0045FA64,00000000,00000000,?,?,00471043,?,7529E610,?,0045FA64), ref: 0041F70D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 546b2b00c22c815be91eca14af110e08e7a0377f3c93c43b65a39d16e1c97e2b
Instruction ID: 47ad584446a521801eb7e26ec9ff8de19ac0ca89c07e0ae45e5f1aee28304d75
Opcode Fuzzy Hash: 546b2b00c22c815be91eca14af110e08e7a0377f3c93c43b65a39d16e1c97e2b
Instruction Fuzzy Hash: E8516335600205DFC711EF54C4848ADBBF1FF49318B4884AAE905AB362DB35ED86CF99

Function 00496B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00496C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00496C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00496C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0047AB79,00000000,00000000), ref: 00496C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00496CC7

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2f03cd997b35680eb01586d1af4fe9623681f8ac33562b8ad328c65bcacae72e
Instruction ID: 12a0e0884739766fa0dfcc0b1bcbf13c14a553a95f9ce1c143211c00233c5ce9
Opcode Fuzzy Hash: 2f03cd997b35680eb01586d1af4fe9623681f8ac33562b8ad328c65bcacae72e
Instruction Fuzzy Hash: 7541A135604114AFDF24CF28CC98FA67FA5EB09350F16027AF999A73A0D375ED41CA58

Function 00432051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004320C3
_free.LIBCMT ref: 004320E3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction ID: 6dd859aa5b34bf1fef1704294b8be7e7265d224a6742f6dcd311402aa10f32ba
Opcode Fuzzy Hash: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction Fuzzy Hash: 9A411372A00200AFCB24DF79CA80A5EB3F1EF88314F1541AEE615EB391D775AD01CB84

Function 0041912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00419141
ScreenToClient.USER32(00000000,?), ref: 0041915E
GetAsyncKeyState.USER32(00000001), ref: 00419183
GetAsyncKeyState.USER32(00000002), ref: 0041919D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1f4b99ddf7770994000e2e752fd0c50b56e37b570bdab3736163e39e4edf255d
Instruction ID: 4ec9162a1520e967818a38ef5d3125694897c688c06126800f407b15a9c0efab
Opcode Fuzzy Hash: 1f4b99ddf7770994000e2e752fd0c50b56e37b570bdab3736163e39e4edf255d
Instruction Fuzzy Hash: 97417071A0851ABBDF059F64D858BEEB774FB05324F20822BE825A33D1C7386D94CB55

Function 00473874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00473922
TranslateMessage.USER32(?), ref: 0047394B
DispatchMessageW.USER32(?), ref: 00473955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00473966

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1d263d90fd72d112a53c6766bf6d8848523db5564669c37401054b8c419d30da
Instruction ID: 84eaa786b2387123832bc19ae6b818a3c20a250c8b8cc06f73be85a0076670e9
Opcode Fuzzy Hash: 1d263d90fd72d112a53c6766bf6d8848523db5564669c37401054b8c419d30da
Instruction Fuzzy Hash: F831EAF0505341AEEB35DF349848BF737E49B15305F04857FE95A822A0D3B89685EB1A

Function 0047CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0047C21E,00000000), ref: 0047CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0047CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFF2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 58fa1830f9c8f3a1c47ab0d6b92f4e7d2d06bda8a8397d404c9dfb8567c2c437
Instruction ID: e2ddae2e016a7532fe7ae0336facecb5f043aa575c99eebf64ce95ba0d683efb
Opcode Fuzzy Hash: 58fa1830f9c8f3a1c47ab0d6b92f4e7d2d06bda8a8397d404c9dfb8567c2c437
Instruction Fuzzy Hash: 59314F71500605EFDB20DFA5D8C49EBBBF9EB14354B10846FF50AD2281D738AE459B68

Function 00461901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00461915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004619E2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: afe3dbb1c1b5812c924d18584f98d9909dfe25e6880b22c06b7a4c40ae944cbe
Instruction ID: 829d82280daac0add66571c4e3e0d920b35c3f5cad5351cfb82f8dd034f1eba3
Opcode Fuzzy Hash: afe3dbb1c1b5812c924d18584f98d9909dfe25e6880b22c06b7a4c40ae944cbe
Instruction Fuzzy Hash: D331E0B1A00219EFCB00CFA8CD99ADE3BB5EB44314F04422AF921A72E0D3749D48CB95

Function 00495706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00495745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0049579D
_wcslen.LIBCMT ref: 004957AF
_wcslen.LIBCMT ref: 004957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00495816

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f224cb674ae0583935b1f03869fe9fea8b63ee289ff83acd55362933cbc49a42
Instruction ID: 6ec0d0b2a114a538478c386fa1c3cfc577435f3482bce6752ac6046d20e967aa
Opcode Fuzzy Hash: f224cb674ae0583935b1f03869fe9fea8b63ee289ff83acd55362933cbc49a42
Instruction Fuzzy Hash: CE21A7719046189ADF21DFA0DC84AEE7B78FF04724F204177F929DA280D7788A85CF58

Function 00480930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00480951
GetForegroundWindow.USER32 ref: 00480968
GetDC.USER32(00000000), ref: 004809A4
GetPixel.GDI32(00000000,?,00000003), ref: 004809B0
ReleaseDC.USER32(00000000,00000003), ref: 004809E8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 195a483edd1dcdf039cd03fe6396345472f5f2d478cf678d7b6da44833dd45c7
Instruction ID: 11ced2f4e029b84405b50d312216b8a40d09f6c875fef5a9ce50f43728bdad74
Opcode Fuzzy Hash: 195a483edd1dcdf039cd03fe6396345472f5f2d478cf678d7b6da44833dd45c7
Instruction Fuzzy Hash: 1A21A175600204AFD714EF69C884EAEBBE5EF48704F00847EE84AA7362DB34AC04CB94

Function 0043CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0043CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043CDE9

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0043CE0F
_free.LIBCMT ref: 0043CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0043CE31

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e06f20c93cc601861fa5ce633177da756fed3fc3e672f577b81ff098bf774a86
Instruction ID: 1197e6e1fe02c4a0703ab6cd5735b10ecee6a660b31c68c5b12b274b31b6dad2
Opcode Fuzzy Hash: e06f20c93cc601861fa5ce633177da756fed3fc3e672f577b81ff098bf774a86
Instruction Fuzzy Hash: AC01D8726012157F232126766CCED7B796DDECABA1715113FFD05E7201DA698D0182BC

Function 00419639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
SelectObject.GDI32(?,00000000), ref: 004196A2
BeginPath.GDI32(?), ref: 004196B9
SelectObject.GDI32(?,00000000), ref: 004196E2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ff3afd791bfa64476153b784ca82cb3eb3b91a5e99644b880ad6adea22e2ed25
Instruction ID: 78f1d194d7aedd34a2b77dd1bb53a5becfdc778ea9d24743b2e18ad0daeb6eef
Opcode Fuzzy Hash: ff3afd791bfa64476153b784ca82cb3eb3b91a5e99644b880ad6adea22e2ed25
Instruction Fuzzy Hash: 6C213DB0902305EBDB119F64EC657EA3BA9BB50365F100277F810A62B1D3785C95CFAD

Function 00465711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00465726
_memcmp.LIBVCRUNTIME ref: 00465744
_memcmp.LIBVCRUNTIME ref: 00465757
_memcmp.LIBVCRUNTIME ref: 0046576F
_memcmp.LIBVCRUNTIME ref: 00465787

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction ID: 87b03ce543656566d8abf010f9e260a5a793b331451bb8d5a0ee2648b4f9f092
Opcode Fuzzy Hash: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction Fuzzy Hash: 6601F971341615BBE60895119D42FBB734D9B313A9F504037FD04AAA41F72DED2582EE

Function 00432DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6), ref: 00432DFD
_free.LIBCMT ref: 00432E32
_free.LIBCMT ref: 00432E59
SetLastError.KERNEL32(00000000,00401129), ref: 00432E66
SetLastError.KERNEL32(00000000,00401129), ref: 00432E6F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1814151eca9aff72ff2c93c6ccbc5fcea9cb8c04b5e3c10e8124efd733df63a3
Instruction ID: c0694638e7792851092fa5cd03291216858c210ee132d495a6d0c21532e8c229
Opcode Fuzzy Hash: 1814151eca9aff72ff2c93c6ccbc5fcea9cb8c04b5e3c10e8124efd733df63a3
Instruction Fuzzy Hash: 8301F9762456006BD61227766E87E2B3559AFDD369F25203FF825A2292EEFC8C02506C

Function 0046000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?,?,0046035E), ref: 0046002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?), ref: 00460064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460070

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2ef6ad04a1427489c6d2ad9b1713ed0c4ec6fe18a998b475bd347fdebb59028a
Instruction ID: 4ed6cdf9d6976c148567e7f9fd8ca272fe3e0bd2c1d752201ac9e38fb47a593a
Opcode Fuzzy Hash: 2ef6ad04a1427489c6d2ad9b1713ed0c4ec6fe18a998b475bd347fdebb59028a
Instruction Fuzzy Hash: 8B01AD72600204BFDB109F68EC88BAB7AEDEF44792F144136F905E2210E7B9DD408BA4

Function 0046E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0046E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0046E9A5
Sleep.KERNEL32(00000000), ref: 0046E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0046E9B7
Sleep.KERNEL32 ref: 0046E9F3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2aeaa79d5672aed6268297b647a7432b7ce9414ded8618e8230f64fce08111e6
Instruction ID: e8df75264cfc46d5542beadfd56f5430bc66c85ba3907fffc5f89a1a7ce3f043
Opcode Fuzzy Hash: 2aeaa79d5672aed6268297b647a7432b7ce9414ded8618e8230f64fce08111e6
Instruction Fuzzy Hash: 08015B75C01529DBCF00AFE6D9996DEBBB8BF09700F000567E502B2240DB3895598BAA

Function 004610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ce014c5868846d7c8cbeb970d1f65daabd8744abfde489563efd0793294f8ce4
Instruction ID: 905019f768625a34e11d31e15c1025594aaff330f26edc8ff24bb3a527f57659
Opcode Fuzzy Hash: ce014c5868846d7c8cbeb970d1f65daabd8744abfde489563efd0793294f8ce4
Instruction Fuzzy Hash: 53011D75100205BFDB114FA5DC89AAB3B6EEF8A360B544476FA45D7360EA31DC009A68

Function 00460FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00460FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00460FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00460FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00460FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00461002

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 80b7b46aa13c80867e1358b9b29a91cb199ce5f3faa2ad2d12c0a4ab802f4a79
Instruction ID: 19f58f7f2ef5baa3176ae181a887f72838396cd1930da02c92509eb2eca7197d
Opcode Fuzzy Hash: 80b7b46aa13c80867e1358b9b29a91cb199ce5f3faa2ad2d12c0a4ab802f4a79
Instruction Fuzzy Hash: 9EF0A935200301ABDB210FA49C8AF5B3BADEF99762F200436FA05D6260DA30DC408A78

Function 00461014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0046102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00461036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0046104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461062

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56d3426fd5648950043470301933ab3bbbda605344f19258b7462d08cd539152
Instruction ID: 7a717aa150d4942d0c10e89215848741cb31b7faf8bb8dd1e0430935280b2535
Opcode Fuzzy Hash: 56d3426fd5648950043470301933ab3bbbda605344f19258b7462d08cd539152
Instruction Fuzzy Hash: 95F06D35240311EBDB215FA4EC89F5B3BADEF99761F240436FA45E7260DA74D8408AB8

Function 0047030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470324
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470331
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 0047033E
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 0047034B
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470358
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470365

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0b52786944a190897126378818267e3c41e3c129c4972858b0d9542f89387ea
Instruction ID: 15ace0418df84187642c2314bf566344365291e49933a4038b0db5ea42340f64
Opcode Fuzzy Hash: c0b52786944a190897126378818267e3c41e3c129c4972858b0d9542f89387ea
Instruction Fuzzy Hash: 56019072801B15DFC7309F66D880453F7F5BE602153158A3FD59A52A31C375A954CE84

Function 0043D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D752

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043D764
_free.LIBCMT ref: 0043D776
_free.LIBCMT ref: 0043D788
_free.LIBCMT ref: 0043D79A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction ID: f5ce886cc1531f6a28f8f015eef13142195b22a627306931412e56b56f15fa43
Opcode Fuzzy Hash: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction Fuzzy Hash: 64F03CB2A00214AB8661FB65FAC2D1777DDBB08310F94281AF048D7601C738FC808A6C

Function 00465C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00465C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00465C6F
MessageBeep.USER32(00000000), ref: 00465C87
KillTimer.USER32(?,0000040A), ref: 00465CA3
EndDialog.USER32(?,00000001), ref: 00465CBD

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 99409bf667dfd5146e04d6ca95f67e3c88710ae28e4330c26662dce5bcfe50df
Instruction ID: d2f2f99a99c3866907f2b8e9e78720351076807077f306acab77195a7e7bd78d
Opcode Fuzzy Hash: 99409bf667dfd5146e04d6ca95f67e3c88710ae28e4330c26662dce5bcfe50df
Instruction Fuzzy Hash: 99018670500B04AFFB205B10DD8EFA67BB8BB10B05F00057BA583A10E1EBF4AD848B99

Function 004322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004322BE

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 004322D0
_free.LIBCMT ref: 004322E3
_free.LIBCMT ref: 004322F4
_free.LIBCMT ref: 00432305

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction ID: 89911822197d56008bbfa5947ace786dcece450e15fc45a2089b3a214c72ff9d
Opcode Fuzzy Hash: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction Fuzzy Hash: 4EF03AF89021309B8612BF55BD41A0E3B64FB1C761F1115AFF814E32B1C7B90812ABAC

Function 004195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004195D4
StrokeAndFillPath.GDI32(?,?,004571F7,00000000,?,?,?), ref: 004195F0
SelectObject.GDI32(?,00000000), ref: 00419603
DeleteObject.GDI32 ref: 00419616
StrokePath.GDI32(?), ref: 00419631

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1fa8cac9b5671377a88cd9069445daa392776c05a8e75c04debd9cfbfa3f9ee5
Instruction ID: 238536ff26761e07678ffaf61f955209fe333ea733f2b2e557bdad333fde91c8
Opcode Fuzzy Hash: 1fa8cac9b5671377a88cd9069445daa392776c05a8e75c04debd9cfbfa3f9ee5
Instruction Fuzzy Hash: 6EF03771007208FBDB265F69ED6CBA93B61AB10322F048276F825651F1C7348992DF3C

Function 00430F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004310F9
__freea.LIBCMT ref: 00431117

Part of subcall function 00431537: _free.LIBCMT ref: 0043154F

Strings

am/pm, xrefs: 0043117A
a/p, xrefs: 004311DE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ea3ff1d5b773863d711455d32771d517fa4c043961c4b2310e599dbe605c66e5
Instruction ID: e7f55f0000d1cb7e47c77de890cae059c8a33d49be9b46a5649e7d8ef9c59423
Opcode Fuzzy Hash: ea3ff1d5b773863d711455d32771d517fa4c043961c4b2310e599dbe605c66e5
Instruction Fuzzy Hash: 9CD1D331900205DAEB289F68C855BFBB7B1EF0D300F24615BE941ABB61D37D9D81CB5A

Function 004861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00420242: EnterCriticalSection.KERNEL32(004D070C,004D1884,?,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042024D
Part of subcall function 00420242: LeaveCriticalSection.KERNEL32(004D070C,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042028A

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

__Init_thread_footer.LIBCMT ref: 00486238

Part of subcall function 004201F8: EnterCriticalSection.KERNEL32(004D070C,?,?,00418747,004D2514), ref: 00420202
Part of subcall function 004201F8: LeaveCriticalSection.KERNEL32(004D070C,?,00418747,004D2514), ref: 00420235

Part of subcall function 0047359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004735E4
Part of subcall function 0047359C: LoadStringW.USER32(004D2390,?,00000FFF,?), ref: 0047360A

Strings

x#M, xrefs: 0048636F
x#M, xrefs: 0048633A
x#M, xrefs: 00486353

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#M$x#M$x#M
API String ID: 1072379062-3829861524
Opcode ID: 80ee645dbdc2eab479d3dd8f137cd4178171aa55f5d4c03e64e0d551daf95a42
Instruction ID: ad22d8bb0a2c6c26de9bbcbdc3a22a2ffba9b188311ff05807625ef18eb72349
Opcode Fuzzy Hash: 80ee645dbdc2eab479d3dd8f137cd4178171aa55f5d4c03e64e0d551daf95a42
Instruction Fuzzy Hash: 1FC17C71A00105AFCB14EF58D890EBEB7B9EF48304F11846EE905AB391DB78ED45CB99

Function 00435AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO@, xrefs: 00435BA8, 00435C6C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: JO@
API String ID: 0-2205270878
Opcode ID: ce11c385007f2bca724f6a85d1323d771e574351dcda8f1700ed997d3dbc06b4
Instruction ID: b658f802e9b97f4507de46c4e8aebdb1be01e23f2c7002ec2af2b44329f3f5e7
Opcode Fuzzy Hash: ce11c385007f2bca724f6a85d1323d771e574351dcda8f1700ed997d3dbc06b4
Instruction Fuzzy Hash: C7510171E006099FDB209FA5D845FEFBBB4AF0D328F54206BF404A7291D7799901CB6A

Function 00438A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00438B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00438B7A
__dosmaperr.LIBCMT ref: 00438B81

Strings

.B, xrefs: 00438A63

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .B
API String ID: 2434981716-829718130
Opcode ID: 70e0843d2617bb1ac96e5cc782c8146a09cdeed1e6b94f01a2576126441d1abf
Instruction ID: d9a944dd131fce4de3f862138ce5449590071cef698f36b4de1b46f389f44ad8
Opcode Fuzzy Hash: 70e0843d2617bb1ac96e5cc782c8146a09cdeed1e6b94f01a2576126441d1abf
Instruction Fuzzy Hash: 8D418070604246AFDB249F24CC81A7AFFA5DB8E304F2855AFF45487252DE399C03875C

Function 00462716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004621D0,?,?,00000034,00000800,?,00000034), ref: 0046B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00462760

Part of subcall function 0046B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0046B3F8

Part of subcall function 0046B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0046B355
Part of subcall function 0046B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00462194,00000034,?,?,00001004,00000000,00000000), ref: 0046B365
Part of subcall function 0046B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00462194,00000034,?,?,00001004,00000000,00000000), ref: 0046B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0046281A

Strings

@, xrefs: 00462832

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e39cb11c52d900d99a61f6393d528a1cc770f9b1bdda61df4e84e090e70b983a
Instruction ID: ff5d13f5b86c1eaaf45520e5384042095ddc4846ce58a2d293a81ddafc3f8c7f
Opcode Fuzzy Hash: e39cb11c52d900d99a61f6393d528a1cc770f9b1bdda61df4e84e090e70b983a
Instruction Fuzzy Hash: 82412E72900218BFDB10DBA4CD41EDEBBB8EF05304F00405AFA55B7181EB746E85CBA5

Function 0043172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00431769
_free.LIBCMT ref: 00431834
_free.LIBCMT ref: 0043183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00431760, 00431767, 00431796, 004317CE

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: e9c9499fd060a66b16600f024b2810deb7c0494803fa76e7a6b1ded376093660
Instruction ID: e674aad6335fce6784df1a39a9e93ca8c5f84d3287671f514f1e0804a55ea8d6
Opcode Fuzzy Hash: e9c9499fd060a66b16600f024b2810deb7c0494803fa76e7a6b1ded376093660
Instruction Fuzzy Hash: 28318375A00218BBDB25DB9A9C85D9FBBBCEB89314F1451ABE804D7221D7744A40CB98

Function 0046C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0046C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0046C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004D1990,01625D80), ref: 0046C395

Strings

0, xrefs: 0046C2DF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 06fa2ef0e1f7f7ce18e9ba52c077ddcba619eddbc0651f459a18e64a4b6f570c
Instruction ID: a5a26f86fb8e3f621b5e9a31252ed0baa9d5e6f3d5edcb6defe443f1a9038187
Opcode Fuzzy Hash: 06fa2ef0e1f7f7ce18e9ba52c077ddcba619eddbc0651f459a18e64a4b6f570c
Instruction Fuzzy Hash: 454180712043019FD720DF25D884B2ABBE4AB85324F04862EEDA5973D1E738E944CB6B

Function 00494416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0049CC08,00000000,?,?,?,?), ref: 004944AA
GetWindowLongW.USER32 ref: 004944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004944D7

Strings

SysTreeView32, xrefs: 0049447C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5ff1c83aa0963029c2266391b6556a35f8a62dd241e8c66bd42430d1a9326bf5
Instruction ID: 0728479a3b8ee182e928d7310ced60abdb22f450be0063cda04d8313c87d6beb
Opcode Fuzzy Hash: 5ff1c83aa0963029c2266391b6556a35f8a62dd241e8c66bd42430d1a9326bf5
Instruction Fuzzy Hash: 0E317031210205AFDF209E78DC45FEB7BA9EB48338F21472AF975922D0D778AC519754

Function 00466E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00466EED
VariantCopyInd.OLEAUT32(?,?), ref: 00466F08
VariantClear.OLEAUT32(?), ref: 00466F12

Strings

*jF, xrefs: 00466E8B, 00466E90, 00466EF8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jF
API String ID: 2173805711-3392568748
Opcode ID: cd5f1077f9571672e8d588c471ce99e63cf3dc401fc2dbd5dd48f9f92d3b6613
Instruction ID: 6de2da9f0326b4a2041103a222ed4b69bcdc90237033d5b8759724ce627c219a
Opcode Fuzzy Hash: cd5f1077f9571672e8d588c471ce99e63cf3dc401fc2dbd5dd48f9f92d3b6613
Instruction Fuzzy Hash: 6F31B371704205DFCB08AF65E8909BE3775EF84308B1104AEF8065B2A1D7389D12DBDE

Function 0048304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00483077,?,?), ref: 00483378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0048307A
_wcslen.LIBCMT ref: 0048309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00483106

Strings

255.255.255.255, xrefs: 00483095, 0048309A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2c70b04d5355e2bc115ce831f308f78862127d5d93b64bd96f75ea30fc539669
Instruction ID: 285a93b77c3d3ed3e9b560691309ecfd3242912dfdeec0dd63436009f81c7906
Opcode Fuzzy Hash: 2c70b04d5355e2bc115ce831f308f78862127d5d93b64bd96f75ea30fc539669
Instruction Fuzzy Hash: 9731F535600201DFCB10EF28C485EAE77E0EF15B19F24886AE8158B392C779EE42C765

Function 00494653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00494705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00494713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0049471A

Strings

msctls_updown32, xrefs: 00494684

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 23c8b7b152fe75fdfc6467790956a04e644075744727a90ad01813c248414afc
Instruction ID: cb52790c497286f8ce5b7de91d627fe49a0464525d65d285891c7fb7f9937efc
Opcode Fuzzy Hash: 23c8b7b152fe75fdfc6467790956a04e644075744727a90ad01813c248414afc
Instruction Fuzzy Hash: 8A2165B5600208AFDB10DF55DCD1D773BADEB9A358B14006AFA0097351D774EC12CA64

Function 004695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046961D

Strings

#OnAutoItStartRegister, xrefs: 004695F3
#notrayicon, xrefs: 004695B7
#requireadmin, xrefs: 004695D9

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 5d84ceffefde7cc67e9065f8dd92b3f4b6053c1133cb07ce4b476eab962502c8
Instruction ID: 92db3e0312e131ddcc12d84735b0dd0389c407085b613a7ecae2ca61b574a9db
Opcode Fuzzy Hash: 5d84ceffefde7cc67e9065f8dd92b3f4b6053c1133cb07ce4b476eab962502c8
Instruction Fuzzy Hash: D221F57220461066C721AA25D802FAB739C9F61314F54442BF94AE6181FBBDAD46C29F

Function 004937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00493840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00493850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00493876

Strings

Listbox, xrefs: 0049380F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cfacaf523655fb328c9910c8f2b0a9c2e74fedc94336a99e1fd67e23fffc4f95
Instruction ID: 8a9d39a12ed8b5cfa55d7752aa31a57177e4c8dd589084ff0fe160f21cf9084d
Opcode Fuzzy Hash: cfacaf523655fb328c9910c8f2b0a9c2e74fedc94336a99e1fd67e23fffc4f95
Instruction Fuzzy Hash: D821B072600118BBEF21DF95CC85FBB3BAAEF8A754F108136F9059B290C675DC5287A4

Function 004749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00474A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00474A5C
SetErrorMode.KERNEL32(00000000,?,?,0049CC08), ref: 00474AD0

Strings

%lu, xrefs: 00474A6F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 73af92db0b0559782d0fd6770a86a142ab82f764216e87a1e769cef45a771675
Instruction ID: df530c5760f7171ec6f3d07ee33d6c9139ef3a859cd9b124a1ee9dc24f4d8152
Opcode Fuzzy Hash: 73af92db0b0559782d0fd6770a86a142ab82f764216e87a1e769cef45a771675
Instruction Fuzzy Hash: 4F316575A00109AFDB10DF64C885EAA7BF8EF44308F1480AAF909EB352D775ED45CB69

Function 004941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0049424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00494264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00494271

Strings

msctls_trackbar32, xrefs: 00494226

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 78864fb44d737ef458aedb5c933010a09097bc0162def24c59e60035a9a0217b
Instruction ID: 9d8991d74e836ef3985734061df2e246540610c0161d576e753d19c50584e58e
Opcode Fuzzy Hash: 78864fb44d737ef458aedb5c933010a09097bc0162def24c59e60035a9a0217b
Instruction Fuzzy Hash: 0611E7312402087EEF205F29CC06FAB3BACEFD5764F11053AFA55E2190D275DC529B28

Function 00462F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Part of subcall function 00462DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00462DC5
Part of subcall function 00462DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00462DD6
Part of subcall function 00462DA7: GetCurrentThreadId.KERNEL32 ref: 00462DDD
Part of subcall function 00462DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00462DE4

GetFocus.USER32 ref: 00462F78

Part of subcall function 00462DEE: GetParent.USER32(00000000), ref: 00462DF9

GetClassNameW.USER32(?,?,00000100), ref: 00462FC3
EnumChildWindows.USER32(?,0046303B), ref: 00462FEB

Strings

%s%d, xrefs: 00462FFF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0c9f119176b258418091c11ee237925fe53c672ad50993792245eb1f5b0aa3bf
Instruction ID: 82fd7fc501bf372943fdddc3cc937b3277276978e4ba8ad9e090773954ace8d1
Opcode Fuzzy Hash: 0c9f119176b258418091c11ee237925fe53c672ad50993792245eb1f5b0aa3bf
Instruction Fuzzy Hash: D011D8B520020577CF007F61CCC5FED376A9F94308F14407BB9099B196EE7859498B65

Function 00495882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004958EE
DrawMenuBar.USER32(?), ref: 004958FD

Strings

0, xrefs: 0049588F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f2f005b147a0f3d77085bc4b1a77ac54fd0f615b78dbfea5c5a0abf7541ba167
Instruction ID: 83e1dcf050c05643123abd945a2fa757dd178eb3db84fdade57d0b8e2d2bd318
Opcode Fuzzy Hash: f2f005b147a0f3d77085bc4b1a77ac54fd0f615b78dbfea5c5a0abf7541ba167
Instruction Fuzzy Hash: 07013971500218EFDF229F21D844BAABBB4BB45760F2080AAE849D6251DB348A859F29

Function 0045D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0045D3BF
FreeLibrary.KERNEL32 ref: 0045D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0045D3B9
X64, xrefs: 0045D2A8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b6adb67ee163d7f37e6dd4a9f7452c879603423033646fc8a4f5558c059358cf
Instruction ID: 43432f940e0e203114d8ebc562b75f107543d3eb8a764d1fb67787ffffe4334a
Opcode Fuzzy Hash: b6adb67ee163d7f37e6dd4a9f7452c879603423033646fc8a4f5558c059358cf
Instruction Fuzzy Hash: CCF05531C06A209BD73143109C94AAA3710AF10703F9481BBFC02E221BDB2CCD8D8E8F

Function 0046007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecade4058146d6d35f781e3e606741af9ad73b5b9492593b64386777867617e7
Instruction ID: 94c9c41509d1e4c5a8e08a38e1b7b6842f61b44e81293f867b60021e2a4278a4
Opcode Fuzzy Hash: ecade4058146d6d35f781e3e606741af9ad73b5b9492593b64386777867617e7
Instruction Fuzzy Hash: 0FC15B75A00206EFDB14CFA4C894AAFB7B5FF48304F10859AE905EB251E735ED82CB95

Function 0048342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00483459
CoUninitialize.OLE32 ref: 00483463
VariantInit.OLEAUT32(?), ref: 0048346E
VariantClear.OLEAUT32(?), ref: 0048371B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: abafa171fae3fda4dba74323ac88a1efcd320e5409a992ed29497c694f1cea0b
Instruction ID: 570cbaaab2342c233ebb97c5c5b9c444c4d80ccb1daae5e6e76c48cb97dd4743
Opcode Fuzzy Hash: abafa171fae3fda4dba74323ac88a1efcd320e5409a992ed29497c694f1cea0b
Instruction Fuzzy Hash: 17A16F75604200AFC710EF29C485A5EB7E5FF88719F04885EF949AB3A1DB38ED41CB5A

Function 00460436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0049FC08,?), ref: 004605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0049FC08,?), ref: 00460608
CLSIDFromProgID.OLE32(?,?,00000000,0049CC40,000000FF,?,00000000,00000800,00000000,?,0049FC08,?), ref: 0046062D
_memcmp.LIBVCRUNTIME ref: 0046064E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cbd5f666aa106cea6d9603c1148a75860384156e2eb44ce4e541e376e2cfc3ea
Instruction ID: f9a59b8346efa6e10ba7795abcb0c6171adc659268d755ba3f0ce48382549377
Opcode Fuzzy Hash: cbd5f666aa106cea6d9603c1148a75860384156e2eb44ce4e541e376e2cfc3ea
Instruction Fuzzy Hash: E4815971A00209EFCB04DF94C984EEFB7B9FF89315F204169E506AB250DB75AE06CB65

Function 0048A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0048A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0048A6BA

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Process32NextW.KERNEL32(00000000,?), ref: 0048A79C
CloseHandle.KERNEL32(00000000), ref: 0048A7AB

Part of subcall function 0041CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00443303,?), ref: 0041CE8A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e8ed07733fba80d8ef3371438869bf8d76030300d570ff76e4d043e37f78fc7c
Instruction ID: 2fb6e68db42923f4ef2dbf57205bcc35e8d348dbbe2b431b4c5cce30a2e3f606
Opcode Fuzzy Hash: e8ed07733fba80d8ef3371438869bf8d76030300d570ff76e4d043e37f78fc7c
Instruction Fuzzy Hash: 815150715083009FD710EF25C886A5FBBE8FF89758F00892EF985A7291EB74D904CB96

Function 00441391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004414C0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6dd62e419302532069c506016c626128008f7196fd3326eb196f11de1745a17c
Instruction ID: 02eb6fbf82337425a1bdca52d7c6f1392c4afccab4a99a9cb4b0804c59c437be
Opcode Fuzzy Hash: 6dd62e419302532069c506016c626128008f7196fd3326eb196f11de1745a17c
Instruction Fuzzy Hash: E9415031A00510ABFB257BBA9C466AF3AB4EF46374F14027BF418D22E1E67C4881567E

Function 00496278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004962E2
ScreenToClient.USER32(?,?), ref: 00496315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00496382

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8ff6126bd4dbe2165df318716aaafbe08c161f45f1ee59df23545c50577d147b
Instruction ID: acd17833047793f661cc75963ab42a23303c6dd3afac53a11c8f06da8abf5692
Opcode Fuzzy Hash: 8ff6126bd4dbe2165df318716aaafbe08c161f45f1ee59df23545c50577d147b
Instruction Fuzzy Hash: 05512974A00209AFDF20DF68D890AAE7BB5EF55364F11817AF8159B3A0D734ED81CB54

Function 00481AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00481AFD
WSAGetLastError.WSOCK32 ref: 00481B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00481B8A
WSAGetLastError.WSOCK32 ref: 00481B94

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 357181b83124c342bd93e3bae6cd8245922a1b3b9e689de9a9f956bcb3892dc8
Instruction ID: 27d5f7e5e0494daf054d57574bee0fb3d261d84db41f2ed9cb4e1c6f7c1bcb7e
Opcode Fuzzy Hash: 357181b83124c342bd93e3bae6cd8245922a1b3b9e689de9a9f956bcb3892dc8
Instruction Fuzzy Hash: 93410734600200AFD720AF25C886F6A77E5AB4471CF5484AEF5169F3D2D779ED82CB94

Function 0043B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction ID: e7627aa7255900311f934eb1525651e43d661f0787cc4fdac451f9efa051cafa
Opcode Fuzzy Hash: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction Fuzzy Hash: 82413875A00304BFE7249F39CC41B6ABBA9EB9C714F20952FF201DB291D379990187D8

Function 004756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00475783
GetLastError.KERNEL32(?,00000000), ref: 004757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004757FA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 92ca9afd8fe41bba47b12c9aa4ef774f677980ddcb92bd2aed9e314b4f82b91b
Instruction ID: f13808aea30b6ca16b11c775e8dbcf1b0d9e98dbc966274dcfaaa9eae21a4d25
Opcode Fuzzy Hash: 92ca9afd8fe41bba47b12c9aa4ef774f677980ddcb92bd2aed9e314b4f82b91b
Instruction Fuzzy Hash: 95412035600610DFCB11EF15C484A5EBBE1EF89318B15C499E84A6F3A1CB78FD40CB9A

Function 0043D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00426D71,00000000,00000000,004282D9,?,004282D9,?,00000001,00426D71,?,00000001,004282D9,004282D9), ref: 0043D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0043D9AB
__freea.LIBCMT ref: 0043D9B4

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9ca8838d67c80da80add7f0228582bfa6c55ad9ab9b7d5d82d1829862c59d564
Instruction ID: a53e0f3f1ef5dc868c73918eac7b199a89ae92d9bee37d62cdb11fb19589dfe8
Opcode Fuzzy Hash: 9ca8838d67c80da80add7f0228582bfa6c55ad9ab9b7d5d82d1829862c59d564
Instruction Fuzzy Hash: F8319FB2E0021AABDB259F65EC81EAF7BA5EF48310F05416AFC04D6251E739DD50CB94

Function 004952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00495352
GetWindowLongW.USER32(?,000000F0), ref: 00495375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00495382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004953A8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 511d5fb108f8a9e0f4715d13bedb196e9b3d0666c99cb93b483389f7228505c9
Instruction ID: 0ba8443947eaa0b957b328e53b3c9f677e901b32d7279b64616371192311d226
Opcode Fuzzy Hash: 511d5fb108f8a9e0f4715d13bedb196e9b3d0666c99cb93b483389f7228505c9
Instruction Fuzzy Hash: C931F430A55A08EFEF329E54CC55BEA3F61AB04390F684133FE00962E0C3B89D40974A

Function 0046AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0046ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0046AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0046AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0046ACC6

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: da4e50ac3e50fd23d4db430a3597b4f20b680fab065b9ad7b9561f43606702b3
Instruction ID: 6b5f9ad4c50b4a72a5369b585876ced4ef989ed1503ca5ba201891c5ba0d6f35
Opcode Fuzzy Hash: da4e50ac3e50fd23d4db430a3597b4f20b680fab065b9ad7b9561f43606702b3
Instruction Fuzzy Hash: 5B312830A00B186FEF34CB658C087FB7BA5AB45310F04422BE485A22D0E37D9DA19B5B

Function 00497674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0049769A
GetWindowRect.USER32(?,?), ref: 00497710
PtInRect.USER32(?,?,00498B89), ref: 00497720
MessageBeep.USER32(00000000), ref: 0049778C

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe15a9e217fd7bcb431764799ed8c7dc07bd2885b048f42fb569177d8cc43f4a
Instruction ID: 3148850e934442bae9ab9e8f245fa14f7965a9a10bb23296050446444e877a0a
Opcode Fuzzy Hash: fe15a9e217fd7bcb431764799ed8c7dc07bd2885b048f42fb569177d8cc43f4a
Instruction Fuzzy Hash: D3414A74619214EFCF11CF98C894EA97BF5BB49314F1941FAE8149B361C738A941CB98

Function 004916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004916EB

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

GetCaretPos.USER32(?), ref: 004916FF
ClientToScreen.USER32(00000000,?), ref: 0049174C
GetForegroundWindow.USER32 ref: 00491752

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 11bec0e1d696e26015cd59d74202ba3a32b375971c8823a83a654b90efd21bfd
Instruction ID: 5366e923fa50b84878cb882f274bea31430ab8f9376de0b384123f59fd705def
Opcode Fuzzy Hash: 11bec0e1d696e26015cd59d74202ba3a32b375971c8823a83a654b90efd21bfd
Instruction Fuzzy Hash: 99311275D00149AFDB00EFA6C8C1CAEBBF9EF48308B5480BEE415E7251D6359E45CBA5

Function 00498FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

GetCursorPos.USER32(?), ref: 00499001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00457711,?,?,?,?,?), ref: 00499016
GetCursorPos.USER32(?), ref: 0049905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00457711,?,?,?), ref: 00499094

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 99250d01f5c890f46d6bf173303ea69ace29be20169c62719047dd2fe6ac5d5c
Instruction ID: cec915663ca2c8bb586f83bcaca78c357c621a7dc6f8ca8e30b19da9d674b97e
Opcode Fuzzy Hash: 99250d01f5c890f46d6bf173303ea69ace29be20169c62719047dd2fe6ac5d5c
Instruction Fuzzy Hash: BE217E35600018BFCF258F99C898EEA7FB9EB49360F04407AF91547261C33A9DA0DB64

Function 0046D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0049CB68), ref: 0046D2FB
GetLastError.KERNEL32 ref: 0046D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0049CB68), ref: 0046D376

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a328578aa3fa1b59e8181e21dfa356f2da495c5afe57d429407714ed93bcf902
Instruction ID: f89fce8798b4be60d35f4643ff900d9e52ff374399ac8a38389119623698ce0a
Opcode Fuzzy Hash: a328578aa3fa1b59e8181e21dfa356f2da495c5afe57d429407714ed93bcf902
Instruction Fuzzy Hash: AE218070E042019FC710DF24C88186B77E4AE55368F504A2FF899D73E1E7349986CB9B

Function 00461571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00461014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0046102A
Part of subcall function 00461014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00461036
Part of subcall function 00461014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461045
Part of subcall function 00461014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0046104C
Part of subcall function 00461014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004615BE
_memcmp.LIBVCRUNTIME ref: 004615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00461617
HeapFree.KERNEL32(00000000), ref: 0046161E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c087934f54d4d3e469edce298c60a4ada1a724d013764d94ebe7646084812df3
Instruction ID: 50c26a26040ff8dbda8b13f57dc9cd37f0013f6c500579c25d0b33cfc995a18a
Opcode Fuzzy Hash: c087934f54d4d3e469edce298c60a4ada1a724d013764d94ebe7646084812df3
Instruction Fuzzy Hash: B921A131E40108EFDF00DFA4C945BEFB7B8EF54354F08445AE441A7261E734AA05CBA9

Function 00492782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0049280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00492824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00492832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00492840

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 28a8f61a0714213bd25370959e1bd8556fef1dbaee07f1766c68448d7cb54261
Instruction ID: 8f022e8f9d96002622f07904c5b1bdddc3a109718bdd758345d8f015df80652a
Opcode Fuzzy Hash: 28a8f61a0714213bd25370959e1bd8556fef1dbaee07f1766c68448d7cb54261
Instruction Fuzzy Hash: 6B21B231204511BFDB14DB24CD84FAA7B95AF45328F14827AF4169B6E2C7B9EC42C7D8

Function 004678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00468D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0046790A,?,000000FF,?,00468754,00000000,?,0000001C,?,?), ref: 00468D8C
Part of subcall function 00468D7D: lstrcpyW.KERNEL32(00000000,?,?,0046790A,?,000000FF,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00468DB2
Part of subcall function 00468D7D: lstrcmpiW.KERNEL32(00000000,?,0046790A,?,000000FF,?,00468754,00000000,?,0000001C,?,?), ref: 00468DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00467923
lstrcpyW.KERNEL32(00000000,?,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00467949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00467984

Strings

cdecl, xrefs: 0046797B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a0b1cff22cef38d5c217245e9b958bd42ae6ef26455dc178a95b457d12cbc90e
Instruction ID: 53f48bd44cf00279fb8665855dee4d1e5cccdd5f11d70974a3dc63400054e2da
Opcode Fuzzy Hash: a0b1cff22cef38d5c217245e9b958bd42ae6ef26455dc178a95b457d12cbc90e
Instruction Fuzzy Hash: A511E47A200301ABDB159F39C845E7B77E5EF55354B50402FE802C7364FB359805C76A

Function 00497CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00497D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00497D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00497D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047B7AD,00000000), ref: 00497D6B

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c48783ea1269044cc06a5b4679fec9ed2c710974cb6f5e17140b1ae12aad3cf1
Instruction ID: 36d89845a5b792bb5df94f8ccc2f4525689deb094a6e29e64df14a7c4e0ee7f9
Opcode Fuzzy Hash: c48783ea1269044cc06a5b4679fec9ed2c710974cb6f5e17140b1ae12aad3cf1
Instruction Fuzzy Hash: C911AC71225614AFCF109F28CC08AA63BA4AF85360F118336F839C72F0D7349D51CB58

Function 00495660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004956BB
_wcslen.LIBCMT ref: 004956CD
_wcslen.LIBCMT ref: 004956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00495816

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 82f448525df5596a1c6b9b3e414411d84ac42887d1fbcc34259e459b6fa5f1bd
Instruction ID: 8c45eedf7b365e18674649eb3225455f92985a3dc9cc18e629b01723ff380147
Opcode Fuzzy Hash: 82f448525df5596a1c6b9b3e414411d84ac42887d1fbcc34259e459b6fa5f1bd
Instruction Fuzzy Hash: 9411E471600614A6DF21DF61DC81AEF3B7CEF11764B60403BF915D6181E7788984CB68

Function 00431D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263787d79e6ecb710ba77786fe4c764c9dd887a2337dd1265883a7bdf31fa0d6
Instruction ID: 83260ab32fbe65696b986a77e9d0efb3107799688b390c04b0f6234a9b667697
Opcode Fuzzy Hash: 263787d79e6ecb710ba77786fe4c764c9dd887a2337dd1265883a7bdf31fa0d6
Instruction Fuzzy Hash: 40018FB22056163EF6211A797CC1F67661DDF4A3B8F30233BF521512E2DB68AC004168

Function 00461A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00461A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A8A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ecb82eb4b60301f1cc60a35434cffae2a92b3d6cde291a4d691fbdf649d211d8
Instruction ID: e331da36a062e35d37fa976fa192a343b57a296fe21c17f286506a53c3623515
Opcode Fuzzy Hash: ecb82eb4b60301f1cc60a35434cffae2a92b3d6cde291a4d691fbdf649d211d8
Instruction Fuzzy Hash: E4113C3AD01219FFEB10DBE5CD85FADBB78EB04750F2404A2E604B7290D6716E50DB98

Function 0046E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0046E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0046E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0046E24D

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 39a9744079d8c27fbf30827386d6fa972f428657d55f2c39bc6967969ff0ae50
Instruction ID: ed460d70f0ccfbd7bd935a062b0e4119e6a50dfc0c374fbaf66538ad3b79bcf8
Opcode Fuzzy Hash: 39a9744079d8c27fbf30827386d6fa972f428657d55f2c39bc6967969ff0ae50
Instruction Fuzzy Hash: 98110876A04214BBD7019BA99C49A9F7FADAB45310F004277FC14D3291E2748D0487A9

Function 0042D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0042CFF9,00000000,00000004,00000000), ref: 0042D218
GetLastError.KERNEL32 ref: 0042D224
__dosmaperr.LIBCMT ref: 0042D22B
ResumeThread.KERNEL32(00000000), ref: 0042D249

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d71c01c8223f455c691f7a2305e40d5149a69b7bc07c5e8b9ca6ecbc1125fc43
Instruction ID: db17610a689030999de63ba8fcbc3e52e12f0af083c40483d8da24f3cba52d70
Opcode Fuzzy Hash: d71c01c8223f455c691f7a2305e40d5149a69b7bc07c5e8b9ca6ecbc1125fc43
Instruction Fuzzy Hash: 7D012632E04124BBCB205BA6EC09BAF7A68DF81334F90026BF824921D0CF758801C6B9

Function 00499EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

GetClientRect.USER32(?,?), ref: 00499F31
GetCursorPos.USER32(?), ref: 00499F3B
ScreenToClient.USER32(?,?), ref: 00499F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00499F7A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1ae53cd7b0a0687203d2c5239f6bba26341d1424229240be34718ad16afdb613
Instruction ID: 774e143c1741efea5f4c2d169dd354b153da474e82212f8c5c79de4a227c8fb5
Opcode Fuzzy Hash: 1ae53cd7b0a0687203d2c5239f6bba26341d1424229240be34718ad16afdb613
Instruction Fuzzy Hash: FB11063290051ABBDF10DFA9D8859EEBBB9FB45315F40046AF911E3150D738BE81CBA9

Function 0040600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
GetStockObject.GDI32(00000011), ref: 00406060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 74a43f8d5f4b6556e27c767d339bd78e9a4df1997d438f21f7593aeb8d606bea
Instruction ID: fd46379a06a9b4beca9d1fcf9947322c6b43099cf34201dfad0d32ce35ad4846
Opcode Fuzzy Hash: 74a43f8d5f4b6556e27c767d339bd78e9a4df1997d438f21f7593aeb8d606bea
Instruction Fuzzy Hash: 7F11A172501509BFEF128FA4CC44EEB7B69EF18354F010127FA0562150C7369C60DBA8

Function 00423B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00423B56

Part of subcall function 00423AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00423AD2
Part of subcall function 00423AA3: ___AdjustPointer.LIBCMT ref: 00423AED

_UnwindNestedFrames.LIBCMT ref: 00423B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00423B7C
CallCatchBlock.LIBVCRUNTIME ref: 00423BA4

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cba2e192927fabe95338e8f2681ba899014443c4ece5666d716a894a48ca39e4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 70018032200158BBCF116E96DC42EEB7F7DEF88759F44401AFE0856121C33AE961DBA4

Function 00433073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004013C6,00000000,00000000,?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue), ref: 004330A5
GetLastError.KERNEL32(?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue,004A2290,FlsSetValue,00000000,00000364,?,00432E46), ref: 004330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue,004A2290,FlsSetValue,00000000), ref: 004330BF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ac4e29826eddcbdc6b1d3ee23073d414a3116961cdf09809dc0df61eea881cc1
Instruction ID: 928eb022ac10566a03ecd672be19be6db230cea969cd428a119e7f46e4e38b1b
Opcode Fuzzy Hash: ac4e29826eddcbdc6b1d3ee23073d414a3116961cdf09809dc0df61eea881cc1
Instruction Fuzzy Hash: E4012032742622ABCB354F789C84A577BA89F49B73F100632F905D7294C725D901C6E8

Function 00467464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0046747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00467497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004674CA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7944630ef19536910aee981060a8da3353241e127b9519e7ef58df84406ec64f
Instruction ID: beb988d59e00a62ee2ce3875196cc7b0ebf39a15ac90f3719256e2de0d627e3a
Opcode Fuzzy Hash: 7944630ef19536910aee981060a8da3353241e127b9519e7ef58df84406ec64f
Instruction Fuzzy Hash: 1D11A1B5205310ABE7208F14DD4DB927BFCEB40B08F10856BE616D6151EB78E904DFA6

Function 0046B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B126

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c75bb97d45f2952945b32a975a796f0114d2e7ce6c5e78c3969ed1c5ee721cc8
Instruction ID: 390784155f30ae1bbc1060f16be08973ec1ab4dc5c89e85098efdbc7250ea085
Opcode Fuzzy Hash: c75bb97d45f2952945b32a975a796f0114d2e7ce6c5e78c3969ed1c5ee721cc8
Instruction Fuzzy Hash: B8118E30C0051CEBCF009FE4D9996EEBF78FF5A310F0040A7D941B2245DB3485918B9A

Function 00497E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00497E33
ScreenToClient.USER32(?,?), ref: 00497E4B
ScreenToClient.USER32(?,?), ref: 00497E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00497E8A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8f4618f3518238f39cdb16e48760a598caf28590336b8f7a8231a04e39251ab6
Instruction ID: ee915d00d38b21631e0a2526db825e6a7f0575c166e39680a43bc7771677703d
Opcode Fuzzy Hash: 8f4618f3518238f39cdb16e48760a598caf28590336b8f7a8231a04e39251ab6
Instruction Fuzzy Hash: 3A1140B9D0024AAFDF41CF98C884AEEBBF9FB18310F509066E915E2210D735AA54CF94

Function 00462DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00462DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00462DD6
GetCurrentThreadId.KERNEL32 ref: 00462DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00462DE4

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 59508c552e3cc7491b23046f1937814a2dca9f13bfeb44d5ad3e72d8d76b17d0
Instruction ID: c59a90da35369f06fa3de70585eb304e511b357d78ff98191718303dcb8779a5
Opcode Fuzzy Hash: 59508c552e3cc7491b23046f1937814a2dca9f13bfeb44d5ad3e72d8d76b17d0
Instruction Fuzzy Hash: C1E092711416247BDB201B729D4EFEB3E6CEFA2BA1F400437F105D1090AAE5C841C6BA

Function 00498863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00419639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196A2
Part of subcall function 00419639: BeginPath.GDI32(?), ref: 004196B9
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00498887
LineTo.GDI32(?,?,?), ref: 00498894
EndPath.GDI32(?), ref: 004988A4
StrokePath.GDI32(?), ref: 004988B2

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7bc6e9994dd55fd8f7022c5eb541b94d13f54f74bed9d9188e9eeb692abb72c1
Instruction ID: eb68587b9d3d583e4183ff923d5e6d3c68104ba52187840049a69319356bc4ea
Opcode Fuzzy Hash: 7bc6e9994dd55fd8f7022c5eb541b94d13f54f74bed9d9188e9eeb692abb72c1
Instruction Fuzzy Hash: 2BF03A36042258FADB126F94AC0EFCA3F59AF16310F048066FA11651E1C7795551CFBD

Function 004198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004198CC
SetTextColor.GDI32(?,?), ref: 004198D6
SetBkMode.GDI32(?,00000001), ref: 004198E9
GetStockObject.GDI32(00000005), ref: 004198F1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 11c5f26b568b1e63640573b31119633356310989e2e78dd41cfbb696616d4c47
Instruction ID: ac45f2cb34c74f59573de4f4a4e1fc36368f674dfcfe5289bf1e9ed062af58a6
Opcode Fuzzy Hash: 11c5f26b568b1e63640573b31119633356310989e2e78dd41cfbb696616d4c47
Instruction Fuzzy Hash: CCE06531244244BBDB215B74BC49BD93F10AB22336F04823BF6FA541E2C77546449F18

Function 0046162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00461634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004611D9), ref: 0046163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004611D9), ref: 00461648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004611D9), ref: 0046164F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8df5ca83e93e752b04bd363793e9e7352183de52f3d8b77dce073e3b21016991
Instruction ID: 411b68ab35329f549b658a19f561e1be6e4162bf62ad0a2b59965ea8ee78cb1b
Opcode Fuzzy Hash: 8df5ca83e93e752b04bd363793e9e7352183de52f3d8b77dce073e3b21016991
Instruction Fuzzy Hash: 06E08635601211EBD7201FE09E4DB473B7CAF64791F18883AF646C9090E6384440C7A9

Function 0045D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045D858
GetDC.USER32(00000000), ref: 0045D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0045D882
ReleaseDC.USER32(?), ref: 0045D8A3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4ea8d5ce215699fcaba80896e02c5fb2d702ccddd7793033bb46af41cf8c6fe7
Instruction ID: 14c8cf753dd7c871a1456890bbb6bf6f828af7fb0b92da75c78c6187f48285f7
Opcode Fuzzy Hash: 4ea8d5ce215699fcaba80896e02c5fb2d702ccddd7793033bb46af41cf8c6fe7
Instruction Fuzzy Hash: 9FE01AB1C00205DFCF41AFA1D88866DBBB2FB18311F14803AE806E7250CB399942AF59

Function 0045D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045D86C
GetDC.USER32(00000000), ref: 0045D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0045D882
ReleaseDC.USER32(?), ref: 0045D8A3

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a5986440429c24ebaa17a80c779d8c3fae3533a4e75e0991a34354b205f4686e
Instruction ID: 241a95357ab9049e6a5c98e18df3fa8369b260ced04cdedd243e354f444b0b92
Opcode Fuzzy Hash: a5986440429c24ebaa17a80c779d8c3fae3533a4e75e0991a34354b205f4686e
Instruction Fuzzy Hash: 3BE01AB1C00200DFCF409FA0D88866DBBB1BB18310F14802AE806E7250CB3859029F58

Function 00474D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00474ED4

Strings

*, xrefs: 00474E10
LPT, xrefs: 00474DFB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6298b25888bbe2ece275cbb3bed2460f3b30992f4e0f5efd384c4c2649b47b5b
Instruction ID: 049d17bd669cf1602bf8e65d896af253228af9f88d60f18a8b1b7b90b9fbb2ad
Opcode Fuzzy Hash: 6298b25888bbe2ece275cbb3bed2460f3b30992f4e0f5efd384c4c2649b47b5b
Instruction Fuzzy Hash: 0D915075A002149FCB14DF54C484EEABBF1AF84318F19C09AE40A9F392D739ED86CB95

Function 0042E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042E30D

Strings

pow, xrefs: 0042E2E5, 0042E302

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b7cb9af4af866a8c42950cd0739b5cf10434c4bccb06c92a1e51be8634eb1266
Instruction ID: 2821bb0f82b8bdc5c553cb181ba7bf057006bf9471061ee984d9b40e4d5b8bc7
Opcode Fuzzy Hash: b7cb9af4af866a8c42950cd0739b5cf10434c4bccb06c92a1e51be8634eb1266
Instruction Fuzzy Hash: 47517EA1B0C10296DB31B719E94237B3B94AF44741F7099ABE4D6423E9DB3D8C819A4E

Function 00487771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0045569E,00000000,?,0049CC08,?,00000000,00000000), ref: 004878DD

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

CharUpperBuffW.USER32(0045569E,00000000,?,0049CC08,00000000,?,00000000,00000000), ref: 0048783B

Strings

<sL, xrefs: 004877C8

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sL
API String ID: 3544283678-2840126056
Opcode ID: 5748959d27f900664ddc78cb2de64b8d31efa6dc2385487def3a1804e03c8f01
Instruction ID: 8b3ffcb8c07145f5c2d773d2e34e2ba3481769b4097090b6d640319bd0ba8491
Opcode Fuzzy Hash: 5748959d27f900664ddc78cb2de64b8d31efa6dc2385487def3a1804e03c8f01
Instruction Fuzzy Hash: F4615172914118AACF04FBA5CCA1DFEB378BF14704B54453BE542B3191EF389A05CBA9

Function 0041E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0041E1B1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c07d687d0d344e73f2dfd5cb023900affe16d9ffcc76a2759b3c5057d0788e8
Instruction ID: bbf735d9ad7b58113628b44a8e7decb8f79f59637d8e95e5a96792833a3e29c1
Opcode Fuzzy Hash: 7c07d687d0d344e73f2dfd5cb023900affe16d9ffcc76a2759b3c5057d0788e8
Instruction Fuzzy Hash: AA513339900206DFDB18DF2AC090AFA7BA8EF19311F24405BEC519B3C1D6389E87CB58

Function 0041F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0041F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0041F2BB

Strings

@, xrefs: 0041F2AF

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f90ac7e9df806ae8e8400d4f6093d91cfacfe7719c73916ef53f5c2671a71f02
Instruction ID: e3e0bbd6b779b80f1574f1121f07a00789148acc9043f5faf18348846043bd1c
Opcode Fuzzy Hash: f90ac7e9df806ae8e8400d4f6093d91cfacfe7719c73916ef53f5c2671a71f02
Instruction Fuzzy Hash: C45168714087459BD320AF11DC86BABBBF8FB84304F81896EF1D9510A5EB349529CB6B

Function 00485745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004857E0
_wcslen.LIBCMT ref: 004857EC

Strings

CALLARGARRAY, xrefs: 004857E6, 004857EB

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 277de8ae07a91c271c30dd996ca815bcb47939fb0f3ddf794e180ae5fbe4e829
Instruction ID: b902548b1097622b2b007de64ea02a7a2c39ba15d2589f4f2ea8c250aefa9038
Opcode Fuzzy Hash: 277de8ae07a91c271c30dd996ca815bcb47939fb0f3ddf794e180ae5fbe4e829
Instruction Fuzzy Hash: 2C41B131E002059FCB14FFAAC8818AEBBB5EF59354F10442FE505A7391E7389D81CB98

Function 0047D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0047D13A

Strings

|, xrefs: 0047D10B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ba85e0ec0627377281ecdcaabcc0fed5c30b1968579b691c4cdeacdacddbf4ec
Instruction ID: 877ede918cba692cdcd5a11f51ef432f6379ab5f4c14447815848413bd8f36df
Opcode Fuzzy Hash: ba85e0ec0627377281ecdcaabcc0fed5c30b1968579b691c4cdeacdacddbf4ec
Instruction Fuzzy Hash: 78311E71D10219ABCF15EFA5CC85AEE7FB9FF04304F40402AF819B6261D7359956CBA4

Function 0049356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00493621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0049365C

Strings

static, xrefs: 004935BC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fa237b25923d0265f40b8663ab38f2609312e88f27b505557785ea2994667bfe
Instruction ID: 13b23a05629a1c422e1ebffbf61b2ca35784a7eaad30f15237478ec74bdf463b
Opcode Fuzzy Hash: fa237b25923d0265f40b8663ab38f2609312e88f27b505557785ea2994667bfe
Instruction Fuzzy Hash: 2231A171100204AADB20DF68DC80EFB77A9FF49724F00862EF855D7280DA39AD81C768

Function 00494537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0049461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00494634

Strings

', xrefs: 0049458E

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f9aac446b699ccde0d962463543365e2f8ff15e65cc60a94f0a32b8828f95919
Instruction ID: b670a6df3bfb36399edf79c3a21aa4b452bd0c69e87ca9b6b1efca1536d34c0b
Opcode Fuzzy Hash: f9aac446b699ccde0d962463543365e2f8ff15e65cc60a94f0a32b8828f95919
Instruction Fuzzy Hash: 803137B4A01209AFDF14CFA9C990BDA7BB5FB49310F11407AEA04AB391D734A942CF94

Function 004931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0049327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00493287

Strings

Combobox, xrefs: 00493249

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b2e6bd7bde28a5fca05dee674e077ab900e0af6054f5d2a78211b50724a9ec20
Instruction ID: 53c26a8419a2af9500000f2e8faa10e46a2095fa3473df88d3b17126a3616a67
Opcode Fuzzy Hash: b2e6bd7bde28a5fca05dee674e077ab900e0af6054f5d2a78211b50724a9ec20
Instruction Fuzzy Hash: 1A11E2713002087FFF21DF94DC80EBB3B6AEB953A9F10013AF918A7290D6399D518764

Function 00493710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0040600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
Part of subcall function 0040600E: GetStockObject.GDI32(00000011), ref: 00406060
Part of subcall function 0040600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

GetWindowRect.USER32(00000000,?), ref: 0049377A
GetSysColor.USER32(00000012), ref: 00493794

Strings

static, xrefs: 00493757

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: abd42e7da819cb3714455c727f5ce1a7d6fb2b90bfbab7ca4dd80a61a0709472
Instruction ID: b11262674f5e18e9993189c4d7777c52fd53b031a25f2c3957537cd78a81b65d
Opcode Fuzzy Hash: abd42e7da819cb3714455c727f5ce1a7d6fb2b90bfbab7ca4dd80a61a0709472
Instruction Fuzzy Hash: F0113AB2610209AFDF00DFA8CC46EEA7BB8FB09315F01496AFD55E2250D739E8619B54

Function 0047CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0047CDA6

Strings

<local>, xrefs: 0047CD66

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d89e58862155fc217246a4b1e07bb642df3261dbfdeb7b68bd711acd35ac8a90
Instruction ID: 8339a9b9194697649c21a59ed4a72e8ab03c1194750d865b6d1bcbb7212598fa
Opcode Fuzzy Hash: d89e58862155fc217246a4b1e07bb642df3261dbfdeb7b68bd711acd35ac8a90
Instruction Fuzzy Hash: 6B11A371245632BAD7344A668CC5FE7BEACEB527A4F00823FB10D92180D6689841D6F4

Function 00493429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004934BA

Strings

edit, xrefs: 0049348F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 665bea3e8908f2a30d1b24ab1824d2e4a124b83566d2ed456025cb0841e0e1cb
Instruction ID: 99ad80856f2139ecd37a81d857a61cbe63f5ec37252cfc98367f74baf7ca364f
Opcode Fuzzy Hash: 665bea3e8908f2a30d1b24ab1824d2e4a124b83566d2ed456025cb0841e0e1cb
Instruction Fuzzy Hash: 4E11BF71100108ABEF118F64DC84AAB3BAAEB16379F514336F961932E0C739EC519B68

Function 00466C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

CharUpperBuffW.USER32(?,?,?), ref: 00466CB6
_wcslen.LIBCMT ref: 00466CC2

Strings

STOP, xrefs: 00466CBC, 00466CC1

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: dc70c5d4ee27dc69aa86e32f5615b99e17181f250a9658c833637702a8fd888e
Instruction ID: 2fdac53f4e714fa6a7d542c033d70be5027df1260e0617ae96c54ed08d1e7e48
Opcode Fuzzy Hash: dc70c5d4ee27dc69aa86e32f5615b99e17181f250a9658c833637702a8fd888e
Instruction Fuzzy Hash: 33010432A109268ACB20AFBDDC809BF73A4EE60714702053BE86292291FB39DC40C659

Function 00461CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00461D4C

Strings

ComboBox, xrefs: 00461CEB
ListBox, xrefs: 00461D16

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 46b9ffecef197e977dee657811c4232e751ad30d12dfd667bee5add6704154d2
Instruction ID: 570971fb8cece20fc1dc483e0dfee5048e91cb1b86e2a5e28ae5dd1f74e49274
Opcode Fuzzy Hash: 46b9ffecef197e977dee657811c4232e751ad30d12dfd667bee5add6704154d2
Instruction Fuzzy Hash: E001B576601214ABCB04EBA4CC51DFF7768EB56394F14052FB822673D2FA386D08866A

Function 00461BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00461C46

Strings

ComboBox, xrefs: 00461BE5
ListBox, xrefs: 00461C10

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cb895c6372d0d6fae9861d0dd1e860a741e0e1362341cb1efa1fda6e7dfd6e9a
Instruction ID: 0597a438504da59e00f8abc4464d5a247d5c7bee5e0e142cd15731590097fbc9
Opcode Fuzzy Hash: cb895c6372d0d6fae9861d0dd1e860a741e0e1362341cb1efa1fda6e7dfd6e9a
Instruction Fuzzy Hash: B601A776A8110466DB14EB91C952EFF77A89B11344F14002FB906772D2FA38AE18D6BB

Function 00461C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00461CC8

Strings

ComboBox, xrefs: 00461C69
ListBox, xrefs: 00461C94

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c2a5318a73241cc1dc5b1058b879896892afc14fe025959285147d941a2474ba
Instruction ID: a10a4e44750d24e2bdb598702259e0ba1e539dbd7a79f56e067323db74a2a14c
Opcode Fuzzy Hash: c2a5318a73241cc1dc5b1058b879896892afc14fe025959285147d941a2474ba
Instruction Fuzzy Hash: 0D01A7B6A4015466DB04EB91CA01EFF77A89B11344F14002BB801732D2FA389F08D67B

Function 0041A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041A529

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Strings

,%M, xrefs: 0041A509
3yE, xrefs: 0041A545, 0041A54D, 0041A552

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%M$3yE
API String ID: 2551934079-2470809835
Opcode ID: b56e633070973a4b0827c1245d19bcaa9b428485a07fc54579d19c4242eef372
Instruction ID: 137d309c537f08a502bcebdcbeb51410c9490a45075ad08a3231cdcb7726ddd3
Opcode Fuzzy Hash: b56e633070973a4b0827c1245d19bcaa9b428485a07fc54579d19c4242eef372
Instruction Fuzzy Hash: 08014731706210A7CA00F769B96BAAE33659B05754F90006FF501272C3DE6C6D81869F

Function 00461D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00461DD3

Strings

ComboBox, xrefs: 00461D75
ListBox, xrefs: 00461DA0

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e2a99d702e963d45345ebd4959a011b98e478b3596a0cfe6e0c37ae30cbe959c
Instruction ID: c0beb8e45727719bae406787afb75ef72389f4d79f3591acad8fe8af3703b57d
Opcode Fuzzy Hash: e2a99d702e963d45345ebd4959a011b98e478b3596a0cfe6e0c37ae30cbe959c
Instruction Fuzzy Hash: 52F0A976E5121466D704F7A5CC51FFF7768AB11354F14092FB822732D2FA787D08826A

Function 00498172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D3018,004D305C), ref: 004981BF
CloseHandle.KERNEL32 ref: 004981D1

Strings

\0M, xrefs: 0049818A

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0M
API String ID: 3712363035-1305216280
Opcode ID: ad4302e00514b246930092051f5da298722bef87b003d669d467c42e53d20b61
Instruction ID: bf647492967352d073276b5a149b0e9915153a0acee9f49ac13f981fa327f8bf
Opcode Fuzzy Hash: ad4302e00514b246930092051f5da298722bef87b003d669d467c42e53d20b61
Instruction Fuzzy Hash: 41F03AB1641310BAE3216F65AC4AFB73A9CDB05756F004437BE08D51A2D6798E0082BE

Function 0048747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00487493
_wcslen.LIBCMT ref: 004874B9

Strings

3, 3, 16, 1, xrefs: 00487483

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: fa268ca0598650fcfac9f8558f63851eae8667f213d71d306bccb0f27b7f2969
Instruction ID: 3b9cbf0cfa78f0638a43922b0814ada425af960758d9d1aa3e1598ca11300ed7
Opcode Fuzzy Hash: fa268ca0598650fcfac9f8558f63851eae8667f213d71d306bccb0f27b7f2969
Instruction Fuzzy Hash: F7E02B46304230119271327BACD1A7F5689CFC5BA07741C2FF985C2366EADCCDD193A8

Function 00460B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00460B23

Strings

Error allocating memory., xrefs: 00460B1C
AutoIt, xrefs: 00460B17

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bc6d6d278fe7c2307f7ff583d4dd1be9970475013b02e8ebc9bcbeab5b4095ae
Instruction ID: ec9470fa480f97f4df7d426a9cae74e88c48e8a23ce6c9b125831f8114b73b7b
Opcode Fuzzy Hash: bc6d6d278fe7c2307f7ff583d4dd1be9970475013b02e8ebc9bcbeab5b4095ae
Instruction Fuzzy Hash: F4E0483124431836D61437957C43FD97E848F05F55F20447FF758555C39BE9649046ED

Function 00420D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0041F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00420D71,?,?,?,0040100A), ref: 0041F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 00420D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 00420D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00420D7F

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 065a4c9dbba9de95bf4742d6beed35bc68529f956b744a891e42663b2337a4be
Instruction ID: c5d4853c5c1b1fce94aee53896b707ea2e933c2cfdf6354c90a1adcc212809e9
Opcode Fuzzy Hash: 065a4c9dbba9de95bf4742d6beed35bc68529f956b744a891e42663b2337a4be
Instruction Fuzzy Hash: 7AE092703013118BDB309FB9E4447427BE0AF10744F40897FE886C6652DBB8E4488B99

Function 0041E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041E3D5

Strings

0%M, xrefs: 0041E3B5
8%M, xrefs: 0041E3CA

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%M$8%M
API String ID: 1385522511-666571738
Opcode ID: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction ID: 74f85b7c586fbea48275e29b091cfe4ae65d2a14ce13d66fff79cd8f95e1413d
Opcode Fuzzy Hash: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction Fuzzy Hash: 89E02035501924DBCE04971AB678DCA3351BB143247D002BBEC22C72D19BBC5881855D

Function 00473017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0047302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00473044

Strings

aut, xrefs: 00473038

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 71512074328a75fff9972111cfe85e082d2d6940b602f848983f38705948e534
Instruction ID: 628ba23adaad8083477a704895c24df82d8478d918337c65dd219e80a5e16e8b
Opcode Fuzzy Hash: 71512074328a75fff9972111cfe85e082d2d6940b602f848983f38705948e534
Instruction Fuzzy Hash: E4D05E7690032877DA60A7A4AC4EFCB3A6CDB05750F0002B2B655E2091DAB49984CAE4

Function 0045D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0045D220

Strings

X64, xrefs: 0045D2A8
%.3d, xrefs: 0045D22B

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2db8d864e82e9443b24b989cbfe5594a8cb9d6c2eec2c4614c7c7a76411d85fe
Instruction ID: 38b857cef762aee038f24abea3c29ea6d50e0b75d9b6a8f5b8584eac959ee1e6
Opcode Fuzzy Hash: 2db8d864e82e9443b24b989cbfe5594a8cb9d6c2eec2c4614c7c7a76411d85fe
Instruction Fuzzy Hash: 35D012B5C08108EACBA097D0DC459F9B37CAF18302F6084A7FC0691042D62CD54EEB6B

Function 00492356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049236C
PostMessageW.USER32(00000000), ref: 00492373

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Strings

Shell_TrayWnd, xrefs: 00492365

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9e1d063b7c62fc5eb741fb1641bc1c1ccf46c772bc3719f8f1f448acc4471665
Instruction ID: 4fbe58dc7f34bcc61f3faa01408e30d6f80e66574df614ba2c414afb8f37d73a
Opcode Fuzzy Hash: 9e1d063b7c62fc5eb741fb1641bc1c1ccf46c772bc3719f8f1f448acc4471665
Instruction Fuzzy Hash: 92D0A936381310BAE6A4A3319C4FFC666249B10B10F01493B7201AA0D0C8A4A8008A0C

Function 00492322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0049233F

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Strings

Shell_TrayWnd, xrefs: 00492325

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e079d67999e0d67ae200226728b429cca74cceb1a253ffad2ffcc98b29bed123
Instruction ID: 612e0c117d57113be67f559a3391629b3461a494fcf43874db1c798f2140144d
Opcode Fuzzy Hash: e079d67999e0d67ae200226728b429cca74cceb1a253ffad2ffcc98b29bed123
Instruction Fuzzy Hash: 53D0223A380310B7E6A4B331DC4FFC67A249F10B10F01493B7305AA0D0C8F4A800CA0C

Function 0043BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0043BE93
GetLastError.KERNEL32 ref: 0043BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043BEFC

Memory Dump Source

Source File: 00000000.00000002.2164608193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164576232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164794786.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165059460.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165116025.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 47f2202a98bbb92824ba5393a00976133468d0003c5f69189999ea7ea004805d
Instruction ID: 539f3ccde27aa1689970bbd55d2df9f1d5dad94cab1259b0c79e6984442a238b
Opcode Fuzzy Hash: 47f2202a98bbb92824ba5393a00976133468d0003c5f69189999ea7ea004805d
Instruction Fuzzy Hash: 6741E634600216AFDF218F69CC55BAB7BA4EF49310F14616BFA59D72A1DB348C01CFA9

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2370877425.0000013A3F07B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2321235370.0000013A4A893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2321235370.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311828864.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329606202.0000013A4A8B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2214102186.0000013A4B41D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312565215.0000013A475BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250884019.0000013A4B3BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2312565215.0000013A475BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250884019.0000013A4B3BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212152780.0000013A4B9BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2256406489.0000013A470BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321235370.0000013A4A893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215237228.0000013A470BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2321235370.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311828864.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329606202.0000013A4A8B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2214102186.0000013A4B41D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312565215.0000013A475BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250884019.0000013A4B3BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2312565215.0000013A475BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250884019.0000013A4B3BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212152780.0000013A4B9BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2173113708.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345018767.0000013A41E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303294053.0000013A4173E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2321235370.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311828864.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329606202.0000013A4A8B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2177342700.0000013A3FE64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nimbus-desktop-experimentshttps://www.facebook.com/requestStorageAccessUnderSiteDEFAULT_REPLACEMENT_CHARACTER1tog0cdkasggly29o8xqc6p37WebExtensionDictionaryManifesthttps://www.wikipedia.org/https://www.aliexpress.com/getFailedCertSecurityInfo equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2333877069.0000013A4B9E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256406489.0000013A470BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321235370.0000013A4A893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2333877069.0000013A4B9E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321235370.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311828864.0000013A4A8A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2348249535.0000013A4AC11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2367970797.0000013A3FDDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314071306.0000013A47024000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 48%			Perma Link
Source: file.exe	ReversingLabs: Detection: 36%

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49865 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc892ae5-8467-4b84-b8a5-41b0e58678f4.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc892ae5-8467-4b84-b8a5-41b0e58678f4.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre