Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561840
MD5:	734c2298958280863cad3c352a220423
SHA1:	321631aad52f1d3671a1f6de65682cbcb8c31a5d
SHA256:	6e3fd723df0c2e828a5514171f5dbe8792c571585fc7981a5766b3a1ef68895d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 734C2298958280863CAD3C352A220423)

taskkill.exe (PID: 7160 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3220 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5980 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2228 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6680 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5084 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1440 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4088 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5359dab-6852-45d1-9873-e9b6cd21ec60} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 1482fa6f310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7428 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -parentBuildID 20230927232528 -prefsHandle 2448 -prefMapHandle 3808 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bec29b8f-dfc2-4585-825b-2c5e8cd8351e} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148402f8110 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7940 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0445bd-cc5c-4405-a740-06c3bfed3971} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148417fc110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4400	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0030EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0030EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0030ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0030ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0030EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_002FAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00329576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00329576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2049268802.0000000000352000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5f6ed28f-a
Source: file.exe, 00000000.00000000.2049268802.0000000000352000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e5d3d46b-a
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ca15e83a-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8c4d1034-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F161DF3137 NtQuerySystemInformation,		17_2_000001F161DF3137
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F1620133B2 NtQuerySystemInformation,		17_2_000001F1620133B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_002FD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_002F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002FE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029BF40	0_2_0029BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298060	0_2_00298060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00302046	0_2_00302046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F8298	0_2_002F8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CE4FF	0_2_002CE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C676B	0_2_002C676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00324873	0_2_00324873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002BCAA0	0_2_002BCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029CAF0	0_2_0029CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002ACC39	0_2_002ACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C6DD9	0_2_002C6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AD064	0_2_002AD064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AB119	0_2_002AB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002991C0	0_2_002991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1394	0_2_002B1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1706	0_2_002B1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B781B	0_2_002B781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00297920	0_2_00297920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A997D	0_2_002A997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B19B0	0_2_002B19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B7A4A	0_2_002B7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1C77	0_2_002B1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B7CA7	0_2_002B7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031BE44	0_2_0031BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C9EEE	0_2_002C9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1F32	0_2_002B1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F161DF3137	17_2_000001F161DF3137
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F1620133B2	17_2_000001F1620133B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F1620133F2	17_2_000001F1620133F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001F162013ADC	17_2_000001F162013ADC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002AF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002B0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00299CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003037B5 GetLastError,FormatMessageW,

0_2_003037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F10BF AdjustTokenPrivileges,CloseHandle,		0_2_002F10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002F16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002FD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0030648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0030648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198257953.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244359142.000001484AFD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227570889.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2292382678.000001484B450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243926172.000001484B44E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5359dab-6852-45d1-9873-e9b6cd21ec60} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 1482fa6f310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -parentBuildID 20230927232528 -prefsHandle 2448 -prefMapHandle 3808 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bec29b8f-dfc2-4585-825b-2c5e8cd8351e} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148402f8110 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0445bd-cc5c-4405-a740-06c3bfed3971} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148417fc110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5359dab-6852-45d1-9873-e9b6cd21ec60} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 1482fa6f310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -parentBuildID 20230927232528 -prefsHandle 2448 -prefMapHandle 3808 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bec29b8f-dfc2-4585-825b-2c5e8cd8351e} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148402f8110 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0445bd-cc5c-4405-a740-06c3bfed3971} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148417fc110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2182291208.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180834847.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183071468.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181143743.000001483CA72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2190132715.000001483CABD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2190416561.000001483CAA4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188249659.000001483CA9E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189476874.000001483CA9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2189329673.000001483CABD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2190132715.000001483CABD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2190416561.000001483CAA4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188249659.000001483CA9E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189476874.000001483CA9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000E.00000003.2178578903.000001483CA4C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178641212.000001483CA60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2184063697.000001483CA9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2189329673.000001483CABD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2184063697.000001483CA9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2182291208.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180834847.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183071468.000001483CA6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181143743.000001483CA72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2178578903.000001483CA4C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178641212.000001483CA60000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002942DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002B0A76 push ecx; ret

0_2_002B0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002AF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00321C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00321C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95445

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001F161DF3137 rdtsc

17_2_000001F161DF3137

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002FDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC2A2 FindFirstFileExW,	0_2_002CC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003068EE FindFirstFileW,FindClose,	0_2_003068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0030698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002FD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002FD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00309642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00309642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0030979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00309B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00309B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00305C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00305C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002942DE

Source: firefox.exe, 00000010.00000002.3301341149.000002774329A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3306280598.000001F162500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3301055795.000001F161D6A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3306318890.000001A09AD70000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3301343534.000001A09AA3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3306438562.000002774371E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3307648369.0000027743B40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3301341149.000002774329A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3306280598.000001F162500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001F161DF3137 rdtsc

17_2_000001F161DF3137

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0030EAA2 BlockInput,

0_2_0030EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002C2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002B4CE8 mov eax, dword ptr fs:[00000030h]

0_2_002B4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_002F0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002C2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002B083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B09D5 SetUnhandledExceptionFilter,	0_2_002B09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002B0C21

Source: C:\Users\user\Desktop\file.exe

0_2_002F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FB226 SendInput,keybd_event,

0_2_002FB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_002F0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002F1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002B0698 cpuid

0_2_002B0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00308195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00308195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002ED27A GetUserNameW,

0_2_002ED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002CB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_002CB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4400, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4400, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00311204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00311204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00311806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00311806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.78	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2290026728.000001483EF9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297083283.0000014847846000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3302294112.000001A09ACC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2292510515.000001484B40A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2198257953.000001484BE19000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2210143821.0000014847938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225083454.0000014847949000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3302736004.00000277435EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161FF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3306592905.000001A09AF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3302294112.000001A09AC8E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2268597171.000001484105F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2298455804.00000148422DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256863882.000001484217C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2203054640.000001484B4B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2290856035.000001483F4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289143212.000001483F48A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2294913564.0000014849022000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2095342787.000001483FA6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094852150.000001483FA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095505475.000001483FA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094651841.000001483FA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095030928.000001483FA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094418495.000001483F800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2280544482.000001484081D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280544482.00000148408D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280544482.000001484089D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266938035.00000148414F2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2292421974.000001484B419000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2207252840.0000014847A2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2095342787.000001483FA6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278592153.0000014841751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2151132124.00000148416E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094852150.000001483FA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095505475.000001483FA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094651841.000001483FA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095030928.000001483FA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094418495.000001483F800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2289143212.000001483F48A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2231051483.000001484326D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254856326.000001484326D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2095342787.000001483FA6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094852150.000001483FA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094651841.000001483FA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095030928.000001483FA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094418495.000001483F800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2293806690.0000014849D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293806690.0000014849D70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277103549.0000014847884000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241289057.0000014847884000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273608516.0000014847882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245132063.0000014847884000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2203054640.000001484B4B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2235330288.00000148422DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2290856035.000001483F4E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2235330288.00000148422E5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2287275812.00000148407F5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2208864211.000001483F31C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225567208.000001483F33B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2205403978.0000014847AD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3302294112.000001A09AC0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2139575518.000001484AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2141356897.000001484069B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2268597171.000001484105F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2244359142.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251722211.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284567577.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293592118.000001484AF67000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2205078292.0000014847B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3302294112.000001A09ACC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2139575518.000001484AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2142032291.00000148405A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2211342209.0000014841645000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2228856796.00000148491E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2280544482.00000148408D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266938035.00000148414F2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2203267934.000001484B49F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3302736004.00000277435EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161FF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3306592905.000001A09AF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3302736004.00000277435EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161FF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3306592905.000001A09AF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2273608516.00000148478A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3302294112.000001A09AC13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2268597171.000001484105F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3305705359.000001A09AD60000.00000004.00000020.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2245132063.00000148478A9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/CN=The	firefox.exe, 00000012.00000002.3302294112.000001A09AC13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3302736004.0000027743572000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2207252840.0000014847A2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2252759967.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295451594.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285357555.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2289143212.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2232882749.0000014843227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206080662.0000014847A9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102278762.0000014840D34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207805166.00000148478E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145673802.00000148418A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210143821.0000014847930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242180489.000001483FE23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234457083.00000148430AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2106162812.000001483FEE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198599923.00000148418A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196197940.00000148415BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288844756.000001483FF6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296605574.0000014847A9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297341527.00000148432F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2151132124.00000148416A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206377745.000001483FEC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212427863.000001483FEC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206377745.000001483FEDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198599923.000001484188D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248886104.0000014841651000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211342209.000001484164D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2231051483.000001484326D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254856326.000001484326D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2231051483.000001484326D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254856326.000001484326D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2207805166.00000148478E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287275812.00000148407F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2235330288.00000148422F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2207805166.00000148478E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287275812.00000148407F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2235330288.00000148422F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2252759967.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295451594.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285357555.0000014847DD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2210143821.0000014847938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225083454.0000014847949000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2205078292.0000014847B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2289143212.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208273958.000001483F673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2118979964.0000014841AC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2139575518.000001484AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2141356897.000001484069B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2142173296.00000148406A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2289143212.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208273958.000001483F673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208864211.000001483F31C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225567208.000001483F33B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2244359142.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251722211.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284567577.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293592118.000001484AF67000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2205078292.0000014847B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3306060742.0000027743620000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3301337875.000001F161DA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3301812980.000001A09AA90000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2268597171.000001484105F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561840
Start date and time:	2024-11-24 12:48:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 92% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 52.27.142.243, 34.209.229.249, 172.217.17.42, 172.217.17.74, 172.217.17.78, 23.200.87.12, 23.200.86.251
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6500 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
06:49:13	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
star-mini.c10r.facebook.com	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	zgp.elf	Get hash	malicious	Mirai	Browse	56.101.120.102
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	zapret.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	zgp.elf	Get hash	malicious	Mirai	Browse	56.101.120.102
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c45f638c-8795-4389-bdc8-27ad0d39009f.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181850057150299
Encrypted:	false
SSDEEP:	192:0KMXsuBcbhbVbTbfbRbObtbyEl7nMrKJA6wnSrDtTkd/SN3:0PBcNhnzFSJsrZjnSrDhkd/q3
MD5:	A7ACEB51C26F1FF5C58A7D06B2D9945C
SHA1:	F3CCF9CF1A3F612DA2E2E68AE90711DA4AAE02B4
SHA-256:	865B945584B6EB93CF77BFCDAC07FD525923330CD2E1FDC60BA9E18C8BE8AA35
SHA-512:	8F78E166255178F683F45B6E5E6B8517876D4E899FADCBA8BB4CE8759AC851EE12962C9C3ACFCA94932E661F37EE31F93EF9668DCF802C6317EA14D3862213CC
Malicious:	false
Preview:	{"type":"uninstall","id":"c45f638c-8795-4389-bdc8-27ad0d39009f","creationDate":"2024-11-24T13:33:09.085Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c45f638c-8795-4389-bdc8-27ad0d39009f.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181850057150299
Encrypted:	false
SSDEEP:	192:0KMXsuBcbhbVbTbfbRbObtbyEl7nMrKJA6wnSrDtTkd/SN3:0PBcNhnzFSJsrZjnSrDhkd/q3
MD5:	A7ACEB51C26F1FF5C58A7D06B2D9945C
SHA1:	F3CCF9CF1A3F612DA2E2E68AE90711DA4AAE02B4
SHA-256:	865B945584B6EB93CF77BFCDAC07FD525923330CD2E1FDC60BA9E18C8BE8AA35
SHA-512:	8F78E166255178F683F45B6E5E6B8517876D4E899FADCBA8BB4CE8759AC851EE12962C9C3ACFCA94932E661F37EE31F93EF9668DCF802C6317EA14D3862213CC
Malicious:	false
Preview:	{"type":"uninstall","id":"c45f638c-8795-4389-bdc8-27ad0d39009f","creationDate":"2024-11-24T13:33:09.085Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927889132197377
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNJeM9CxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LOeMc8P
MD5:	EE5D8DB09679773C4E1936F90BAF3C09
SHA1:	117AE60E4C6DAC6391524D4E927AA3C60CE07654
SHA-256:	D68978BA416F9EF27205B3A06E06E1F115BC5E6D59D4BBAC850D41AE502D57E9
SHA-512:	C8F7DC538A84F6999CF2E3CD09D33F44051C2ED43CB75022EC3955384516DFCC4BBE0687F19AEFC161160DF47A6EBC0FB5895C44300A52BC4DF71934A757153A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927889132197377
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNJeM9CxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LOeMc8P
MD5:	EE5D8DB09679773C4E1936F90BAF3C09
SHA1:	117AE60E4C6DAC6391524D4E927AA3C60CE07654
SHA-256:	D68978BA416F9EF27205B3A06E06E1F115BC5E6D59D4BBAC850D41AE502D57E9
SHA-512:	C8F7DC538A84F6999CF2E3CD09D33F44051C2ED43CB75022EC3955384516DFCC4BBE0687F19AEFC161160DF47A6EBC0FB5895C44300A52BC4DF71934A757153A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07323265657846277
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkih:DLhesh7Owd4+jih
MD5:	AB7454B6C11CE049F20E04F4B36915D1
SHA1:	295B3CA7E7C464AB399D800E7A879A28D41F4CB0
SHA-256:	C1424653A40C936C64F888499ADD7177E2DFDA809CFDC6076035B51F74DF76DF
SHA-512:	7972DE43B7040018C3DB5F8132677BD74632C84C4B87F37F7D45F9C0EF7A7E6D83298EB8748921AEBE008B12676C78633148E1884242DB0BF05FFA826A8CBB15
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03438274924279078
Encrypted:	false
SSDEEP:	3:GtlstFLXpmsVZfp9DYlstFLXpmsVZfp9Z/L89//alEl:GtWtxEsHfp9EWtxEsHfp9BL89XuM
MD5:	2B796D587C06617FF11604E6ADBC4C03
SHA1:	30A63459CAA77C5FE059D83FCA59105FBE5BB089
SHA-256:	8AA4B479CCDE58595907D07D9F95F22D6EA8E847FF6AD5857DF9AF869EA7FC45
SHA-512:	E74A782D1744B96EDD065EBBCE6EEE70FF77807B2180EAB5DB0A817DFEDE6C1B170252ECA747813D18941EA30E8D19137ED4F6B445283C6E87A0F16D4952C667
Malicious:	false
Preview:	..-.......................VqS..g.mtp.IU:....~....-.......................VqS..g.mtp.IU:....~..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.038958374662484155
Encrypted:	false
SSDEEP:	3:Ol1FCyQulfCSRVZcUlllll8rEXsxdwhml8XW3R2:Kr/V5/ll8dMhm93w
MD5:	4A36B10CCE5BCF8A40D7B35D8AAEFD99
SHA1:	EF76A1E5A550D676FA04F8C28A23B706C4B003BE
SHA-256:	F5A4D8C581476998D8E8A1560EE302BCB3580564DC80A408D393836BF6BE05C7
SHA-512:	532B4221019F8E4D4542165EBAD25CC388E297CA675AE4E4269CBFB8FAFAD322AFFAF2AA88726A171DBBBFC55CFA9795206A6FB98C6BA249660A952F2054A255
Malicious:	false
Preview:	7....-..........g.mtp.IUJ4.zW..........g.mtp.IUV....Sq................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478579686751078
Encrypted:	false
SSDEEP:	192:HnPOeRnLYbBp6HJ0aX++6SEXKsqNOrH5RHWNBw8dISl:vDeKJUltmOnHEwf0
MD5:	1D2A72E4330EC6BC6434F5FCB3FD1454
SHA1:	E195135001C1F8392539F5F567B35860D384DDC9
SHA-256:	78C2BFCB128569303BDE5A08FDFF681FB9ECED6F336BC1B0F75EA2DD88E67738
SHA-512:	7B5541D747DE193E2ECC45A10629571F56B849A9DCA87023F655543C1ED8C893A07C88EC0261ED579059AA851ED68E9602275868ACABCD043368C85ABA1E76B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732455159);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732455159);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732455159);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478579686751078
Encrypted:	false
SSDEEP:	192:HnPOeRnLYbBp6HJ0aX++6SEXKsqNOrH5RHWNBw8dISl:vDeKJUltmOnHEwf0
MD5:	1D2A72E4330EC6BC6434F5FCB3FD1454
SHA1:	E195135001C1F8392539F5F567B35860D384DDC9
SHA-256:	78C2BFCB128569303BDE5A08FDFF681FB9ECED6F336BC1B0F75EA2DD88E67738
SHA-512:	7B5541D747DE193E2ECC45A10629571F56B849A9DCA87023F655543C1ED8C893A07C88EC0261ED579059AA851ED68E9602275868ACABCD043368C85ABA1E76B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732455159);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732455159);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732455159);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	6.370961949040549
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF2LXnIrrR/pnxQwRcWT5sKmgb0e3eHVpjO+YZamhueeJJwO2c0TSn:GUpOxZ2nRcoegB3erjxYZyJwcnO6BtR
MD5:	A7C25F217B6F825E4F576C22AA981D54
SHA1:	1EF37C0793EB6496538B56892DBF89B46974E3DC
SHA-256:	2DA47DA15A634640407B234508CB037DF3C792113E72C79623A47AC6769BE3A4
SHA-512:	13250A16E57E0B888014C19E59F28A10C004FD18148E1E9FD9942DDA856A5DA69D17AF4D7BE311FDB50B0A327C4A2EBA47078642A092C67C7DD53696ABA5A969
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5d267116-ead6-4b31-a270-d923dd92d602}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732455165885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29165...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...33507,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	6.370961949040549
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF2LXnIrrR/pnxQwRcWT5sKmgb0e3eHVpjO+YZamhueeJJwO2c0TSn:GUpOxZ2nRcoegB3erjxYZyJwcnO6BtR
MD5:	A7C25F217B6F825E4F576C22AA981D54
SHA1:	1EF37C0793EB6496538B56892DBF89B46974E3DC
SHA-256:	2DA47DA15A634640407B234508CB037DF3C792113E72C79623A47AC6769BE3A4
SHA-512:	13250A16E57E0B888014C19E59F28A10C004FD18148E1E9FD9942DDA856A5DA69D17AF4D7BE311FDB50B0A327C4A2EBA47078642A092C67C7DD53696ABA5A969
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5d267116-ead6-4b31-a270-d923dd92d602}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732455165885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29165...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...33507,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	6.370961949040549
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF2LXnIrrR/pnxQwRcWT5sKmgb0e3eHVpjO+YZamhueeJJwO2c0TSn:GUpOxZ2nRcoegB3erjxYZyJwcnO6BtR
MD5:	A7C25F217B6F825E4F576C22AA981D54
SHA1:	1EF37C0793EB6496538B56892DBF89B46974E3DC
SHA-256:	2DA47DA15A634640407B234508CB037DF3C792113E72C79623A47AC6769BE3A4
SHA-512:	13250A16E57E0B888014C19E59F28A10C004FD18148E1E9FD9942DDA856A5DA69D17AF4D7BE311FDB50B0A327C4A2EBA47078642A092C67C7DD53696ABA5A969
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5d267116-ead6-4b31-a270-d923dd92d602}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732455165885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P29165...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...33507,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029687193512556
Encrypted:	false
SSDEEP:	96:ycsMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:fTEr5NX0z3DhRe
MD5:	8C11F23B61B873DFF5D4F49AB58F0361
SHA1:	79A99537AF1762147B91787972805301FB228E79
SHA-256:	41648272F5F02C535BA965DE3735C7F5619F9633C2F057C6630CF10E0CAD422D
SHA-512:	687F64911028870CF47F16781154F4309453109DF3DCF78576AA42C971FF347E848774E6A19F05A0B9AACF318C743D42EF537DD8D353EA656E88234C77A1014B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T13:32:18.742Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029687193512556
Encrypted:	false
SSDEEP:	96:ycsMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:fTEr5NX0z3DhRe
MD5:	8C11F23B61B873DFF5D4F49AB58F0361
SHA1:	79A99537AF1762147B91787972805301FB228E79
SHA-256:	41648272F5F02C535BA965DE3735C7F5619F9633C2F057C6630CF10E0CAD422D
SHA-512:	687F64911028870CF47F16781154F4309453109DF3DCF78576AA42C971FF347E848774E6A19F05A0B9AACF318C743D42EF537DD8D353EA656E88234C77A1014B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T13:32:18.742Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.593823650560347
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	923'136 bytes
MD5:	734c2298958280863cad3c352a220423
SHA1:	321631aad52f1d3671a1f6de65682cbcb8c31a5d
SHA256:	6e3fd723df0c2e828a5514171f5dbe8792c571585fc7981a5766b3a1ef68895d
SHA512:	dc48b5c3216111643cc840c39f35083dcb72304cd6f93d8ef55c15c4ac6953f1665d1e4df4f343e56cdb60348a08f8fd0289e4ec16d4dc8b56581947f9dacf0e
SSDEEP:	12288:uqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaVT5:uqDEvCTbMWu7rQYlBQcBiT6rprG8aB5
TLSH:	A6159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67430E10 [Sun Nov 24 11:29:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F69886F3C43h
jmp 00007F69886F354Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F69886F372Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F69886F36FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F69886F62EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F69886F6338h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F69886F6321h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xaa10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xaa10	0xac00	861d4f75c5a45c0eb4a3f83b9837b8c4	False	0.37511355377906974	data	5.693372137001386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1cd8	data			1.001489707475623
RT_GROUP_ICON	0xde490	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde508	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde51c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde530	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde544	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde620	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 12:49:11.207055092 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:11.207113028 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:11.212404013 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:11.218240976 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:11.218261003 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:11.845956087 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.846008062 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:11.846082926 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.846131086 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:11.846860886 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.846950054 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.848153114 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.848170042 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:11.849452019 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:11.849467993 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:11.853020906 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:11.973156929 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:11.974351883 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:11.974562883 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:12.098788023 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:12.337745905 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.337805033 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:12.352068901 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.353524923 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.353543997 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:12.466784000 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:12.474694967 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:12.482774019 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:12.482784033 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:12.482949018 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:12.482966900 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:12.482975006 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:12.483073950 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:12.490017891 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:12.490065098 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:12.490525007 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:12.490638971 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:12.490652084 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:12.512696981 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.512707949 CET	443	49717	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:12.513210058 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.514553070 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:12.514566898 CET	443	49717	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.142368078 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:13.142416000 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:13.142606020 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:13.142726898 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:13.142743111 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:13.180685043 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:13.241857052 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.411520004 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.531239033 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:13.534250975 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.534415007 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.563396931 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.563504934 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.564385891 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.564435959 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.567802906 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.567810059 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.567867041 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.567979097 CET	443	49711	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.568141937 CET	49711	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.602540016 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.602551937 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.602627039 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.607630014 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.607676983 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.607733965 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.607839108 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.607846975 CET	443	49714	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.608843088 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.609874964 CET	49714	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.609977007 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.609991074 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.614764929 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.614777088 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.614861012 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.614938974 CET	443	49712	142.250.181.78	192.168.2.5
Nov 24, 2024 12:49:13.615119934 CET	49712	443	192.168.2.5	142.250.181.78
Nov 24, 2024 12:49:13.654063940 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:13.768260956 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:13.768392086 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:13.771652937 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:13.771665096 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:13.771955967 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:13.774785042 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:13.774869919 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:13.774933100 CET	443	49716	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:13.775016069 CET	49716	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:13.829830885 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.843175888 CET	443	49717	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.843250990 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.875207901 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.877985001 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.878000975 CET	443	49717	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.878063917 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.878220081 CET	443	49717	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.882114887 CET	49717	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.947417021 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.947448015 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.949771881 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.949847937 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:13.951189995 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:13.951203108 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:13.959505081 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.995110989 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:13.996865034 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:13.997148037 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:14.116810083 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:14.458787918 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:14.458887100 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:14.462197065 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:14.462213039 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:14.462441921 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:14.464858055 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:14.464993954 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:14.465004921 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:14.465015888 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 12:49:14.465059042 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 12:49:14.480649948 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:14.480712891 CET	443	49723	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:14.480824947 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:14.482230902 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:14.482249022 CET	443	49723	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:14.637512922 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:14.638060093 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:14.758001089 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:14.759865046 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:14.826030016 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:14.826139927 CET	443	49725	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:14.829924107 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:14.831371069 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:14.831408024 CET	443	49725	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:14.839340925 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:14.839380026 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:14.839477062 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:14.839596987 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:14.839612961 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:15.149741888 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:15.193851948 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:15.229662895 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.229729891 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.260364056 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.260380983 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.260550022 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.263252020 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.263259888 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.266436100 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.266470909 CET	443	49727	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.272902966 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.288101912 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.288115978 CET	443	49727	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.471326113 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:15.471544027 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:15.800528049 CET	443	49723	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:15.803416967 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:15.807224989 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:15.807233095 CET	443	49723	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:15.807329893 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:15.807373047 CET	443	49723	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:15.807585001 CET	49723	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:16.107753038 CET	443	49725	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:16.110501051 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:16.115622044 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:16.115654945 CET	443	49725	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:16.115706921 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:16.115962029 CET	443	49725	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:16.116102934 CET	49725	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:16.159868002 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:16.164654016 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:16.167568922 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:16.167574883 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:16.167841911 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:16.169929981 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:16.170021057 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:16.170089006 CET	443	49726	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:16.170161963 CET	49726	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:16.533565044 CET	443	49727	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:16.533700943 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:16.539287090 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:16.539297104 CET	443	49727	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:16.539397955 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:16.539443970 CET	443	49727	34.117.188.166	192.168.2.5
Nov 24, 2024 12:49:16.539504051 CET	49727	443	192.168.2.5	34.117.188.166
Nov 24, 2024 12:49:17.659081936 CET	49729	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:17.686271906 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:17.778769970 CET	80	49729	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:17.782562971 CET	49729	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:17.782701969 CET	49729	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:17.805847883 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:17.846371889 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:17.846451998 CET	443	49730	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:17.846587896 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:17.847943068 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:17.847958088 CET	443	49730	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:17.850071907 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:17.850092888 CET	443	49731	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:17.853096008 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:17.854778051 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:17.854793072 CET	443	49731	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:17.902789116 CET	80	49729	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.027502060 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.028117895 CET	49729	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.030550003 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.077776909 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.150527954 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.151853085 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.152024984 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.194632053 CET	80	49729	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.273441076 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.715066910 CET	80	49729	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:18.717048883 CET	49729	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:18.863424063 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:18.863534927 CET	443	49733	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:18.864500999 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:18.865957975 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:18.865995884 CET	443	49733	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:19.071058989 CET	443	49731	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.071144104 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.161652088 CET	443	49730	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:19.161720991 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:19.248460054 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.248478889 CET	443	49731	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.248564959 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.248635054 CET	443	49731	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.248778105 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:19.248800993 CET	443	49730	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:19.248823881 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:19.249000072 CET	443	49730	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:19.250154018 CET	49731	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.250159025 CET	49730	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:19.252218008 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:19.255500078 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.255570889 CET	443	49734	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.256906033 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.259128094 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.259162903 CET	443	49734	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.259991884 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.260010004 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.261740923 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.261780977 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.262515068 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.262602091 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.262603998 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.262617111 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.262706041 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:19.262717009 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:19.298264980 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:19.350259066 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:19.373276949 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:19.577430964 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:19.635488987 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:20.133565903 CET	443	49733	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:20.133646965 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:20.138458014 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:20.138489008 CET	443	49733	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:20.138586998 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:20.138642073 CET	443	49733	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:20.138700962 CET	49733	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:20.477328062 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:20.477411985 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:20.520114899 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:20.520373106 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:20.565246105 CET	443	49734	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:20.565448999 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.142342091 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.142366886 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.142738104 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.146143913 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.146188021 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.146552086 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.147630930 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:21.147669077 CET	443	49737	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:21.147876978 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:21.150336981 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:21.150350094 CET	443	49737	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:21.153343916 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153423071 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153534889 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153547049 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.153606892 CET	443	49734	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.153630972 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153635979 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153686047 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153728008 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153834105 CET	443	49734	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.153870106 CET	443	49735	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:21.153913975 CET	49734	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:21.153940916 CET	49735	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:22.427809000 CET	443	49737	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:22.427922010 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:22.432620049 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:22.432631016 CET	443	49737	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:22.432701111 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:22.432827950 CET	443	49737	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:22.432895899 CET	49737	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:24.300165892 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:24.348841906 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:24.349461079 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:24.349484921 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:24.352336884 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:24.419826984 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:24.468584061 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:24.494854927 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:24.494873047 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:24.509234905 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:24.509248018 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:24.510261059 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:24.511687994 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:24.511699915 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:24.623577118 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:24.672914028 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:24.676489115 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:24.729902983 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:25.219697952 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:25.253082037 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.253108025 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:25.253436089 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.253571987 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.253582001 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:25.316915989 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.316956043 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:25.317905903 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.319302082 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:25.319318056 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:25.340442896 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:25.554223061 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:25.594724894 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:25.723520041 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:25.723603964 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:25.768018961 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:25.768090963 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:26.598995924 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:26.607336044 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:26.613105059 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.022768021 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.022835016 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.289985895 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.290004969 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.290333986 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.347558022 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.798096895 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.798116922 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.798489094 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.804323912 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:27.804338932 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:27.804579973 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:27.804611921 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:27.804617882 CET	443	49742	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:27.804939985 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.805006027 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.805145979 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.805145979 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.805241108 CET	443	49741	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.805331945 CET	443	49746	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.806720972 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.806721926 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.806763887 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.806953907 CET	443	49747	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:27.809946060 CET	49741	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.810075045 CET	49746	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.810139894 CET	49747	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:27.810329914 CET	49742	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:29.462088108 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:29.581729889 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:29.785980940 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:29.839162111 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:30.417716980 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:30.417757034 CET	443	49754	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:30.418901920 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:30.420303106 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:30.420319080 CET	443	49754	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:30.422486067 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:30.542166948 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:30.765149117 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:30.810816050 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:31.744478941 CET	443	49754	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:31.744566917 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.749994993 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.750003099 CET	443	49754	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:31.750089884 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.750178099 CET	443	49754	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:31.750859976 CET	49754	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.755484104 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:31.757484913 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.757507086 CET	443	49760	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:31.757812023 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.759104013 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:31.759119987 CET	443	49760	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:31.875004053 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:32.081231117 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:32.085196972 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:32.130237103 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:32.206465006 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:32.417069912 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:32.462372065 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:33.025837898 CET	443	49760	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:33.025930882 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:33.030128956 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:33.030142069 CET	443	49760	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:33.030225039 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:33.030348063 CET	443	49760	34.120.208.123	192.168.2.5
Nov 24, 2024 12:49:33.031377077 CET	49760	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:49:33.033456087 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:33.155734062 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:33.360280991 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:33.363010883 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:33.402724981 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:33.483103037 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:33.695383072 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:33.750468016 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:34.730544090 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:34.850322008 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:35.055459976 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:35.058017969 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:35.107645035 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:35.180941105 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:35.385072947 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:35.439740896 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:39.534205914 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:39.534219980 CET	443	49780	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:39.535921097 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:39.537318945 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:39.537331104 CET	443	49780	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:39.539997101 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:39.540059090 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:39.540147066 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:39.540256023 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:39.540272951 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:39.575603962 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:39.575639009 CET	443	49783	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:39.575973034 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:39.577424049 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:39.577438116 CET	443	49783	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:39.651645899 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:39.651729107 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:39.651864052 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:39.652008057 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:39.652030945 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:39.670747042 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:39.670758963 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:39.670835972 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:39.670953035 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:39.670964003 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:39.723367929 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:39.723445892 CET	443	49786	35.201.103.21	192.168.2.5
Nov 24, 2024 12:49:39.723592043 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:39.724960089 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:39.724992037 CET	443	49786	35.201.103.21	192.168.2.5
Nov 24, 2024 12:49:40.822129965 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:40.822257996 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.825295925 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.825318098 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:40.825582027 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:40.827223063 CET	443	49780	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:40.827527046 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.827605963 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.827676058 CET	443	49781	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:40.828183889 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.828183889 CET	49781	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.828203917 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:40.833005905 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:40.833018064 CET	443	49780	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:40.833084106 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:40.833194971 CET	443	49780	34.107.243.93	192.168.2.5
Nov 24, 2024 12:49:40.833376884 CET	49780	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:49:40.834398031 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:40.862531900 CET	443	49783	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:40.862657070 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:40.866877079 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:40.866888046 CET	443	49783	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:40.866955042 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:40.867033958 CET	443	49783	35.190.72.216	192.168.2.5
Nov 24, 2024 12:49:40.869877100 CET	49783	443	192.168.2.5	35.190.72.216
Nov 24, 2024 12:49:40.934463978 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.934556007 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.937386036 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.937408924 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.937623024 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.939691067 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.939773083 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.939824104 CET	443	49784	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.939929962 CET	49784	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.953845978 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:40.956372976 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:40.956574917 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.959436893 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.959455967 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:40.959712029 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:40.961327076 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.961421967 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.961489916 CET	443	49785	151.101.129.91	192.168.2.5
Nov 24, 2024 12:49:40.961744070 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.961761951 CET	49785	443	192.168.2.5	151.101.129.91
Nov 24, 2024 12:49:40.968923092 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.968983889 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.969183922 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.969285011 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.969300985 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.971872091 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.971910000 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.972243071 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.972449064 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.972464085 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.973306894 CET	443	49786	35.201.103.21	192.168.2.5
Nov 24, 2024 12:49:40.973582029 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:40.976114035 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.976138115 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.976743937 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.976891041 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:40.976914883 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:40.978226900 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:40.978238106 CET	443	49786	35.201.103.21	192.168.2.5
Nov 24, 2024 12:49:40.978332996 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:40.978579998 CET	443	49786	35.201.103.21	192.168.2.5
Nov 24, 2024 12:49:40.979080915 CET	49786	443	192.168.2.5	35.201.103.21
Nov 24, 2024 12:49:40.989955902 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.989993095 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:40.990154028 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.990253925 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:40.990267992 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:41.166686058 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:41.169569969 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:41.209558964 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:41.289155006 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:41.493170977 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:41.541665077 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:42.247095108 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.247281075 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.249826908 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.249857903 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.250396967 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.252198935 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.252291918 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.252512932 CET	443	49788	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.252712011 CET	49788	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.256366968 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:42.257137060 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.257252932 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.257390976 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.259350061 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.259797096 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.259803057 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.260320902 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.262613058 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.262628078 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.262900114 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.265067101 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.265147924 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.265266895 CET	443	49789	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.265383959 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.265439987 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.265695095 CET	443	49790	35.244.181.201	192.168.2.5
Nov 24, 2024 12:49:42.266367912 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.266374111 CET	49789	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.266396046 CET	49790	443	192.168.2.5	35.244.181.201
Nov 24, 2024 12:49:42.272917986 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:42.272989035 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.275958061 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.275974989 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:42.276174068 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:42.278160095 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.278215885 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.278280020 CET	443	49791	34.149.100.209	192.168.2.5
Nov 24, 2024 12:49:42.280761957 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.280786037 CET	49791	443	192.168.2.5	34.149.100.209
Nov 24, 2024 12:49:42.375885010 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:42.580044985 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:42.583558083 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:42.629213095 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:42.703278065 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:42.907154083 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:42.961350918 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:52.588988066 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:52.708553076 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:49:52.921099901 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:49:53.040793896 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:00.847527981 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:00.847556114 CET	443	49837	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:00.847657919 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:00.848978996 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:00.848994970 CET	443	49837	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:02.091289043 CET	443	49837	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:02.091485977 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:02.096446991 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:02.096455097 CET	443	49837	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:02.096549988 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:02.096600056 CET	443	49837	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:02.097856045 CET	49837	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:02.099323034 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:02.220096111 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:02.424249887 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:02.427356005 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:02.469449043 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:02.548234940 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:02.766120911 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:02.817179918 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:09.646331072 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.646372080 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:09.646570921 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.646620035 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:09.648264885 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.648355961 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.648477077 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.648495913 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:09.648603916 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:09.648638964 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.088828087 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.089052916 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.091981888 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.092015028 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.092276096 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.094206095 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.094324112 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.094366074 CET	443	49859	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.094480038 CET	49859	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.097901106 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:11.145735025 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.145807981 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.148929119 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.148936033 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.149185896 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.151848078 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.151940107 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.151989937 CET	443	49858	34.120.208.123	192.168.2.5
Nov 24, 2024 12:50:11.152673006 CET	49858	443	192.168.2.5	34.120.208.123
Nov 24, 2024 12:50:11.221386909 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:11.425534010 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:11.428889036 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:11.471146107 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:11.548917055 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:11.758085966 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:11.802881002 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:21.428854942 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:21.548300982 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:21.767544031 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:21.887209892 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:31.557698011 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:31.677278042 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:31.896368027 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:32.016124964 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:41.682066917 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:41.803754091 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:42.020780087 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:42.172046900 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:42.263777018 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:42.263802052 CET	443	49931	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:42.264153004 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:42.265614986 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:42.265630007 CET	443	49931	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:43.589600086 CET	443	49931	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:43.592329025 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:43.598031044 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:43.598052025 CET	443	49931	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:43.598129034 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:43.598220110 CET	443	49931	34.107.243.93	192.168.2.5
Nov 24, 2024 12:50:43.601085901 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:43.602422953 CET	49931	443	192.168.2.5	34.107.243.93
Nov 24, 2024 12:50:43.720664978 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:43.924726009 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:43.928435087 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:43.973120928 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:44.049985886 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:44.255095005 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:44.307183981 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:53.931509972 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:54.052202940 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:50:54.270173073 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:50:54.389941931 CET	80	49732	34.107.221.82	192.168.2.5
Nov 24, 2024 12:51:04.060054064 CET	49720	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:51:04.179568052 CET	80	49720	34.107.221.82	192.168.2.5
Nov 24, 2024 12:51:04.398698092 CET	49732	80	192.168.2.5	34.107.221.82
Nov 24, 2024 12:51:04.518194914 CET	80	49732	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 12:49:11.207751989 CET	64833	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.345932961 CET	53	64833	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:11.347924948 CET	50245	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.485483885 CET	53	50245	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:11.706687927 CET	59006	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.715004921 CET	58811	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.845053911 CET	53	59006	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:11.846226931 CET	53579	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.853399038 CET	65446	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.984992981 CET	53	53579	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:11.985681057 CET	60298	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:11.992245913 CET	53	65446	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:11.992846966 CET	55188	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.098226070 CET	61334	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.126940012 CET	53	60298	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.134419918 CET	53	55188	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.238892078 CET	53	61334	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.338854074 CET	58690	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.360054970 CET	57985	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.483788013 CET	53	58690	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.484340906 CET	58373	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.490474939 CET	50555	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.502551079 CET	53	57985	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.513159990 CET	51738	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.628590107 CET	53	58373	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.636352062 CET	53	50555	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.640358925 CET	60296	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.653548002 CET	53	51738	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.660315990 CET	50113	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:12.778103113 CET	53	60296	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.798954964 CET	53	50113	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:12.999376059 CET	58959	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.141343117 CET	53	58959	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:13.142558098 CET	56321	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.194763899 CET	63097	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.271639109 CET	59908	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.272828102 CET	61818	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.284651041 CET	53	56321	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:13.285326958 CET	56805	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:13.333050966 CET	53	63097	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:13.409985065 CET	53	59908	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:13.424014091 CET	53	56805	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:13.947031975 CET	56565	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:14.059293985 CET	51974	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:14.196336985 CET	53	51974	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:14.198815107 CET	49422	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:14.335975885 CET	53	49422	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:14.342408895 CET	57708	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:14.479309082 CET	53	57708	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:14.554853916 CET	53	56115	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:14.839294910 CET	63701	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:14.976485014 CET	53	63701	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:14.979681969 CET	59192	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:15.116571903 CET	53	59192	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:17.645451069 CET	51153	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:17.703010082 CET	49312	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:17.782177925 CET	53	51153	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:17.788662910 CET	52467	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:17.843156099 CET	53	49312	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:17.846884966 CET	50188	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:17.927387953 CET	53	52467	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:17.929435015 CET	58279	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:17.983810902 CET	53	50188	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:17.988873005 CET	52465	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:18.067709923 CET	53	58279	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:18.127743959 CET	53	52465	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:23.925926924 CET	56456	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:23.925926924 CET	50523	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:23.926213980 CET	56568	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.064743042 CET	53	50523	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.065350056 CET	53	56456	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.065742970 CET	53	56568	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.065749884 CET	63703	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.066286087 CET	56466	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.066704988 CET	53484	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.202996016 CET	53	63703	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.203814983 CET	62884	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.204313040 CET	53	56466	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.204914093 CET	62873	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.207737923 CET	53	53484	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.208273888 CET	57594	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.341319084 CET	53	62884	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.342094898 CET	55208	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.342514992 CET	53	62873	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.343168020 CET	62078	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.346431971 CET	53	57594	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.347956896 CET	59003	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.479291916 CET	53	55208	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.480077982 CET	53	62078	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.489311934 CET	53	59003	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.495291948 CET	55411	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.495726109 CET	61180	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.509589911 CET	55870	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.632308006 CET	53	55411	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.633744001 CET	53	61180	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.638621092 CET	55522	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.638820887 CET	62787	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:24.646725893 CET	53	55870	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.776776075 CET	53	55522	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:24.855874062 CET	53	62787	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:30.421299934 CET	64023	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:30.560296059 CET	53	64023	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.533123970 CET	55140	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.535111904 CET	55662	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.583863974 CET	61899	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.651864052 CET	52185	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.669934034 CET	53	55140	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.670872927 CET	60458	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.671596050 CET	53	55662	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.722563028 CET	53	61899	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.723534107 CET	49759	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.791409969 CET	53	52185	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.861161947 CET	53	49759	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.861957073 CET	49618	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:39.905807972 CET	53	60458	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:39.907048941 CET	63403	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:49:40.003801107 CET	53	49618	1.1.1.1	192.168.2.5
Nov 24, 2024 12:49:40.045911074 CET	53	63403	1.1.1.1	192.168.2.5
Nov 24, 2024 12:50:00.847978115 CET	59684	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:00.985692024 CET	53	59684	1.1.1.1	192.168.2.5
Nov 24, 2024 12:50:02.099634886 CET	49716	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:09.647286892 CET	49794	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:09.792685032 CET	53	49794	1.1.1.1	192.168.2.5
Nov 24, 2024 12:50:11.098433018 CET	55395	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:42.124433041 CET	56705	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:42.262701988 CET	53	56705	1.1.1.1	192.168.2.5
Nov 24, 2024 12:50:42.263935089 CET	64637	53	192.168.2.5	1.1.1.1
Nov 24, 2024 12:50:42.400995970 CET	53	64637	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 12:49:11.207751989 CET	192.168.2.5	1.1.1.1	0xc07b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.347924948 CET	192.168.2.5	1.1.1.1	0x97	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:11.706687927 CET	192.168.2.5	1.1.1.1	0x3989	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.715004921 CET	192.168.2.5	1.1.1.1	0xc5fb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.846226931 CET	192.168.2.5	1.1.1.1	0xa9fc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.853399038 CET	192.168.2.5	1.1.1.1	0x62f7	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.985681057 CET	192.168.2.5	1.1.1.1	0xf54	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:11.992846966 CET	192.168.2.5	1.1.1.1	0x6471	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:12.098226070 CET	192.168.2.5	1.1.1.1	0x7771	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.338854074 CET	192.168.2.5	1.1.1.1	0x55f2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.360054970 CET	192.168.2.5	1.1.1.1	0x6aba	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.484340906 CET	192.168.2.5	1.1.1.1	0x88f0	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:12.490474939 CET	192.168.2.5	1.1.1.1	0x78ee	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.513159990 CET	192.168.2.5	1.1.1.1	0x477f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.640358925 CET	192.168.2.5	1.1.1.1	0x3727	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:12.660315990 CET	192.168.2.5	1.1.1.1	0xffed	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:12.999376059 CET	192.168.2.5	1.1.1.1	0x1419	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.142558098 CET	192.168.2.5	1.1.1.1	0x7b88	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.194763899 CET	192.168.2.5	1.1.1.1	0xd2ca	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.271639109 CET	192.168.2.5	1.1.1.1	0xec76	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.272828102 CET	192.168.2.5	1.1.1.1	0x4e29	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.285326958 CET	192.168.2.5	1.1.1.1	0xbf96	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:13.947031975 CET	192.168.2.5	1.1.1.1	0x3e30	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.059293985 CET	192.168.2.5	1.1.1.1	0xb41c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.198815107 CET	192.168.2.5	1.1.1.1	0x2b4e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.342408895 CET	192.168.2.5	1.1.1.1	0x38f6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:14.839294910 CET	192.168.2.5	1.1.1.1	0x9400	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.979681969 CET	192.168.2.5	1.1.1.1	0x5fd4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:17.645451069 CET	192.168.2.5	1.1.1.1	0x6a9e	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.703010082 CET	192.168.2.5	1.1.1.1	0x897	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.788662910 CET	192.168.2.5	1.1.1.1	0xdee9	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.846884966 CET	192.168.2.5	1.1.1.1	0x146f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.929435015 CET	192.168.2.5	1.1.1.1	0x49e1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:17.988873005 CET	192.168.2.5	1.1.1.1	0xac0f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:23.925926924 CET	192.168.2.5	1.1.1.1	0x3c6d	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:23.925926924 CET	192.168.2.5	1.1.1.1	0xb131	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:23.926213980 CET	192.168.2.5	1.1.1.1	0xde32	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.065749884 CET	192.168.2.5	1.1.1.1	0xb4c2	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.066286087 CET	192.168.2.5	1.1.1.1	0x3281	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.066704988 CET	192.168.2.5	1.1.1.1	0xa5d0	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.203814983 CET	192.168.2.5	1.1.1.1	0xbda	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.204914093 CET	192.168.2.5	1.1.1.1	0x538f	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.208273888 CET	192.168.2.5	1.1.1.1	0x21d	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.342094898 CET	192.168.2.5	1.1.1.1	0x9529	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.343168020 CET	192.168.2.5	1.1.1.1	0x954	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.347956896 CET	192.168.2.5	1.1.1.1	0x5bc7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.495291948 CET	192.168.2.5	1.1.1.1	0xc58b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.495726109 CET	192.168.2.5	1.1.1.1	0x7477	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.509589911 CET	192.168.2.5	1.1.1.1	0xc48b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.638621092 CET	192.168.2.5	1.1.1.1	0x9bdd	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:24.638820887 CET	192.168.2.5	1.1.1.1	0x5896	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:30.421299934 CET	192.168.2.5	1.1.1.1	0xc972	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:39.533123970 CET	192.168.2.5	1.1.1.1	0xfaac	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.535111904 CET	192.168.2.5	1.1.1.1	0xb24f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:39.583863974 CET	192.168.2.5	1.1.1.1	0xaf8e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.651864052 CET	192.168.2.5	1.1.1.1	0x38bd	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 12:49:39.670872927 CET	192.168.2.5	1.1.1.1	0xe59c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.723534107 CET	192.168.2.5	1.1.1.1	0x26c	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.861957073 CET	192.168.2.5	1.1.1.1	0x5286	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:49:39.907048941 CET	192.168.2.5	1.1.1.1	0xbf6b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 12:50:00.847978115 CET	192.168.2.5	1.1.1.1	0xa07c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:50:02.099634886 CET	192.168.2.5	1.1.1.1	0x8209	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:09.647286892 CET	192.168.2.5	1.1.1.1	0x7a42	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 12:50:11.098433018 CET	192.168.2.5	1.1.1.1	0xbc73	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:42.124433041 CET	192.168.2.5	1.1.1.1	0x8358	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:42.263935089 CET	192.168.2.5	1.1.1.1	0xdbd0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 12:49:11.204338074 CET	1.1.1.1	192.168.2.5	0xa0aa	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.345932961 CET	1.1.1.1	192.168.2.5	0xc07b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.845053911 CET	1.1.1.1	192.168.2.5	0x3989	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.852344990 CET	1.1.1.1	192.168.2.5	0xc5fb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:11.852344990 CET	1.1.1.1	192.168.2.5	0xc5fb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.984992981 CET	1.1.1.1	192.168.2.5	0xa9fc	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:11.992245913 CET	1.1.1.1	192.168.2.5	0x62f7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.126940012 CET	1.1.1.1	192.168.2.5	0xf54	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:12.134419918 CET	1.1.1.1	192.168.2.5	0x6471	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 12:49:12.238892078 CET	1.1.1.1	192.168.2.5	0x7771	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.483788013 CET	1.1.1.1	192.168.2.5	0x55f2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.489366055 CET	1.1.1.1	192.168.2.5	0xdd04	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:12.489366055 CET	1.1.1.1	192.168.2.5	0xdd04	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.502551079 CET	1.1.1.1	192.168.2.5	0x6aba	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:12.502551079 CET	1.1.1.1	192.168.2.5	0x6aba	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.636352062 CET	1.1.1.1	192.168.2.5	0x78ee	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:12.653548002 CET	1.1.1.1	192.168.2.5	0x477f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.141343117 CET	1.1.1.1	192.168.2.5	0x1419	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:13.141343117 CET	1.1.1.1	192.168.2.5	0x1419	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:13.141343117 CET	1.1.1.1	192.168.2.5	0x1419	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.284651041 CET	1.1.1.1	192.168.2.5	0x7b88	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.333050966 CET	1.1.1.1	192.168.2.5	0xd2ca	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.409985065 CET	1.1.1.1	192.168.2.5	0xec76	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.409985065 CET	1.1.1.1	192.168.2.5	0xec76	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.410698891 CET	1.1.1.1	192.168.2.5	0x4e29	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:13.410698891 CET	1.1.1.1	192.168.2.5	0x4e29	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:13.424014091 CET	1.1.1.1	192.168.2.5	0xbf96	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 12:49:14.174665928 CET	1.1.1.1	192.168.2.5	0x3e30	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:14.196336985 CET	1.1.1.1	192.168.2.5	0xb41c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.335975885 CET	1.1.1.1	192.168.2.5	0x2b4e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.799746037 CET	1.1.1.1	192.168.2.5	0x1603	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.824337006 CET	1.1.1.1	192.168.2.5	0xa4be	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:14.824337006 CET	1.1.1.1	192.168.2.5	0xa4be	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:14.976485014 CET	1.1.1.1	192.168.2.5	0x9400	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.782177925 CET	1.1.1.1	192.168.2.5	0x6a9e	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:17.782177925 CET	1.1.1.1	192.168.2.5	0x6a9e	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:17.782177925 CET	1.1.1.1	192.168.2.5	0x6a9e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.824179888 CET	1.1.1.1	192.168.2.5	0x6bf8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.843156099 CET	1.1.1.1	192.168.2.5	0x897	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:17.843156099 CET	1.1.1.1	192.168.2.5	0x897	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.927387953 CET	1.1.1.1	192.168.2.5	0xdee9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:17.983810902 CET	1.1.1.1	192.168.2.5	0x146f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.064743042 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.065350056 CET	1.1.1.1	192.168.2.5	0x3c6d	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:24.065350056 CET	1.1.1.1	192.168.2.5	0x3c6d	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.065742970 CET	1.1.1.1	192.168.2.5	0xde32	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:24.065742970 CET	1.1.1.1	192.168.2.5	0xde32	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.202996016 CET	1.1.1.1	192.168.2.5	0xb4c2	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.204313040 CET	1.1.1.1	192.168.2.5	0x3281	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.207737923 CET	1.1.1.1	192.168.2.5	0xa5d0	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.341319084 CET	1.1.1.1	192.168.2.5	0xbda	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.341319084 CET	1.1.1.1	192.168.2.5	0xbda	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.341319084 CET	1.1.1.1	192.168.2.5	0xbda	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.341319084 CET	1.1.1.1	192.168.2.5	0xbda	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.342514992 CET	1.1.1.1	192.168.2.5	0x538f	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.346431971 CET	1.1.1.1	192.168.2.5	0x21d	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 12:49:24.479291916 CET	1.1.1.1	192.168.2.5	0x9529	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:24.479291916 CET	1.1.1.1	192.168.2.5	0x9529	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.479291916 CET	1.1.1.1	192.168.2.5	0x9529	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.479291916 CET	1.1.1.1	192.168.2.5	0x9529	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.479291916 CET	1.1.1.1	192.168.2.5	0x9529	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.480077982 CET	1.1.1.1	192.168.2.5	0x954	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.480077982 CET	1.1.1.1	192.168.2.5	0x954	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.480077982 CET	1.1.1.1	192.168.2.5	0x954	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.480077982 CET	1.1.1.1	192.168.2.5	0x954	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.632308006 CET	1.1.1.1	192.168.2.5	0xc58b	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.633744001 CET	1.1.1.1	192.168.2.5	0x7477	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.633744001 CET	1.1.1.1	192.168.2.5	0x7477	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.633744001 CET	1.1.1.1	192.168.2.5	0x7477	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:24.633744001 CET	1.1.1.1	192.168.2.5	0x7477	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.650299072 CET	1.1.1.1	192.168.2.5	0x412c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:39.650299072 CET	1.1.1.1	192.168.2.5	0x412c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.669934034 CET	1.1.1.1	192.168.2.5	0xfaac	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.669934034 CET	1.1.1.1	192.168.2.5	0xfaac	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.669934034 CET	1.1.1.1	192.168.2.5	0xfaac	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.669934034 CET	1.1.1.1	192.168.2.5	0xfaac	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.722563028 CET	1.1.1.1	192.168.2.5	0xaf8e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:39.722563028 CET	1.1.1.1	192.168.2.5	0xaf8e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.861161947 CET	1.1.1.1	192.168.2.5	0x26c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.905807972 CET	1.1.1.1	192.168.2.5	0xe59c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.905807972 CET	1.1.1.1	192.168.2.5	0xe59c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.905807972 CET	1.1.1.1	192.168.2.5	0xe59c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:39.905807972 CET	1.1.1.1	192.168.2.5	0xe59c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:49:40.045911074 CET	1.1.1.1	192.168.2.5	0xbf6b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 12:49:40.045911074 CET	1.1.1.1	192.168.2.5	0xbf6b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 12:49:40.045911074 CET	1.1.1.1	192.168.2.5	0xbf6b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 12:49:40.045911074 CET	1.1.1.1	192.168.2.5	0xbf6b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 12:49:43.158195019 CET	1.1.1.1	192.168.2.5	0xf633	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:49:43.158195019 CET	1.1.1.1	192.168.2.5	0xf633	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:50:02.239829063 CET	1.1.1.1	192.168.2.5	0x8209	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:50:02.239829063 CET	1.1.1.1	192.168.2.5	0x8209	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:09.644089937 CET	1.1.1.1	192.168.2.5	0x2872	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:11.247397900 CET	1.1.1.1	192.168.2.5	0xbc73	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 12:50:11.247397900 CET	1.1.1.1	192.168.2.5	0xbc73	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 12:50:42.262701988 CET	1.1.1.1	192.168.2.5	0x8358	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	6500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 12:49:11.974562883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:13.180685043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65461 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	6500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 12:49:13.534415007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:14.637512922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 58157 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	34.107.221.82	80	6500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 12:49:13.997148037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:15.149741888 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65462 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:17.686271906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:18.027502060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65465 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:19.252218008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:19.577430964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65467 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:24.348841906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:24.672914028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65472 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:29.462088108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:29.785980940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:31.755484104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:32.081231117 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65479 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:33.033456087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:33.360280991 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65481 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:34.730544090 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:35.055459976 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65482 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:40.834398031 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:41.166686058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65488 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:42.256366968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:49:42.580044985 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65490 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:49:52.588988066 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:02.099323034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:50:02.424249887 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65510 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:50:11.097901106 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:50:11.425534010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65519 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:50:21.428854942 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:31.557698011 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:41.682066917 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:43.601085901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 12:50:43.924726009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 65551 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 12:50:53.931509972 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:51:04.060054064 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49729	34.107.221.82	80	6500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 12:49:17.782701969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49732	34.107.221.82	80	6500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 12:49:18.152024984 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:19.298264980 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43812 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:24.300165892 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:24.623577118 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43817 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:25.219697952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:25.554223061 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43818 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:30.422486067 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:30.765149117 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43823 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:32.085196972 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:32.417069912 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43825 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:33.363010883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:33.695383072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43826 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:35.058017969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:35.385072947 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43828 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:41.169569969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:41.493170977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43834 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:42.583558083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:49:42.907154083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43835 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:49:52.921099901 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:02.427356005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:50:02.766120911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43855 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:50:11.428889036 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:50:11.758085966 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43864 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:50:21.767544031 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:31.896368027 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:42.020780087 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:50:43.928435087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 12:50:44.255095005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 43897 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 12:50:54.270173073 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 12:51:04.398698092 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	06:49:04
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x290000
File size:	923'136 bytes
MD5 hash:	734C2298958280863CAD3C352A220423
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:49:04
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xe10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:49:04
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:49:06
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:49:06
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xe10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xe10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xe10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:49:07
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:49:08
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5359dab-6852-45d1-9873-e9b6cd21ec60} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 1482fa6f310 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:49:10
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -parentBuildID 20230927232528 -prefsHandle 2448 -prefMapHandle 3808 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bec29b8f-dfc2-4585-825b-2c5e8cd8351e} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148402f8110 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:49:14
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0445bd-cc5c-4405-a740-06c3bfed3971} 6500 "\\.\pipe\gecko-crash-server-pipe.6500" 148417fc110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1577
Total number of Limit Nodes:	50

Executed Functions

Function 002942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0029430D

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

GetCurrentProcess.KERNEL32(?,0032CB64,00000000,?,?), ref: 00294422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00294429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00294454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00294466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00294474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0029447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002944A0

Strings

|O, xrefs: 002D36F8
kernel32.dll, xrefs: 0029444F
GetNativeSystemInfo, xrefs: 00294460

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0cb12b0a302cf3c2fb077a47931e81d993f9fca1a9f4a4163124140de76e0c68
Instruction ID: 8126457cda971717a25427a1c3b2db31232c9c21d6931885a48f35acf1a331ac
Opcode Fuzzy Hash: 0cb12b0a302cf3c2fb077a47931e81d993f9fca1a9f4a4163124140de76e0c68
Instruction Fuzzy Hash: 8BA1827EA2A2C1DFCB13DB69BC415997FAC6B36300F2CD899D04393B21D2E04915CB66

Function 002942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002950AA,?,?,00000000,00000000), ref: 002942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002950AA,?,?,00000000,00000000), ref: 002942C9
LoadResource.KERNEL32(?,00000000,?,?,002950AA,?,?,00000000,00000000,?,?,?,?,?,?,00294F20), ref: 002D35BE
SizeofResource.KERNEL32(?,00000000,?,?,002950AA,?,?,00000000,00000000,?,?,?,?,?,?,00294F20), ref: 002D35D3
LockResource.KERNEL32(002950AA,?,?,002950AA,?,?,00000000,00000000,?,?,?,?,?,?,00294F20,?), ref: 002D35E6

Strings

SCRIPT, xrefs: 002942BF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 363b0fc7c17888230a0670244e1ad4dd47ce986a929ab2f04b8e4353c1242b6c
Instruction ID: feea47379860fcf94170c866862272c65d37ee46acb6377ed521bb4a47b4e215
Opcode Fuzzy Hash: 363b0fc7c17888230a0670244e1ad4dd47ce986a929ab2f04b8e4353c1242b6c
Instruction Fuzzy Hash: 40115A70610701AFEB229B65DC48F6B7BBDEFC5B51F20856EB80296250DB71D8118620

Function 002D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00292B6B

Part of subcall function 00293A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00361418,?,00292E7F,?,?,?,00000000), ref: 00293A78

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00352224), ref: 002D2C10
ShellExecuteW.SHELL32(00000000,?,?,00352224), ref: 002D2C17

Strings

runas, xrefs: 002D2C0B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 1e9702fc2381a73e128e7086c9b9279b0abf2435b63a53fd04690279ce5701c7
Instruction ID: f614176004e09a8ccbc6292bd6a55f7f8a0ad1f3ea81f79dc6aad74d43265076
Opcode Fuzzy Hash: 1e9702fc2381a73e128e7086c9b9279b0abf2435b63a53fd04690279ce5701c7
Instruction Fuzzy Hash: 8F112931128301AACF16FF64D861EBE77E8AFA1355F48542DF582430A2CF61896ECB52

Function 002FD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002FD501
Process32FirstW.KERNEL32(00000000,?), ref: 002FD50F
Process32NextW.KERNEL32(00000000,?), ref: 002FD52F
CloseHandle.KERNELBASE(00000000), ref: 002FD5DC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 00e0c6dd6f219e8d72d0a0145961a1033c0e98d7bc9b0dd35d9559b4ef5e293f
Instruction ID: 632cf4764b21039416263ba666ecb6bac859645e0ad31712dcb2b9c4aa1c3594
Opcode Fuzzy Hash: 00e0c6dd6f219e8d72d0a0145961a1033c0e98d7bc9b0dd35d9559b4ef5e293f
Instruction Fuzzy Hash: 0631C2711183059FD701EF64C881ABFBBF8FF99394F50092DF581821A2EB71A959CB92

Function 002FDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,002D5222), ref: 002FDBCE
GetFileAttributesW.KERNELBASE(?), ref: 002FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 002FDBEE
FindClose.KERNEL32(00000000), ref: 002FDBFA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f6b4dd954889eacba83cdc58fc90db1309ecd72abdf7714a62f1541905c9c067
Instruction ID: 56ece6027dc8255dcfa32599bf584522f635a337a0e4e26d0ca3c7b484e68d37
Opcode Fuzzy Hash: f6b4dd954889eacba83cdc58fc90db1309ecd72abdf7714a62f1541905c9c067
Instruction Fuzzy Hash: 05F0A030830A1897C2316F78AC0E8BEB76D9E01374F904B1BF976C20E0EBB0596686D5

Function 002B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002C28E9,?,002B4CBE,002C28E9,003588B8,0000000C,002B4E15,002C28E9,00000002,00000000,?,002C28E9), ref: 002B4D09
TerminateProcess.KERNEL32(00000000,?,002B4CBE,002C28E9,003588B8,0000000C,002B4E15,002C28E9,00000002,00000000,?,002C28E9), ref: 002B4D10
ExitProcess.KERNEL32 ref: 002B4D22

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 13298cdbf78ed4704b6457094c3bb412000b4d28c4fa722e92236a5effa94ca3
Instruction ID: 6aca6ee40cc8dc0ff53bcb76e7a49b74c29bf05e7ec691df3567d2a63387af6d
Opcode Fuzzy Hash: 13298cdbf78ed4704b6457094c3bb412000b4d28c4fa722e92236a5effa94ca3
Instruction Fuzzy Hash: 52E0B631020549ABCF22BF54DD4AA983B6DEB45795F108418FD058A123CB39EDA2DB84

Function 0029BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#6, xrefs: 002E07CE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#6
API String ID: 3964851224-3668136890
Opcode ID: 160dcd4d755a9ba52c5625e458581896adcd3ff41e582a14120af4706e37627b
Instruction ID: 390ab1b81fdab4ddc464cb998bf97e5276832d41fbc563a2f29160a9860f78ba
Opcode Fuzzy Hash: 160dcd4d755a9ba52c5625e458581896adcd3ff41e582a14120af4706e37627b
Instruction Fuzzy Hash: 1BA27D706283418FDB14CF15C480B2AB7E5BF89304F64896DE89A8B352D771ECA5CF92

Function 0031AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0031B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0031B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0031B1D4
_wcslen.LIBCMT ref: 0031B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0031B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0031B236
_wcslen.LIBCMT ref: 0031B332

Part of subcall function 003005A7: GetStdHandle.KERNEL32(000000F6), ref: 003005C6

_wcslen.LIBCMT ref: 0031B34B
_wcslen.LIBCMT ref: 0031B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0031B3B6
GetLastError.KERNEL32(00000000), ref: 0031B407
CloseHandle.KERNEL32(?), ref: 0031B439
CloseHandle.KERNEL32(00000000), ref: 0031B44A
CloseHandle.KERNEL32(00000000), ref: 0031B45C
CloseHandle.KERNEL32(00000000), ref: 0031B46E
CloseHandle.KERNEL32(?), ref: 0031B4E3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 02bbfee4add3b53bdcb8d0fc527d873f49cb83673c7e12254d6390f430c0b464
Instruction ID: a19407530a0d1a9186c96940b83cb2950c59c783d651782cd832e8ab9a43c926
Opcode Fuzzy Hash: 02bbfee4add3b53bdcb8d0fc527d873f49cb83673c7e12254d6390f430c0b464
Instruction Fuzzy Hash: D1F19E315183409FCB1AEF24C891BAEBBE5AF89310F15895DF8958B2A2CB31DC55CF52

Function 0029D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0029D807
timeGetTime.WINMM ref: 0029DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0029DB28
TranslateMessage.USER32(?), ref: 0029DB7B
DispatchMessageW.USER32(?), ref: 0029DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0029DB9F
Sleep.KERNELBASE(0000000A), ref: 0029DBB1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0aad26b8135331c76e55bdb5503ebb32ee69fc7f22610984f984802865e80293
Instruction ID: 465535a3b4f8e18a551ff5f4c44054f163e62a233aba8ada4f3c33cd11302434
Opcode Fuzzy Hash: 0aad26b8135331c76e55bdb5503ebb32ee69fc7f22610984f984802865e80293
Instruction Fuzzy Hash: F2422430668382DFDB29DF25C844B6AB7E4BF46304F54852DE45687291C7B0E878DF82

Function 00292CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00292D07
RegisterClassExW.USER32(00000030), ref: 00292D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00292D42
InitCommonControlsEx.COMCTL32(?), ref: 00292D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00292D6F
LoadIconW.USER32(000000A9), ref: 00292D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00292D94

Strings

TaskbarCreated, xrefs: 00292D37
+, xrefs: 00292CF0
AutoIt v3 GUI, xrefs: 00292D23
0, xrefs: 00292CE9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 02efbf56dfe933917aeed6e2ed8a9c07fe6401404b6421778d01af09ebeb92f4
Instruction ID: 70f06ea46b15e5eb2975150ee93d5486a6f7cbde35787025f948410b01b06aae
Opcode Fuzzy Hash: 02efbf56dfe933917aeed6e2ed8a9c07fe6401404b6421778d01af09ebeb92f4
Instruction Fuzzy Hash: 4F21E0B5921218AFDB12DFA8E889BDDBBF8FB08701F14911AF611A62A0D7B14544CF91

Function 002D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D039A: CreateFileW.KERNELBASE(00000000,00000000,?,002D0704,?,?,00000000,?,002D0704,00000000,0000000C), ref: 002D03B7

GetLastError.KERNEL32 ref: 002D076F
__dosmaperr.LIBCMT ref: 002D0776
GetFileType.KERNELBASE(00000000), ref: 002D0782
GetLastError.KERNEL32 ref: 002D078C
__dosmaperr.LIBCMT ref: 002D0795
CloseHandle.KERNEL32(00000000), ref: 002D07B5
CloseHandle.KERNEL32(?), ref: 002D08FF
GetLastError.KERNEL32 ref: 002D0931
__dosmaperr.LIBCMT ref: 002D0938

Strings

H, xrefs: 002D08BD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b11b4b2d1ffe3fcc20639acddbc5303ada93630ffd40544325cf0d6370e4bf8a
Instruction ID: d1057fe8f61ad61c5194c3d0f65c4bb1dcd5fd5e569b20474c839768007489ee
Opcode Fuzzy Hash: b11b4b2d1ffe3fcc20639acddbc5303ada93630ffd40544325cf0d6370e4bf8a
Instruction Fuzzy Hash: 93A12432A201059FDF19EF68DC92BAE7BA4AB46320F14415EF815DF3A1D7719C22CB91

Function 0029344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00293A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00361418,?,00292E7F,?,?,?,00000000), ref: 00293A78

Part of subcall function 00293357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00293379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0029356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002D31CE
RegCloseKey.ADVAPI32(?), ref: 002D3210
_wcslen.LIBCMT ref: 002D3277
_wcslen.LIBCMT ref: 002D3286

Strings

\Include\, xrefs: 00293527
Software\AutoIt v3\AutoIt, xrefs: 00293560
Include, xrefs: 002D3184, 002D31C5
\, xrefs: 002D328C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 928419b62e9441dd5a608f0c95d38f5f7709d64f13f29acfcd58986fbec47eee
Instruction ID: 0ea35ad04f8c0b55d7d3409b061d2c0c1a2a8e5784664c9583138e96b5b2d5ad
Opcode Fuzzy Hash: 928419b62e9441dd5a608f0c95d38f5f7709d64f13f29acfcd58986fbec47eee
Instruction Fuzzy Hash: EE71B2755247019EC716EF65DC818ABBBECFF95340F51882EF445832A0EBB08A58CF52

Function 00292B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00292B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00292B9D
LoadIconW.USER32(00000063), ref: 00292BB3
LoadIconW.USER32(000000A4), ref: 00292BC5
LoadIconW.USER32(000000A2), ref: 00292BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00292BEF
RegisterClassExW.USER32(?), ref: 00292C40

Part of subcall function 00292CD4: GetSysColorBrush.USER32(0000000F), ref: 00292D07
Part of subcall function 00292CD4: RegisterClassExW.USER32(00000030), ref: 00292D31
Part of subcall function 00292CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00292D42
Part of subcall function 00292CD4: InitCommonControlsEx.COMCTL32(?), ref: 00292D5F
Part of subcall function 00292CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00292D6F
Part of subcall function 00292CD4: LoadIconW.USER32(000000A9), ref: 00292D85
Part of subcall function 00292CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00292D94

Strings

0, xrefs: 00292C0F
#, xrefs: 00292C16
AutoIt v3, xrefs: 00292C2F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 857e9f4aab46ae88c9deaab68de7b4ceaa52cfe77690b3acdb736d1e53fd1c22
Instruction ID: ed653e03cb3035e7e5820c22e85956b91164e8785f5bdd5dbbca1770bd0988db
Opcode Fuzzy Hash: 857e9f4aab46ae88c9deaab68de7b4ceaa52cfe77690b3acdb736d1e53fd1c22
Instruction Fuzzy Hash: 04213978E20314AFDB229FA5EC45A9D7FB8FB08B50F28801AE501A67A0D7F10540DF90

Function 00293170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0029316A,?,?), ref: 002931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0029316A,?,?), ref: 00293204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00293227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0029316A,?,?), ref: 00293232
CreatePopupMenu.USER32 ref: 00293246
PostQuitMessage.USER32(00000000), ref: 00293267

Strings

TaskbarCreated, xrefs: 0029322D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9c5d914d864b33b092cf4ae8ae0384fbc176ab779854aaaa3d68111f8bec5a49
Instruction ID: 5af5b4a2de79735d5b44b32fb565f2543b99fc555abeeb1ed13142eb79be476d
Opcode Fuzzy Hash: 9c5d914d864b33b092cf4ae8ae0384fbc176ab779854aaaa3d68111f8bec5a49
Instruction Fuzzy Hash: D2415835634205ABDF269F789C09B7D365EEB05340F18412AF916C62B1CBE09E31DBA1

Function 00291410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00291459
CoUninitialize.COMBASE ref: 002914F8
UnregisterHotKey.USER32(?), ref: 002916DD
DestroyWindow.USER32(?), ref: 002D24B9
FreeLibrary.KERNEL32(?), ref: 002D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002D254B

Strings

close all, xrefs: 00291454

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 69cf0928ff6c28239278899558bf3984e9ae46249ea8ac3936218aa9c683a84a
Instruction ID: 794f1174faf2bf486a670b693fc2552cf9d2b9d3954b6f0da7d76d47e4efc891
Opcode Fuzzy Hash: 69cf0928ff6c28239278899558bf3984e9ae46249ea8ac3936218aa9c683a84a
Instruction Fuzzy Hash: E7D17931621213CFCB29EF15D595A29F7A8BF15700F5442AEE44A6B351CB30AC36CF90

Function 00292C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00292C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00292CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00291CAD,?), ref: 00292CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00291CAD,?), ref: 00292CCF

Strings

edit, xrefs: 00292CAC
AutoIt v3, xrefs: 00292C89, 00292C8E, 00292C8F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b3b60f3f12021565c498395b2d18a79a02a424b68ab6f32e323eb85e78a54860
Instruction ID: 23016a8085e0d2982da331bccce3fb5a334a2f5cf3d45062b16e3b04822a09ba
Opcode Fuzzy Hash: b3b60f3f12021565c498395b2d18a79a02a424b68ab6f32e323eb85e78a54860
Instruction Fuzzy Hash: 1BF0DA795502907AEB731717AC08E7B2EBDD7CAF50F24905EF901A26A0C6E11851EAB1

Function 00293B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00293B0F,SwapMouseButtons,00000004,?), ref: 00293B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00293B0F,SwapMouseButtons,00000004,?), ref: 00293B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00293B0F,SwapMouseButtons,00000004,?), ref: 00293B83

Strings

Control Panel\Mouse, xrefs: 00293B3E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a9ff659bc3d89ab229b1e1c8222778748e698ac596f9576e5f3538f27bd2e6e9
Instruction ID: ba35a5ecd74590f890e76441fc4240102a74aa01b403b5090810f1e901a5c24d
Opcode Fuzzy Hash: a9ff659bc3d89ab229b1e1c8222778748e698ac596f9576e5f3538f27bd2e6e9
Instruction Fuzzy Hash: 58112AB5520209FFDF21CFA5DC54EAEB7BCEF04748F108459A805D7210D271DE5197A0

Function 00293923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002D33A2

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00293A04

Strings

Line: , xrefs: 002D33EB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a7d4aafd5a1de64e7908be9b2eb607e4cea8b978182c489a285b3020ea3dae37
Instruction ID: 379dbcc82a63e6518ba6fa825c7f5fdc898218e4c98c8d76f1d5d0783dc73d3e
Opcode Fuzzy Hash: a7d4aafd5a1de64e7908be9b2eb607e4cea8b978182c489a285b3020ea3dae37
Instruction Fuzzy Hash: 2731D671428300AADB22EF10DC45BEFB7DCAB40710F14455EF59A93191DBB09A68CBC2

Function 00292DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 002D2C8C

Part of subcall function 00293AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00293A97,?,?,00292E7F,?,?,?,00000000), ref: 00293AC2

Part of subcall function 00292DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00292DC4

Strings

X, xrefs: 002D2C5A
`e5, xrefs: 002D2C85

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e5
API String ID: 779396738-3892304799
Opcode ID: c813219a9e42b84462f748d3846b6d2b06b27e3256f0145d43c06abea33b5afe
Instruction ID: fbe533b1f1f42135f41c3c407d28d41bd5e71eb257c6665f07b97807eafc0710
Opcode Fuzzy Hash: c813219a9e42b84462f748d3846b6d2b06b27e3256f0145d43c06abea33b5afe
Instruction Fuzzy Hash: 3E219371A20258AFDF41EF94C845BEE7BFCAF49305F40805AE405B7241DBB45A5D8FA1

Function 002AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002B0668

Part of subcall function 002B32A4: RaiseException.KERNEL32(?,?,?,002B068A,?,00361444,?,?,?,?,?,?,002B068A,00291129,00358738,00291129), ref: 002B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002B0685

Strings

Unknown exception, xrefs: 002B0692

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1007df19de10e24c95c92805fd58bba00f4467bb31aed276b05b53e5567f34e4
Instruction ID: 250b25e098943570e8e3f27e773d719083ed9c3b9a583ade72766a85e6fb1f43
Opcode Fuzzy Hash: 1007df19de10e24c95c92805fd58bba00f4467bb31aed276b05b53e5567f34e4
Instruction Fuzzy Hash: B6F0C83492020D77CF16BAA4D886CDF776C5E00390B604171F924955A2EF71DA35CE80

Function 002910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00291BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00291BF4
Part of subcall function 00291BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00291BFC
Part of subcall function 00291BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00291C07
Part of subcall function 00291BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00291C12
Part of subcall function 00291BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00291C1A
Part of subcall function 00291BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00291C22

Part of subcall function 00291B4A: RegisterWindowMessageW.USER32(00000004,?,002912C4), ref: 00291BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0029136A
OleInitialize.OLE32 ref: 00291388
CloseHandle.KERNEL32(00000000,00000000), ref: 002D24AB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6713515db3295bb45eb6a3f13cf024134d85a87540a0f8d331dac9955e7feb1a
Instruction ID: c0715901b7e0164eaff67f060f211640c2647fa66403354364352f78f98cbbec
Opcode Fuzzy Hash: 6713515db3295bb45eb6a3f13cf024134d85a87540a0f8d331dac9955e7feb1a
Instruction Fuzzy Hash: 5C71DCB89213018EC787DF7AE855659BAF8BB8A344B5CC22AD60BC7261EBB04450CF45

Function 002FC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00293923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00293A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002FC259
KillTimer.USER32(?,00000001,?,?), ref: 002FC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002FC270

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 189b5ee97145ca0b844d6d5e6a5742c71ee8563ab6322f2ed13568ad15732dc4
Instruction ID: 83fcd763447ac3b5847bd4949161ce4d6044c488e0fcbe76f445c54103ec943a
Opcode Fuzzy Hash: 189b5ee97145ca0b844d6d5e6a5742c71ee8563ab6322f2ed13568ad15732dc4
Instruction Fuzzy Hash: 6331E37091034CAFEB328F648955BEBFBECAF02344F1404AED6DA93241C7B45A94CB51

Function 002C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002C85CC,?,00358CC8,0000000C), ref: 002C8704
GetLastError.KERNEL32(?,002C85CC,?,00358CC8,0000000C), ref: 002C870E
__dosmaperr.LIBCMT ref: 002C8739

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ecec73210f00c5637aa605fad307512f87f72db0779ff4a88dd07f2cf1079203
Instruction ID: 9fbc284a29320f4b8c13bd798512b3d4b5f572520b508491f32196d7accbc30a
Opcode Fuzzy Hash: ecec73210f00c5637aa605fad307512f87f72db0779ff4a88dd07f2cf1079203
Instruction Fuzzy Hash: 8401AB32A30A7026C22566306845F7F674C4B81778F39834DF9088B0D2DEE0ECE18580

Function 0029DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0029DB7B
DispatchMessageW.USER32(?), ref: 0029DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0029DB9F
Sleep.KERNELBASE(0000000A), ref: 0029DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 002E1CC9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 1491f7e59b8dcf2ecaf7a34c04d448191219287ea17350cec6c6c307678d954b
Instruction ID: aa68bb92875669118e5d3a74fd6a4fe0d54ed0aa5c5f395ce0e9a5514531eea7
Opcode Fuzzy Hash: 1491f7e59b8dcf2ecaf7a34c04d448191219287ea17350cec6c6c307678d954b
Instruction Fuzzy Hash: 67F05E306643819BEB30CB618C59FEA73BCEB45310F505A29E65AC30C0DB70A4999B26

Function 002A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002A17F6

Strings

CALL, xrefs: 002A17C6

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4fe10497c4928ed6583e441c1e2bfd20359e29d33dab1a103ab36760b14757ef
Instruction ID: effaf7392b4d6b4b40d0bc2217c9ee12b05346a8a808eeeb45f06a0f639fdbb9
Opcode Fuzzy Hash: 4fe10497c4928ed6583e441c1e2bfd20359e29d33dab1a103ab36760b14757ef
Instruction Fuzzy Hash: 6022CB706283429FC714CF14C484A2ABBF5BF9A364F54895DF4968B3A1DB71E861CF82

Function 00293837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00293908

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e8f93f9d7a2d9a8d392c4f8e4f30acd578f94f412aabbf03b99814bac38df0fe
Instruction ID: 499ce21719f3d212f719040928a136dee431906ce1df736b06cfe463f817057e
Opcode Fuzzy Hash: e8f93f9d7a2d9a8d392c4f8e4f30acd578f94f412aabbf03b99814bac38df0fe
Instruction Fuzzy Hash: E531A270514301DFD761EF24D88479BBBE8FB49708F14092EF59A87340E7B1AA54CB92

Function 002AF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002AF661

Part of subcall function 0029D730: GetInputState.USER32 ref: 0029D807

Sleep.KERNEL32(00000000), ref: 002EF2DE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: c57fd33f01718372c5f954bd32e3452ae5021ce9fd20e72b85c65224cc5aeea1
Instruction ID: a1c27c635958192795e4e0d3a2bc7b50fce03a3680375cccd5a866757a20e09b
Opcode Fuzzy Hash: c57fd33f01718372c5f954bd32e3452ae5021ce9fd20e72b85c65224cc5aeea1
Instruction Fuzzy Hash: 11F08C312606059FD354EFB9E649B6AB7E8EF46760F00002AE859C7260DB70A820CF91

Function 00294ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00294E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00294EDD,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E9C
Part of subcall function 00294E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00294EAE
Part of subcall function 00294E90: FreeLibrary.KERNEL32(00000000,?,?,00294EDD,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294EFD

Part of subcall function 00294E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D3CDE,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E62
Part of subcall function 00294E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00294E74
Part of subcall function 00294E59: FreeLibrary.KERNEL32(00000000,?,?,002D3CDE,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E87

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2460c120eb7f1a0dd624abbcc31263cc3bee9fb14edf65b63079949c08577476
Instruction ID: c10c14dc5bb987e952c16a76376624ccbfcaaa3cfea71f08f6eaef1a9bc9519c
Opcode Fuzzy Hash: 2460c120eb7f1a0dd624abbcc31263cc3bee9fb14edf65b63079949c08577476
Instruction Fuzzy Hash: 3511E732630206AACF25FF60DC02FAD77A59F40754F10842EF582A61D1EE749E269B50

Function 002C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002C8440

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: fa9e0f1045cb9ec96d8b45ebcb7887f183d92ed47daf98379db5263a43d98f14
Instruction ID: 91ee184f496e5e035ea4056f8aa7839476bdf632846b8f3916f337564eaca4d7
Opcode Fuzzy Hash: fa9e0f1045cb9ec96d8b45ebcb7887f183d92ed47daf98379db5263a43d98f14
Instruction Fuzzy Hash: 5011487190410AAFCB19DF58E941E9A7BF9EF48300F108169F808AB312DA30DA21CBA5

Function 002C5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002C4C7D: RtlAllocateHeap.NTDLL(00000008,00291129,00000000,?,002C2E29,00000001,00000364,?,?,?,002BF2DE,002C3863,00361444,?,002AFDF5,?), ref: 002C4CBE

_free.LIBCMT ref: 002C506C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 36237e4ae68254038da4d07dbbc1e6e7dbd036f850d2f734439f990d24356630
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F7012672214705ABE3318E659881F5AFBE8FB89370F25061DE58483280EA70A945CAB4

Function 002BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 04e08bfec3ce9cebd5c5b45508e23641068da055b3468e28706671c89a219a72
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D8F0F432530E149ADA313E698C05FDA379C9F523B4F110719F921921D2DF7098258EA6

Function 002C4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00291129,00000000,?,002C2E29,00000001,00000364,?,?,?,002BF2DE,002C3863,00361444,?,002AFDF5,?), ref: 002C4CBE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f06b3d40b29425d9ab20fbfe29bff6648f77d5a84131a56186c4726c51fc4e67
Instruction ID: 945722d7c91b9f2e6ee8f9428027edeb893b133d25395749055111597fab0af3
Opcode Fuzzy Hash: f06b3d40b29425d9ab20fbfe29bff6648f77d5a84131a56186c4726c51fc4e67
Instruction Fuzzy Hash: 21F0B43163262566DB217F629C15F9B3788AF417F1B14431BFC15A62B1CA70DA3186E0

Function 002C3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6,?,00291129), ref: 002C3852

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bf90e0c77767026b9dc7279be56e0751b39eadf37904439b0d13a7458a7aecec
Instruction ID: 52f22f583ff765d38cb1ab5d790c413f9cc2bf0e1895e6ec5c32f5eb7ce43cba
Opcode Fuzzy Hash: bf90e0c77767026b9dc7279be56e0751b39eadf37904439b0d13a7458a7aecec
Instruction Fuzzy Hash: 8DE0E53213422656E6316E669C01FDA3659AB427F0F158B29BC1592591CB60DD2189E0

Function 00294F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294F6D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3177df1c7b9d712fa50d17b972987c217309d5c4640f3632941507b456674ebc
Instruction ID: 3a06ac9668b8f0e4ddfb24ac0a830f64053971643bb9c4a5d1cf42bf16fddf52
Opcode Fuzzy Hash: 3177df1c7b9d712fa50d17b972987c217309d5c4640f3632941507b456674ebc
Instruction Fuzzy Hash: 2AF01571125753CFDF34AF64D494C66BBE4AF143293208A6EE1EA82A21C771A865DF10

Function 00322A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00322A66

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: af75b05b967cd48c0e745956ea4b8499f22c1cc14801736276bc84d9e174f05e
Instruction ID: 39c55341d1003e897977f9d8db0e431ab7529bc75073da27ba5f09967b749ede
Opcode Fuzzy Hash: af75b05b967cd48c0e745956ea4b8499f22c1cc14801736276bc84d9e174f05e
Instruction Fuzzy Hash: 56E04F3636112ABAC715EA30EC808FFB35CEB543D5B10453AAD1AD6950DF30999586A0

Function 002930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0029314E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 39b2bef86f0173e6874f60e286329f7dc78f7dbf39e71dcdfb9369aa8215a2e0
Instruction ID: 6bc051d26b1cc49dbc32065f6cec6dd10f468561426e45c105c4140c5f355f38
Opcode Fuzzy Hash: 39b2bef86f0173e6874f60e286329f7dc78f7dbf39e71dcdfb9369aa8215a2e0
Instruction Fuzzy Hash: 4CF0A7709243049FEB93DF24DC457DA7BFCA701708F1400E9E14996291D7B05798CF81

Function 00292DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00292DC4

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bedc8c610bc4c594ebc2fa3705c6460824f0061f7fa685866d6157246cf6821a
Instruction ID: c7d30a388b049a451fa5b2d6504cce26efd4c4df489b16f321e3ee5c68e5d002
Opcode Fuzzy Hash: bedc8c610bc4c594ebc2fa3705c6460824f0061f7fa685866d6157246cf6821a
Instruction Fuzzy Hash: C0E0CD726002245BCB219398DC05FDA77DDDFC8790F040075FD09E7248D960AD948950

Function 00292B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00293837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00293908

Part of subcall function 0029D730: GetInputState.USER32 ref: 0029D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00292B6B

Part of subcall function 002930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0029314E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b9a7f46d641170a7460bbe1df1e6bf481a23a60927ea610e4cf6a1e1566b1d22
Instruction ID: 1e3b9b221f34bb5caac891d8e0a19902bf7d8651648ff77d4fcda97d0fc7303e
Opcode Fuzzy Hash: b9a7f46d641170a7460bbe1df1e6bf481a23a60927ea610e4cf6a1e1566b1d22
Instruction Fuzzy Hash: A3E07D3132020407CE09FB7698225BDF39D9FD1351F80143EF14283163CF2445694B12

Function 002D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,002D0704,?,?,00000000,?,002D0704,00000000,0000000C), ref: 002D03B7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 675399fe3cd8eddbef796d05341bf5911eaab9617cb579469b340c574a464421
Instruction ID: c028277aa4816ae1e211623591a6a2e22c921bb0a5d981c82f3a6539754d716b
Opcode Fuzzy Hash: 675399fe3cd8eddbef796d05341bf5911eaab9617cb579469b340c574a464421
Instruction Fuzzy Hash: 35D06C3205010DBBDF128F84DD06EDA3BAAFB48714F014000BE1856020C732E832AB90

Function 00291CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00291CBC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9df96732d0556ff270bbab2acc8f6f2d0464d8a04cb399e6a8414ed5ed57d8e0
Instruction ID: c57fe1669cf40bba00de3618fbfb10f6b3226f7bdfd4e419af95bf742a3d7932
Opcode Fuzzy Hash: 9df96732d0556ff270bbab2acc8f6f2d0464d8a04cb399e6a8414ed5ed57d8e0
Instruction Fuzzy Hash: F1C09B352803049FF2274781BC4AF15775CA759B00F14C001F70A555E3C3E15410D650

Non-executed Functions

Function 00329576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0032961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0032965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0032969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003296C9
SendMessageW.USER32 ref: 003296F2
GetKeyState.USER32(00000011), ref: 0032978B
GetKeyState.USER32(00000009), ref: 00329798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003297AE
GetKeyState.USER32(00000010), ref: 003297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003297E9
SendMessageW.USER32 ref: 00329810
SendMessageW.USER32(?,00001030,?,00327E95), ref: 00329918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0032992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00329941
SetCapture.USER32(?), ref: 0032994A
ClientToScreen.USER32(?,?), ref: 003299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003299D6
ReleaseCapture.USER32 ref: 003299E1
GetCursorPos.USER32(?), ref: 00329A19
ScreenToClient.USER32(?,?), ref: 00329A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00329A80
SendMessageW.USER32 ref: 00329AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00329AEB
SendMessageW.USER32 ref: 00329B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00329B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00329B4A
GetCursorPos.USER32(?), ref: 00329B68
ScreenToClient.USER32(?,?), ref: 00329B75
GetParent.USER32(?), ref: 00329B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00329BFA
SendMessageW.USER32 ref: 00329C2B
ClientToScreen.USER32(?,?), ref: 00329C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00329CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00329CDE
SendMessageW.USER32 ref: 00329D01
ClientToScreen.USER32(?,?), ref: 00329D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00329D82

Part of subcall function 002A9944: GetWindowLongW.USER32(?,000000EB), ref: 002A9952

GetWindowLongW.USER32(?,000000F0), ref: 00329E05

Strings

p#6, xrefs: 00329990
@GUI_DRAGID, xrefs: 0032997D
F, xrefs: 00329D07

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#6
API String ID: 3429851547-615714836
Opcode ID: ae623ca829a30ac37b9ae1ffa40370763c72d21a3eeba71f65df7d0142444bed
Instruction ID: d24c099c9159a78f62c57df20f9b2a9bd8d3415a96a5538634886e5c141e66a6
Opcode Fuzzy Hash: ae623ca829a30ac37b9ae1ffa40370763c72d21a3eeba71f65df7d0142444bed
Instruction Fuzzy Hash: D342AE34204210AFDB22CF28DC44BAABBE9FF49720F15461EF699872A1D771D861CF91

Function 00324873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00324908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00324927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0032494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0032495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0032497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00324A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00324A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00324A7E
IsMenu.USER32(?), ref: 00324A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00324AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00324B20
GetWindowLongW.USER32(?,000000F0), ref: 00324B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00324BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00324C82
wsprintfW.USER32 ref: 00324CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00324CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00324CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00324D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00324D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00324D5A

Strings

%d/%02d/%02d, xrefs: 00324CA8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5c7d678ddcd70efbdd6bfc849a4eceb3cde3b7c6effc259727d951ee943afd9b
Instruction ID: 3d8265afd6e1bf9ffa6d3f5261477900250054b353e43636a0660c2624f6f0d9
Opcode Fuzzy Hash: 5c7d678ddcd70efbdd6bfc849a4eceb3cde3b7c6effc259727d951ee943afd9b
Instruction Fuzzy Hash: A4122431610224ABEB268F28ED49FAEBBF8EF85710F144119F915DB2E1DB749941CF50

Function 002AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002EF474
IsIconic.USER32(00000000), ref: 002EF47D
ShowWindow.USER32(00000000,00000009), ref: 002EF48A
SetForegroundWindow.USER32(00000000), ref: 002EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002EF4AA
GetCurrentThreadId.KERNEL32 ref: 002EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 002EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 002EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 002EF4DE
SetForegroundWindow.USER32(00000000), ref: 002EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 002EF4F6
keybd_event.USER32(00000012,00000000), ref: 002EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 002EF50B
keybd_event.USER32(00000012,00000000), ref: 002EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 002EF519
keybd_event.USER32(00000012,00000000), ref: 002EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 002EF528
keybd_event.USER32(00000012,00000000), ref: 002EF52D
SetForegroundWindow.USER32(00000000), ref: 002EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 002EF557

Strings

Shell_TrayWnd, xrefs: 002EF46F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e130a8f6f7ff831d246708e41da0ef3e9df38c8762ab93884531b4c3668f5d2b
Instruction ID: 2834f78c95bbfc0febc3ea3480150d7a1fc0ad62262bf69b0d8d72882661a4c3
Opcode Fuzzy Hash: e130a8f6f7ff831d246708e41da0ef3e9df38c8762ab93884531b4c3668f5d2b
Instruction Fuzzy Hash: 2F319A71AA02187FEB316FB65C49FBF7E6CEB44B50F501029F601F61D1C6B05D119AA0

Function 002F1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002F170D
Part of subcall function 002F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002F173A
Part of subcall function 002F16C3: GetLastError.KERNEL32 ref: 002F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 002F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002F12A8
CloseHandle.KERNEL32(?), ref: 002F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002F12D1
GetProcessWindowStation.USER32 ref: 002F12EA
SetProcessWindowStation.USER32(00000000), ref: 002F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002F1310

Part of subcall function 002F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002F11FC), ref: 002F10D4
Part of subcall function 002F10BF: CloseHandle.KERNEL32(?,?,002F11FC), ref: 002F10E9

Strings

winsta0, xrefs: 002F12CC
Z5, xrefs: 002F1392
, xrefs: 002F125A
default, xrefs: 002F130B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z5
API String ID: 22674027-2776224703
Opcode ID: 77c914cf721268e1451fa4565a4631dddc1cd22963fc9462bd6def9ab3a4a2a2
Instruction ID: 55ec2666941d2e32d9d3b1c62a63f9bd00a452a3a8049c73dbdd3acc3225ed6c
Opcode Fuzzy Hash: 77c914cf721268e1451fa4565a4631dddc1cd22963fc9462bd6def9ab3a4a2a2
Instruction Fuzzy Hash: 3D818A7192020AEBDF259FA4CD49FFEBBB9AF44740F144129FA11A61A0C7309965CB60

Function 002F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002F1114
Part of subcall function 002F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1120
Part of subcall function 002F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F112F
Part of subcall function 002F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1136
Part of subcall function 002F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002F0C00
GetLengthSid.ADVAPI32(?), ref: 002F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 002F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002F0C6D
GetLengthSid.ADVAPI32(?), ref: 002F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002F0C8C
HeapAlloc.KERNEL32(00000000), ref: 002F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002F0CB4
CopySid.ADVAPI32(00000000), ref: 002F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0D45
HeapFree.KERNEL32(00000000), ref: 002F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0D55
HeapFree.KERNEL32(00000000), ref: 002F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0D65
HeapFree.KERNEL32(00000000), ref: 002F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 002F0D78
HeapFree.KERNEL32(00000000), ref: 002F0D7F

Part of subcall function 002F1193: GetProcessHeap.KERNEL32(00000008,002F0BB1,?,00000000,?,002F0BB1,?), ref: 002F11A1
Part of subcall function 002F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002F0BB1,?), ref: 002F11A8
Part of subcall function 002F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002F0BB1,?), ref: 002F11B7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 161bbf4e06826936d9cd883e0c315c16c0b75bb9c906b2c247ffd3370e217f32
Instruction ID: b5e7563a9ed91eccd7ae243d86dbe3758c69055349dfc2d47e44162cf1a9a832
Opcode Fuzzy Hash: 161bbf4e06826936d9cd883e0c315c16c0b75bb9c906b2c247ffd3370e217f32
Instruction Fuzzy Hash: 5A716D7191020AABDF21DFA4DC85FBEBBBDFF04740F048529EA14E6192D771A915CB60

Function 0030EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0032CC08), ref: 0030EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0030EB37
GetClipboardData.USER32(0000000D), ref: 0030EB43
CloseClipboard.USER32 ref: 0030EB4F
GlobalLock.KERNEL32(00000000), ref: 0030EB87
CloseClipboard.USER32 ref: 0030EB91
GlobalUnlock.KERNEL32(00000000), ref: 0030EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0030EBC9
GetClipboardData.USER32(00000001), ref: 0030EBD1
GlobalLock.KERNEL32(00000000), ref: 0030EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0030EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0030EC38
GetClipboardData.USER32(0000000F), ref: 0030EC44
GlobalLock.KERNEL32(00000000), ref: 0030EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0030EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0030EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0030ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0030ECF3
CountClipboardFormats.USER32 ref: 0030ED14
CloseClipboard.USER32 ref: 0030ED59

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d02b114c1e89aa9d2f3733ddd7acf44732c0596ce1c082b77a826a8ad558a55b
Instruction ID: 4a90d1335bea9eaa8ebac0a0c622151288209470b96e748c30be2e2e2bceeb68
Opcode Fuzzy Hash: d02b114c1e89aa9d2f3733ddd7acf44732c0596ce1c082b77a826a8ad558a55b
Instruction Fuzzy Hash: 4661DF352043019FD712EF24D8A5F2EB7A8EF88714F08595DF856972E1CB31E946CBA2

Function 0030698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003069BE
FindClose.KERNEL32(00000000), ref: 00306A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00306A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00306A75

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00306AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00306ADF

Strings

%03d, xrefs: 00306DA2
%02d, xrefs: 00306C00, 00306C0A, 00306C5A, 00306CAA, 00306CFA, 00306D4A
%4d, xrefs: 00306BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00306B32
%4d%02d%02d%02d%02d%02d, xrefs: 00306B6A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d93ca16442cba66c6cd2d31835775a7505935e96f9899d34da580731c7e24edf
Instruction ID: 156968e90863bb7c42d6157bc6a494616ef2292992d6bed05449fe0b37623f5d
Opcode Fuzzy Hash: d93ca16442cba66c6cd2d31835775a7505935e96f9899d34da580731c7e24edf
Instruction Fuzzy Hash: FDD161B2518300AFC710EBA4C996EAFB7ECAF88704F44491EF585C7191EB34DA54CB62

Function 00309642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00309663
GetFileAttributesW.KERNEL32(?), ref: 003096A1
SetFileAttributesW.KERNEL32(?,?), ref: 003096BB
FindNextFileW.KERNEL32(00000000,?), ref: 003096D3
FindClose.KERNEL32(00000000), ref: 003096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0030974A
SetCurrentDirectoryW.KERNEL32(00356B7C), ref: 00309768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00309772
FindClose.KERNEL32(00000000), ref: 0030977F
FindClose.KERNEL32(00000000), ref: 0030978F

Strings

*.*, xrefs: 003096F5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 9a1251d08290f078f121b59bc12805137cb3809f797abf31ed844b9954203efb
Instruction ID: 591c249fc9065f9b3c9e059a813e4afc7bfc51be8394f4b0156b416a4108c0cb
Opcode Fuzzy Hash: 9a1251d08290f078f121b59bc12805137cb3809f797abf31ed844b9954203efb
Instruction Fuzzy Hash: AB31E032552219AECF22EFB4EC19BDE77ACAF09320F10459AF905E21E1DB30DE458A50

Function 0030979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00309819
FindClose.KERNEL32(00000000), ref: 00309824
FindFirstFileW.KERNEL32(*.*,?), ref: 00309840
SetCurrentDirectoryW.KERNEL32(?), ref: 00309890
SetCurrentDirectoryW.KERNEL32(00356B7C), ref: 003098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003098B8
FindClose.KERNEL32(00000000), ref: 003098C5
FindClose.KERNEL32(00000000), ref: 003098D5

Part of subcall function 002FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002FDB00

Strings

*.*, xrefs: 0030983B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 79cfb84fc1a9e99f9f1c7b613767d6941377c0b3f5329491fb6f6f47368f0ef2
Instruction ID: 96aaf3082257e380458b2e2503d57283bee18689f47967363c3c9560d5a0b563
Opcode Fuzzy Hash: 79cfb84fc1a9e99f9f1c7b613767d6941377c0b3f5329491fb6f6f47368f0ef2
Instruction Fuzzy Hash: 3031E6325026196EDF22EFB4EC59BDE77AC9F06320F11856AE910A32E1DB30DD45CE60

Function 0031BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0031C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0031B6AE,?,?), ref: 0031C9B5
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031C9F1
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA68
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0031BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0031BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0031C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0031C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0031C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0031C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0031C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0031C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0031C382
RegCloseKey.ADVAPI32(00000000), ref: 0031C38F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: eb4b2deeff4953bfd2b7f32053daeb74399403c66f6cf583f1cbe9fa57fc6837
Instruction ID: 8a5e81c0af7784498b737691fcc4c60f1bcb47f38d326d6180d4f40a0e96fc4f
Opcode Fuzzy Hash: eb4b2deeff4953bfd2b7f32053daeb74399403c66f6cf583f1cbe9fa57fc6837
Instruction Fuzzy Hash: BA024D716142009FDB19CF28C895E6ABBE5AF49314F19C89DF84ACB2A2D731EC46CF51

Function 00308195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00308257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00308267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00308273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00308310
SetCurrentDirectoryW.KERNEL32(?), ref: 00308324
SetCurrentDirectoryW.KERNEL32(?), ref: 00308356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0030838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00308395

Strings

*.*, xrefs: 0030839B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4b3c989bef8364476645fdcb568e6d171f0c93bb45a0c6a435aa285eb5453369
Instruction ID: 6aa1a68b04a1964cad261c2d67644d5956d1ab944c89350ccea1e2dc57434c02
Opcode Fuzzy Hash: 4b3c989bef8364476645fdcb568e6d171f0c93bb45a0c6a435aa285eb5453369
Instruction Fuzzy Hash: A6616A765183059FCB11EF64C8509AEB3E8FF89310F04892EF98987261EB31E955CF92

Function 002FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00293AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00293A97,?,?,00292E7F,?,?,?,00000000), ref: 00293AC2

Part of subcall function 002FE199: GetFileAttributesW.KERNEL32(?,002FCF95), ref: 002FE19A

FindFirstFileW.KERNEL32(?,?), ref: 002FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 002FD1DD
MoveFileW.KERNEL32(?,?), ref: 002FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 002FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 002FD237

Part of subcall function 002FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002FD21C,?,?), ref: 002FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 002FD253
FindClose.KERNEL32(00000000), ref: 002FD264

Strings

\*.*, xrefs: 002FD0CD, 002FD0D6, 002FD0EB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d3a252aeb997c669889c3cd5e3d004ccaaae0f7294e4d0665d92c9686baaaffa
Instruction ID: 437c15ecd0068113ae1c00c35c6b92fe8eeb9bbdb3c78a3bf9cf61f86a70a3e3
Opcode Fuzzy Hash: d3a252aeb997c669889c3cd5e3d004ccaaae0f7294e4d0665d92c9686baaaffa
Instruction Fuzzy Hash: 0C617D3182120D9BCF05EFA4CA929FDB77AAF15340F204169E90677192EB316F59CFA1

Function 0030ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0030ED91
EmptyClipboard.USER32 ref: 0030ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0030EDAC
CloseClipboard.USER32 ref: 0030EEA3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: dc368efd6842b0cc471d733819d377214a2d36479de2b57f368f0782a3169e9a
Instruction ID: 273c5b21ddc0d00cbfa7dc29d6bb3318260bca05dd9cece5685f8316477d133a
Opcode Fuzzy Hash: dc368efd6842b0cc471d733819d377214a2d36479de2b57f368f0782a3169e9a
Instruction Fuzzy Hash: DD41DD35215611AFD722CF15D898B19BBE9EF44318F19C49DE41A8BAA2C731FC42CBC0

Function 002FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002F170D
Part of subcall function 002F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002F173A
Part of subcall function 002F16C3: GetLastError.KERNEL32 ref: 002F174A

ExitWindowsEx.USER32(?,00000000), ref: 002FE932

Strings

, xrefs: 002FE95C
@, xrefs: 002FE925
SeShutdownPrivilege, xrefs: 002FE902
, xrefs: 002FE920

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 184fcad2be8fb7d25c1fc4db7c692835da5163c7eb2b9e317733f9d031a273a1
Instruction ID: bb6430180c3513ebed9e72d59f4786a33edced1f834a6b46a70b3ddd0a7d5505
Opcode Fuzzy Hash: 184fcad2be8fb7d25c1fc4db7c692835da5163c7eb2b9e317733f9d031a273a1
Instruction Fuzzy Hash: FC01F772630219ABEF252A749C86FBEB25C9B047C1F160535FE02E21E1D5E05C6085A0

Function 00311204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00311276
WSAGetLastError.WSOCK32 ref: 00311283
bind.WSOCK32(00000000,?,00000010), ref: 003112BA
WSAGetLastError.WSOCK32 ref: 003112C5
closesocket.WSOCK32(00000000), ref: 003112F4
listen.WSOCK32(00000000,00000005), ref: 00311303
WSAGetLastError.WSOCK32 ref: 0031130D
closesocket.WSOCK32(00000000), ref: 0031133C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: e40d69997aeea0d8925c65861dc81d3989831bb5934e149a7ffaa2f56be8e0aa
Instruction ID: 2c5379a6c3184c996dd2a6d5c88935c15469d4e322be1bc8c4f5cc85c3040ba4
Opcode Fuzzy Hash: e40d69997aeea0d8925c65861dc81d3989831bb5934e149a7ffaa2f56be8e0aa
Instruction Fuzzy Hash: FF41B3356001409FD725DF24C484BA9BBE5AF4A318F19848CD9568F2E6C771ECC2CBE1

Function 002CB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002CB9D4
_free.LIBCMT ref: 002CB9F8
_free.LIBCMT ref: 002CBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00333700), ref: 002CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0036121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00361270,000000FF,?,0000003F,00000000,?), ref: 002CBC36
_free.LIBCMT ref: 002CBD4B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4158417ddfc841e80b637a220b196afd2287c569b00d31d12ab708548bb30b48
Instruction ID: 2d41a78109166ce80c71d7dbd6034ecc60f29ecd015393ae30a0d61d5e1d36e3
Opcode Fuzzy Hash: 4158417ddfc841e80b637a220b196afd2287c569b00d31d12ab708548bb30b48
Instruction Fuzzy Hash: 5FC128719242469FCB22DF788C52FAA7BB8EF41310F18479EE490D7251DB709E21CB50

Function 002FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00293AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00293A97,?,?,00292E7F,?,?,?,00000000), ref: 00293AC2

Part of subcall function 002FE199: GetFileAttributesW.KERNEL32(?,002FCF95), ref: 002FE19A

FindFirstFileW.KERNEL32(?,?), ref: 002FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 002FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 002FD481
FindClose.KERNEL32(00000000), ref: 002FD498
FindClose.KERNEL32(00000000), ref: 002FD4A1

Strings

\*.*, xrefs: 002FD3F2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 01695b4ee2abb6df8c717694c62567d52700622bd3723739ccf571703edd576f
Instruction ID: 1b6ba967fbfbaa6f4813f8c267bb95552972f43e214d0b73630b14e09edd4966
Opcode Fuzzy Hash: 01695b4ee2abb6df8c717694c62567d52700622bd3723739ccf571703edd576f
Instruction Fuzzy Hash: EE31A2310283459BC711EF64D8518BFB7E8BEA1354F404E2DF5D593191EB30AA19DBA3

Function 002CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002CE645

Strings

1#SNAN, xrefs: 002CF844
1#INF, xrefs: 002CF852
1#QNAN, xrefs: 002CF84B
1#IND, xrefs: 002CF83D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5834db453391bbc2f3aa68c440aad6148ddd5096e7ec1359577e180963af6a95
Instruction ID: a1ac2871eddae808fe55e8dc008b317f5ec453e3bc098c0de078e6f4397b1bfd
Opcode Fuzzy Hash: 5834db453391bbc2f3aa68c440aad6148ddd5096e7ec1359577e180963af6a95
Instruction Fuzzy Hash: BFC23A72E246298FDF65CE289D40BEAB7B6EB44344F1542EED40DE7240E774AE918F40

Function 0030648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003064DC
CoInitialize.OLE32(00000000), ref: 00306639
CoCreateInstance.OLE32(0032FCF8,00000000,00000001,0032FB68,?), ref: 00306650
CoUninitialize.OLE32 ref: 003068D4

Strings

.lnk, xrefs: 003064BA, 00306524, 003065E0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 57fb2e653b833b0f588549d72ad184dcf147f5dbc8d9a50d890d2720a81d5a17
Instruction ID: b4501e9e8b573d0b041bbc041e514821f1f0ad6af9964a62d0265bf106a2cc00
Opcode Fuzzy Hash: 57fb2e653b833b0f588549d72ad184dcf147f5dbc8d9a50d890d2720a81d5a17
Instruction Fuzzy Hash: D1D17A715182019FC705EF24C891E6BB7E8FF99304F10496DF5958B2A1EB30ED59CBA2

Function 003122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003122E8

Part of subcall function 0030E4EC: GetWindowRect.USER32(?,?), ref: 0030E504

GetDesktopWindow.USER32 ref: 00312312
GetWindowRect.USER32(00000000), ref: 00312319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00312355
GetCursorPos.USER32(?), ref: 00312381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003123DF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c4b3568522cefe9db3377294ac0a6924a72004e595f89c3d1aaabb1ba6339f97
Instruction ID: 80c7a24c6f2430a953baa63f0e3027f7df72d98e22c06d1025dc1198b73a0456
Opcode Fuzzy Hash: c4b3568522cefe9db3377294ac0a6924a72004e595f89c3d1aaabb1ba6339f97
Instruction Fuzzy Hash: 25310072104305AFCB26DF14C849BABBBADFF88310F00091DF99497191DB34EA59CB92

Function 00309B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00309B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00309C8B

Part of subcall function 00303874: GetInputState.USER32 ref: 003038CB
Part of subcall function 00303874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00303966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00309BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00309C75

Strings

*.*, xrefs: 00309B5D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 765b087ee2a95f56bc40a068d041dccf9efddc99e3a0db2a1ff66c9cd2a056ec
Instruction ID: b1a063ace1ba6c61ad6e0b7e0af55cab635cc4c65b71fd717e93cc95bb06dc70
Opcode Fuzzy Hash: 765b087ee2a95f56bc40a068d041dccf9efddc99e3a0db2a1ff66c9cd2a056ec
Instruction Fuzzy Hash: BB417171D0120A9FDF16DF64C855BEE7BB8EF05310F24419AE805A61D2EB309E95CFA0

Function 002A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002A9A4E
GetSysColor.USER32(0000000F), ref: 002A9B23
SetBkColor.GDI32(?,00000000), ref: 002A9B36

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: d3afe7d6b559630d62f099b5e89c837ceaed30c03fc461217e58106ae29ec3a8
Instruction ID: 68cc143478f25473c3eacf806bbaf323f794666e02546d58005db40784adab99
Opcode Fuzzy Hash: d3afe7d6b559630d62f099b5e89c837ceaed30c03fc461217e58106ae29ec3a8
Instruction Fuzzy Hash: 58A16A70178591BFE729EE3F9C48E7B269DDB83304F14410AF502CA596CE619DB1D272

Function 00311806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0031304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0031307A
Part of subcall function 0031304E: _wcslen.LIBCMT ref: 0031309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0031185D
WSAGetLastError.WSOCK32 ref: 00311884
bind.WSOCK32(00000000,?,00000010), ref: 003118DB
WSAGetLastError.WSOCK32 ref: 003118E6
closesocket.WSOCK32(00000000), ref: 00311915

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 302552fe3027f98f88c31468f68adcb85fbefe6744193d7948784f06dbca8894
Instruction ID: cd7d90441412d9e4f0b4dd7ee6de4ef5ba8e8230b983c83d09980159101cea15
Opcode Fuzzy Hash: 302552fe3027f98f88c31468f68adcb85fbefe6744193d7948784f06dbca8894
Instruction Fuzzy Hash: FD51E571A102009FDB11AF24C886FAA77E5AB49718F54C05CF9155F3D3D771AD418BE1

Function 00321C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00321CC0
IsWindowEnabled.USER32 ref: 00321CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00321CDB
IsIconic.USER32 ref: 00321CE9
IsZoomed.USER32 ref: 00321CF7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 454f0bed9588da7d56663ad3cbc1d53cab7bb9f74d5b1fe00f8bdadb45ced393
Instruction ID: dd9d35bf0de1d0a28fd8eee629b02e067c1695f8bee969039e3b9186ead21f41
Opcode Fuzzy Hash: 454f0bed9588da7d56663ad3cbc1d53cab7bb9f74d5b1fe00f8bdadb45ced393
Instruction Fuzzy Hash: CF21D6357402305FD7228F1AE844B6A7BA9EFA5314F1A806CE8458B351CB71EC42CB90

Function 00298060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0029813C
VUUU, xrefs: 0029843C
VUUU, xrefs: 002983E8
VUUU, xrefs: 002983FA
VUUU, xrefs: 002D5DF0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9b430fd5b118890b9a71340b343e8f812f72383f38d5c7c20628424ffd2bda94
Instruction ID: 60394f8d4a2ae2243f5fa1546bf0ce8b54a73b064e7b7d962f4100c034b02f84
Opcode Fuzzy Hash: 9b430fd5b118890b9a71340b343e8f812f72383f38d5c7c20628424ffd2bda94
Instruction Fuzzy Hash: 19A29371E2062ACBDF24CF58C8447ADB7B1BF55314F2881AAE815AB385DB709DA1CF50

Function 002F8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002F82AA

Strings

tb5, xrefs: 002F84F4
(, xrefs: 002F82F0
|, xrefs: 002F82DA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb5$|
API String ID: 1659193697-3934612968
Opcode ID: d9261d6b3545ebb18e04d1bb48501d446a6c54ffc528f74395478e37423b23c5
Instruction ID: 4575d361f0811e6279518dc728916e28a15a208e959ba59279046836328eb2ca
Opcode Fuzzy Hash: d9261d6b3545ebb18e04d1bb48501d446a6c54ffc528f74395478e37423b23c5
Instruction Fuzzy Hash: B8324775A1060A9FCB28CF59C081A6AF7F0FF48750B11C56EE59ADB3A1EB70E951CB40

Function 002FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 002FAAAC
SetKeyboardState.USER32(00000080), ref: 002FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 002FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 002FAB88

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ff8ee0957df7bf513aa0161325fe304909d4674c4dfaecfff2ab629f6e8849dd
Instruction ID: 8ec8596e08832535156cd2bc97b3786c0229a5cfd672a08d4bb9b0cac558e9a9
Opcode Fuzzy Hash: ff8ee0957df7bf513aa0161325fe304909d4674c4dfaecfff2ab629f6e8849dd
Instruction Fuzzy Hash: 7C311AB0A6020DAEFB358F64CC05BFAF7AAAB54354F04422AF689561D0D37489A5C762

Function 0030CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0030CE89
GetLastError.KERNEL32(?,00000000), ref: 0030CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0030CEFE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 27b796459045d46e78d3aa68c31457fbf8ba3a30b56a1a8fa8f847f90e45ea45
Instruction ID: 09026a082c7b131b38fced99fec01c9624529ece3e93ae942c83077cd7b5282b
Opcode Fuzzy Hash: 27b796459045d46e78d3aa68c31457fbf8ba3a30b56a1a8fa8f847f90e45ea45
Instruction Fuzzy Hash: 4F21EDB15217059BDB32CF65C998BAB77FCEB00355F205A2EE646D2191E730EE05CB50

Function 00305C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00305CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00305D17
FindClose.KERNEL32(?), ref: 00305D5F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0d300aa4f4ea6db5c5c27c27b568f5bbb3854e7a2847ef2e9f436a365c58d96f
Instruction ID: 3b5f51c584f226ea78b1757765844f7292a3173d77e06b4a3bdce6701173dae0
Opcode Fuzzy Hash: 0d300aa4f4ea6db5c5c27c27b568f5bbb3854e7a2847ef2e9f436a365c58d96f
Instruction Fuzzy Hash: E851A835604A019FC715DF28C4A4E9AB7E4FF09324F14855EE99A8B3A2DB30EC05CF91

Function 002C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 002C2731

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 943a6bf52d06df73de2cdecdd3d2de955d0276afaecdbc8087a7a3575ba5b2e0
Instruction ID: e4f847d3ce4d046ea3c2c2ebbd546bfa600288f2a000e72334014255d03ac36d
Opcode Fuzzy Hash: 943a6bf52d06df73de2cdecdd3d2de955d0276afaecdbc8087a7a3575ba5b2e0
Instruction Fuzzy Hash: 3131C4749113189BCB22DF64DC88BDDB7B8AF08350F5046EAE41CA7261EB349F958F44

Function 003051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00305238
SetErrorMode.KERNEL32(00000000), ref: 003052A1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: eaf7ca77a63c55a466b6e9256848aa7ececafdedaddc2b3c78acab10c1b341e6
Instruction ID: a695a2fc7d837d559c8edec6bc6b38d5309ba7e88b8c000ac5ba7e9a83b1e0f3
Opcode Fuzzy Hash: eaf7ca77a63c55a466b6e9256848aa7ececafdedaddc2b3c78acab10c1b341e6
Instruction Fuzzy Hash: E1318E35A10608DFDB01DF54D895EAEBBB8FF08314F058499E805AB3A2DB31E856CF90

Function 002F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002B0668
Part of subcall function 002AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002F173A
GetLastError.KERNEL32 ref: 002F174A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e60d680269cc1adaf08d6194722d19f34529daa4758296a1647d3e588f172466
Instruction ID: 57416acd80f56249e7e72475efd0cf2ea1c63906ce9377b94298414334ff571b
Opcode Fuzzy Hash: e60d680269cc1adaf08d6194722d19f34529daa4758296a1647d3e588f172466
Instruction Fuzzy Hash: 8411C1B2420309EFE728AF54DC86D6AB7BDFB05754B20852EE05653241EB70FC62CE60

Function 002FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002FD650

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3f7eb037e56445ffe818e743df54c33aa5c34573856e410206a513b63266df74
Instruction ID: 9648248ea618fb4c5a8e766f4a251974c0462350098829b1b4969953e531ee7f
Opcode Fuzzy Hash: 3f7eb037e56445ffe818e743df54c33aa5c34573856e410206a513b63266df74
Instruction Fuzzy Hash: 1B11A175E01228BFDB218F94EC45FAFBFBCEB45B60F108125F904E7290C6704A018BA1

Function 002F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002F16A1
FreeSid.ADVAPI32(?), ref: 002F16B1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3746bf611e86ae7f7ddc21c98948f7f0c86be209957f504922316683f267d126
Instruction ID: fce6425a40555c216e2de765d520149a174f5618745921dbd1cbe7a5ff44c8a6
Opcode Fuzzy Hash: 3746bf611e86ae7f7ddc21c98948f7f0c86be209957f504922316683f267d126
Instruction Fuzzy Hash: 9EF0F47196030DFBDB00DFE49C89EAEBBBCFB08744F508565E501E2181E774EA448A54

Function 002CC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 002CC36C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: b3e0664c809ae60b4879f18b6252bb7c5e04c25887e063512fc0ca6499f96fd6
Instruction ID: b28a8848a4fe3c67d30e42678b547d648bb8a10bf4605a58a1cf94d4ef49d6a1
Opcode Fuzzy Hash: b3e0664c809ae60b4879f18b6252bb7c5e04c25887e063512fc0ca6499f96fd6
Instruction Fuzzy Hash: 2D413872910259AFCB249FB9DC48EAB77B8EB84354F2043ADF909C7180E6719D51CB50

Function 002ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 002ED28C

Strings

X64, xrefs: 002ED2A8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0b450dbd9c8b94a7a5483456a3554429410261c5682b64544486a36edf67f618
Instruction ID: c8f52b85665a9034baceb78c126759aaa8d16bed5b3d6a2aa4b1e97b605d3413
Opcode Fuzzy Hash: 0b450dbd9c8b94a7a5483456a3554429410261c5682b64544486a36edf67f618
Instruction Fuzzy Hash: 48D0CAB482512DEBCFA0CBA0EC88DDEB3BCBB04305F104296F606A2000DBB096498F20

Function 002BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b4a7cc07b33c45516e3b3149c90d87c0f1509228ed107ffc52afa852f20d3d0c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 4E022D71E1011A9BDF14CFA9C8806EEFBF5EF48354F25816AD819EB384D730AD518B90

Function 0029CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 002E0C40
p#6, xrefs: 0029CF7F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#6
API String ID: 0-2657690292
Opcode ID: 85a3ce8c0e505232f0ed6f583cb11817cc52e9b7e1babc1df1f7c2151c3ff642
Instruction ID: 24d5f42cc63581f38d423bfbd2712ede261439c828d803cf7d92df83a9b3e0cd
Opcode Fuzzy Hash: 85a3ce8c0e505232f0ed6f583cb11817cc52e9b7e1babc1df1f7c2151c3ff642
Instruction Fuzzy Hash: 7132B070930219DBCF14DF90C994AEDB7B5FF05304F64406AE806AB292D7B5AE66CF60

Function 003068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00306918
FindClose.KERNEL32(00000000), ref: 00306961

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2630fbfc10bcc42ff9b367525fb4c70710ede0f5b7173c6162a742d9da8b1982
Instruction ID: 670d0c33a29468d850db61ca0960a76b1a1608fc82dea44766f6ba454f178117
Opcode Fuzzy Hash: 2630fbfc10bcc42ff9b367525fb4c70710ede0f5b7173c6162a742d9da8b1982
Instruction Fuzzy Hash: 6D11D0316142009FCB10CF29C485A1ABBE4FF84328F15C69DF4698FAA2CB30EC05CB90

Function 003037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00314891,?,?,00000035,?), ref: 003037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00314891,?,?,00000035,?), ref: 003037F4

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2e4e684a688867aafd72f283df79db9fd7c6f8317eb4906f99cd894d2a49032f
Instruction ID: 804aae0edbedfc22e4c419403132fa20d482cc1e2bcca60ff36e16dca0fe6905
Opcode Fuzzy Hash: 2e4e684a688867aafd72f283df79db9fd7c6f8317eb4906f99cd894d2a49032f
Instruction Fuzzy Hash: F7F0EC706153146AEB3157659C4DFDB365DEFC8771F000169F505D22C1D9605D44C6B0

Function 002FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002FB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 002FB270

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8325c853794b0be51c2f14891c3519e7e9e21ac1fec294136c02621546f537e1
Instruction ID: b9f1e331b00cf43ac5933e115aea274198d71cef4f1deaee882cdaa729ceb35f
Opcode Fuzzy Hash: 8325c853794b0be51c2f14891c3519e7e9e21ac1fec294136c02621546f537e1
Instruction Fuzzy Hash: 2FF06D7081424EABDF168FA0C805BBEBBB4FF04305F108019F951A5192C379C6119F94

Function 002F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002F11FC), ref: 002F10D4
CloseHandle.KERNEL32(?,?,002F11FC), ref: 002F10E9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: db10b8691d0e989e22205aaa3febe88cc11bbd197000750d81a1a7d50219a918
Instruction ID: 7d3b627788f5ee76ef1f71a979cd39686eeae1399d1124c80f2b086f1bad99c0
Opcode Fuzzy Hash: db10b8691d0e989e22205aaa3febe88cc11bbd197000750d81a1a7d50219a918
Instruction Fuzzy Hash: 80E01A32024600AFE7662B61FD05E7777A9EB04320F20882DB5A5804B1DA62ACA1DB54

Function 002C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002C6766,?,?,00000008,?,?,002CFEFE,00000000), ref: 002C6998

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 326be09cf1785aad5181d08d03420a6915a0351f904bda3dda52b209e3f8a161
Instruction ID: 1dacb00be8e52d4b9d5e4fa33c13b7db170123210077a2790791be6db559b974
Opcode Fuzzy Hash: 326be09cf1785aad5181d08d03420a6915a0351f904bda3dda52b209e3f8a161
Instruction Fuzzy Hash: DAB128316206099FD715CF28C48AB657BA0FF45364F25875CE89ACF2A2C335E9A5CB40

Function 002AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 002E851F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dbda7978041a84c730662a8b5b5c2b0e508bc5bf398967a7d20e486f57fb390d
Instruction ID: 1ec062609a1ec1de6c676172f8d6d603226614c43fb67ffd6dba818a341b3862
Opcode Fuzzy Hash: dbda7978041a84c730662a8b5b5c2b0e508bc5bf398967a7d20e486f57fb390d
Instruction Fuzzy Hash: F8128F75D202299FCB15CF59C8906EEB7B5FF49310F50819AE849EB242EB709E91CF90

Function 0030EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0030EABD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3ba05551eb1f070cf7d5ecc8406214af819933c1c88d2f318dab807dcbbd5b24
Instruction ID: c0f263a2b37518a473ef32649f16dd853c7f0173181780c46fa3fb5bb5e47ca5
Opcode Fuzzy Hash: 3ba05551eb1f070cf7d5ecc8406214af819933c1c88d2f318dab807dcbbd5b24
Instruction Fuzzy Hash: F4E04F323202049FC711EF69D814E9AF7EDAF98760F01841AFC49C73A1DB70E8418BA0

Function 002B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002B03EE), ref: 002B09DA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 35aeef99629e5b1252cfe0e2791bf85f1496c1fc94197ecf6facc5b0922f3ec9
Instruction ID: e75bbda58f16263775c7957c5f2dace0c44ceb5f29242262706f2f8a72d1d078
Opcode Fuzzy Hash: 35aeef99629e5b1252cfe0e2791bf85f1496c1fc94197ecf6facc5b0922f3ec9
Instruction Fuzzy Hash:

Function 002B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 002B798B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 52b513d07cbc8c57825a84feec6ff82cca8f42d3497100b9e8ef54df2b63169b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8651997163CB075BDB388D78885E7FE23999BC23C0F180919D886D7282CA55EE71E752

Function 00302046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&6, xrefs: 00302053

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: 0&6
API String ID: 0-3612224063
Opcode ID: 9499de7c88fdf5971fae966f0d0efe0d3acd438c8e422f2d129715ee269a72c1
Instruction ID: 0a2a87e2e347e12ed261a557ef2b2a6c0081d23f375b531947c6415a5c928d00
Opcode Fuzzy Hash: 9499de7c88fdf5971fae966f0d0efe0d3acd438c8e422f2d129715ee269a72c1
Instruction Fuzzy Hash: FC21A5326216118BDB29CE79C82767B73E9A754310F15862EE4A7C77D0DE75A904CB80

Function 002C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83119085f3946dd519417b409e405caff63d6c4709f89932635c6a89829d5697
Instruction ID: 767e4a8cc0f054a7788a7594d6104c2627ae8c27638490ae44ba6ea09d1c5b49
Opcode Fuzzy Hash: 83119085f3946dd519417b409e405caff63d6c4709f89932635c6a89829d5697
Instruction Fuzzy Hash: 39323132D39F014DD7239A34D862336A64DAFB73D5F14D33BE82AB59A5EB29C4834500

Function 002ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da78b631b5c875e9fd686ab85b00569ea696972523e68d78c63d5a6026df222
Instruction ID: c9c6d5bb8fd26a6a56e1e78d019be96257057b421eac9a5ada7f45da73d079d6
Opcode Fuzzy Hash: 3da78b631b5c875e9fd686ab85b00569ea696972523e68d78c63d5a6026df222
Instruction Fuzzy Hash: F2323C31A741868BCF28CFAAC49067D77A2EB46314FB8456BD459CB3A1D630DDA3DB40

Function 00297920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c441ff0281385b232e6dfa46e850976ba9de9fcab4cd3dd743277f4d151e26b8
Instruction ID: 26e9c3ce1a3f4eab99710f3a2b7a034af484f11e9cc9bc7eb8e641b2755a8ab4
Opcode Fuzzy Hash: c441ff0281385b232e6dfa46e850976ba9de9fcab4cd3dd743277f4d151e26b8
Instruction Fuzzy Hash: AE22B070A2061ADFDF14CFA4D981AAEB3F5FF44304F10452AE816A7391EB75AD64CB50

Function 002991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c964a5a0de10c523a3ad51cfbbcc08b309b3aaa0c55f8b8b6f3c0dc869c91503
Instruction ID: 4b6c8e9137bee4c6404c372f3f56922e7a0b6c4e0712745876ca2deeffb2f4e6
Opcode Fuzzy Hash: c964a5a0de10c523a3ad51cfbbcc08b309b3aaa0c55f8b8b6f3c0dc869c91503
Instruction Fuzzy Hash: 2B02B4B0A20206EBDF05DF54D981AADB7B5FF44344F11816AE8069B390EB75AE70CF91

Function 002C9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfa8584d1f25981ebf3b152873cb2588b46458d64ac38a65498c39c979853bd
Instruction ID: 40f99d90353abf8b7d47ecdecff4672ef2490a2c8e8e42f97411a212ef141ace
Opcode Fuzzy Hash: fcfa8584d1f25981ebf3b152873cb2588b46458d64ac38a65498c39c979853bd
Instruction Fuzzy Hash: F0B10224E2AF414DD32396398871336B75CAFBB6E5F91D71BFC2674D22EB2286834140

Function 002B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 392b5db992ccb33e9c9bc22bd4135ca5c442f2f7f7ddafabbb9d80368c54f63b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 939188721280E34ADB2D4A3E85740BEFFE15A923E135A079ED4F2CA1C5FE24D974D620

Function 002B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2b5c229f5a82870001d8525ecbdc54f624c921eaa70d57615ac8e35951d0ab55
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 4291B5322290E34EDB2D4A7A85740BEFFE15A923E135A079ED4F2CA1C5FE14D574D620

Function 002B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5eb7c7c7de849bddbabaaaa76059ab5e4a5b0e9cc81fbad33912da025170e9
Instruction ID: 4faf05cb94aaa6c5b2506116cc9bf209c0af4c6e228136af5bdf38d1d5b66261
Opcode Fuzzy Hash: 0b5eb7c7c7de849bddbabaaaa76059ab5e4a5b0e9cc81fbad33912da025170e9
Instruction Fuzzy Hash: 7D61797123870B66DE749D288C95BFE2398DFC17C8F14091EE942DB2C1DA519E72CB15

Function 002B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37aa404c656a583fd6f7678d84c65609923d69d335afed156d2da829ebe15389
Instruction ID: 185dc03b56ca8791cb3e757325aa89266cfec63673d5d08adf98b5636f0c2842
Opcode Fuzzy Hash: 37aa404c656a583fd6f7678d84c65609923d69d335afed156d2da829ebe15389
Instruction Fuzzy Hash: 7A61773123870B56DA384E2888A5BFE2398DFC27C0F140959E983DF681DB62ED72C755

Function 002B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 938ff434bb5edcd02cb1a7241d7016bef90679fd3d0b7e6bb2699d1d207d74be
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 4E8178335290E349EB6D4A3985344BEFFE16A923E135A079DD4F2CB1C1EE14D574E620

Function 002AD064 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1f079c23ba94735dacb82d67a4d8d02802de9894537dd7a69d6d637ac59fe2
Instruction ID: 2ae0f58a6b90661e177563d8f312fae4c1fd1805fdbc8ed3cd15574ac21ed94d
Opcode Fuzzy Hash: 4b1f079c23ba94735dacb82d67a4d8d02802de9894537dd7a69d6d637ac59fe2
Instruction Fuzzy Hash: A15136A684FBC25FD7274B348CBA144FFB0AE6B5103284ADFC4C14A1C7E6990199CB5A

Function 00312ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00312B30
DeleteObject.GDI32(00000000), ref: 00312B43
DestroyWindow.USER32 ref: 00312B52
GetDesktopWindow.USER32 ref: 00312B6D
GetWindowRect.USER32(00000000), ref: 00312B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00312CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00312CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312CF8
GetClientRect.USER32(00000000,?), ref: 00312D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00312D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312D80
GlobalLock.KERNEL32(00000000), ref: 00312D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312D98
GlobalUnlock.KERNEL32(00000000), ref: 00312DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312DA8
GlobalFree.KERNEL32(00000000), ref: 00312DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0032FC38,00000000), ref: 00312DDB
GlobalFree.KERNEL32(00000000), ref: 00312DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00312E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00312E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00312E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0031303F

Strings

AutoIt v3, xrefs: 00312CF2
, xrefs: 00312FC5
static, xrefs: 00312D3A, 00312E91
DISPLAY, xrefs: 00312EA2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3b10d9b853beaf08905fcc9d6060c8fb6e1941d69251f27dc69f9a9f52458b1b
Instruction ID: 3893fa725d041ff1ab77f9eb51e2a284836d4b498c854b24506751fbb493dfd3
Opcode Fuzzy Hash: 3b10d9b853beaf08905fcc9d6060c8fb6e1941d69251f27dc69f9a9f52458b1b
Instruction Fuzzy Hash: B4026975910204EFDB26DF64CD89EAE7BB9EF48310F148518F915AB2A1CB70AD51CFA0

Function 003270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0032712F
GetSysColorBrush.USER32(0000000F), ref: 00327160
GetSysColor.USER32(0000000F), ref: 0032716C
SetBkColor.GDI32(?,000000FF), ref: 00327186
SelectObject.GDI32(?,?), ref: 00327195
InflateRect.USER32(?,000000FF,000000FF), ref: 003271C0
GetSysColor.USER32(00000010), ref: 003271C8
CreateSolidBrush.GDI32(00000000), ref: 003271CF
FrameRect.USER32(?,?,00000000), ref: 003271DE
DeleteObject.GDI32(00000000), ref: 003271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00327230
FillRect.USER32(?,?,?), ref: 00327262
GetWindowLongW.USER32(?,000000F0), ref: 00327284

Part of subcall function 003273E8: GetSysColor.USER32(00000012), ref: 00327421
Part of subcall function 003273E8: SetTextColor.GDI32(?,?), ref: 00327425
Part of subcall function 003273E8: GetSysColorBrush.USER32(0000000F), ref: 0032743B
Part of subcall function 003273E8: GetSysColor.USER32(0000000F), ref: 00327446
Part of subcall function 003273E8: GetSysColor.USER32(00000011), ref: 00327463
Part of subcall function 003273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00327471
Part of subcall function 003273E8: SelectObject.GDI32(?,00000000), ref: 00327482
Part of subcall function 003273E8: SetBkColor.GDI32(?,00000000), ref: 0032748B
Part of subcall function 003273E8: SelectObject.GDI32(?,?), ref: 00327498
Part of subcall function 003273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003274B7
Part of subcall function 003273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003274CE
Part of subcall function 003273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003274DB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e281731d5ea749690db056ef90a3693c6df5559791bf2d52ff04c8631d021490
Instruction ID: 78089ea5b4ffa6bd76e7faae791cf42cdbb0527d54b6e8addbf5ba8c60bed13c
Opcode Fuzzy Hash: e281731d5ea749690db056ef90a3693c6df5559791bf2d52ff04c8631d021490
Instruction Fuzzy Hash: 13A1AE72018311EFDB229F60DC48A6F7BA9FF49320F101A1DFA62961E1D771E945CB92

Function 002A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 002E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002E6F43

Part of subcall function 002A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002A8BE8,?,00000000,?,?,?,?,002A8BBA,00000000,?), ref: 002A8FC5

SendMessageW.USER32(?,00001053), ref: 002E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 002E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 002E6FB7

Strings

0, xrefs: 002E6DCF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 93f153bf5975fbff0ee0ecfdd8fbc71ee941d1b8f6d8a56cb40cb79296009916
Instruction ID: 02a426a249b2e04e8f57719e6d94d47c9bed0c8c3189fcaafde565426f5bfa73
Opcode Fuzzy Hash: 93f153bf5975fbff0ee0ecfdd8fbc71ee941d1b8f6d8a56cb40cb79296009916
Instruction Fuzzy Hash: 6A12BF30220282DFDB26CF15C958BA9B7E5FB65340F988469F485CB661CB71EC62CF91

Function 00312711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0031273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0031286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00312900
GetClientRect.USER32(00000000,?), ref: 0031290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00312955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00312964
GetStockObject.GDI32(00000011), ref: 00312974
SelectObject.GDI32(00000000,00000000), ref: 00312978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00312988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00312991
DeleteDC.GDI32(00000000), ref: 0031299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00312A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00312A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00312A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00312A77
GetStockObject.GDI32(00000011), ref: 00312A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00312A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00312A97

Strings

msctls_progress32, xrefs: 00312A13
AutoIt v3, xrefs: 003128F8
static, xrefs: 0031294F, 00312A71
DISPLAY, xrefs: 0031295A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f7bcb8c88ecfe1eaa0ee86f1ee67511a0d2afe48024c562fa7196a7737df2412
Instruction ID: b4a7aaa4d1a4ad653e20411db3d77d59cc6a2a93507f8027a281fd8ffe45bb0d
Opcode Fuzzy Hash: f7bcb8c88ecfe1eaa0ee86f1ee67511a0d2afe48024c562fa7196a7737df2412
Instruction Fuzzy Hash: C0B17C75A10205AFEB25DF68DC4AEAF7BA9EB08710F148118F915E72A0D770ED50CF94

Function 00304ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00304AED
GetDriveTypeW.KERNEL32(?,0032CB68,?,\\.\,0032CC08), ref: 00304BCA
SetErrorMode.KERNEL32(00000000,0032CB68,?,\\.\,0032CC08), ref: 00304D36

Strings

\\.\, xrefs: 00304B3F
iSCSI, xrefs: 00304CC2
RAID, xrefs: 00304CBB
1394, xrefs: 00304C9F
Removable, xrefs: 00304C10, 00304C15
SSA, xrefs: 00304CA6
USB, xrefs: 00304CB4
PhysicalDrive, xrefs: 00304B76
CDROM, xrefs: 00304BFB
Network, xrefs: 00304C02
Fixed, xrefs: 00304C09
ATAPI, xrefs: 00304C91
Fibre, xrefs: 00304CAD
MMC, xrefs: 00304CDE
FileBackedVirtual, xrefs: 00304CEC
Unknown, xrefs: 00304BED, 00304C83
RAMDisk, xrefs: 00304BF4
SCSI, xrefs: 00304C8A
SSD, xrefs: 00304C4A
SATA, xrefs: 00304CD0
ATA, xrefs: 00304C98
SAS, xrefs: 00304CC9
Virtual, xrefs: 00304CE5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c829e2e4b36c842d2bc0a9449ec3dd720f885df7b357dd3fdce54abca6fa3b2b
Instruction ID: a10e02980d4890b53e6abc3fdda4c1a15afd69fbd36ef5c9b137442876b56afc
Opcode Fuzzy Hash: c829e2e4b36c842d2bc0a9449ec3dd720f885df7b357dd3fdce54abca6fa3b2b
Instruction Fuzzy Hash: BE61F6B0202205FBDB07DF28CAA2DBCB7B4AB44301B644415FD06AB6E5DB31DE45DB41

Function 003273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00327421
SetTextColor.GDI32(?,?), ref: 00327425
GetSysColorBrush.USER32(0000000F), ref: 0032743B
GetSysColor.USER32(0000000F), ref: 00327446
CreateSolidBrush.GDI32(?), ref: 0032744B
GetSysColor.USER32(00000011), ref: 00327463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00327471
SelectObject.GDI32(?,00000000), ref: 00327482
SetBkColor.GDI32(?,00000000), ref: 0032748B
SelectObject.GDI32(?,?), ref: 00327498
InflateRect.USER32(?,000000FF,000000FF), ref: 003274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0032752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00327554
InflateRect.USER32(?,000000FD,000000FD), ref: 00327572
DrawFocusRect.USER32(?,?), ref: 0032757D
GetSysColor.USER32(00000011), ref: 0032758E
SetTextColor.GDI32(?,00000000), ref: 00327596
DrawTextW.USER32(?,003270F5,000000FF,?,00000000), ref: 003275A8
SelectObject.GDI32(?,?), ref: 003275BF
DeleteObject.GDI32(?), ref: 003275CA
SelectObject.GDI32(?,?), ref: 003275D0
DeleteObject.GDI32(?), ref: 003275D5
SetTextColor.GDI32(?,?), ref: 003275DB
SetBkColor.GDI32(?,?), ref: 003275E5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6ca17e42776268fefc03b53209f6504286354e96bcd71b3e2a9e3cbed3a4f54f
Instruction ID: bc1ff9153faae70e3e62eb6a46bc61cfaf14576b177d1baa41b034a2017dcc35
Opcode Fuzzy Hash: 6ca17e42776268fefc03b53209f6504286354e96bcd71b3e2a9e3cbed3a4f54f
Instruction Fuzzy Hash: 85617F72900218AFDF129FA4DC49EAEBFB9FF09720F215115F911AB2A1D774A941CF90

Function 00320FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00321128
GetDesktopWindow.USER32 ref: 0032113D
GetWindowRect.USER32(00000000), ref: 00321144
GetWindowLongW.USER32(?,000000F0), ref: 00321199
DestroyWindow.USER32(?), ref: 003211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0032120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0032121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00321232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00321245
IsWindowVisible.USER32(00000000), ref: 003212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003212D0
GetWindowRect.USER32(00000000,?), ref: 003212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0032130E
GetMonitorInfoW.USER32(00000000,?), ref: 00321328
CopyRect.USER32(?,?), ref: 0032133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003213AA

Strings

(, xrefs: 0032131B
0, xrefs: 003210D3
tooltips_class32, xrefs: 003211E6

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 83ec2ec79eec06887ded0a5fa0c36aa11b70e47e664ef3f2099bd9f26ec975af
Instruction ID: 60c2cfbcff71e0a66cf2eafd32633025a4aa28cfc0cb27fac89b806d038534fa
Opcode Fuzzy Hash: 83ec2ec79eec06887ded0a5fa0c36aa11b70e47e664ef3f2099bd9f26ec975af
Instruction Fuzzy Hash: 03B19871618350AFDB11DF24D984B6EBBE9FF98310F00891CF9999B2A1C731E845CB92

Function 00320241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003202E5
_wcslen.LIBCMT ref: 0032031F
_wcslen.LIBCMT ref: 00320389
_wcslen.LIBCMT ref: 003203F1
_wcslen.LIBCMT ref: 00320475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003204C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00320504

Part of subcall function 002AF9F2: _wcslen.LIBCMT ref: 002AF9FD

Part of subcall function 002F223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002F2258
Part of subcall function 002F223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002F228A

Strings

FINDITEM, xrefs: 00320627
SELECTALL, xrefs: 00320515
DESELECT, xrefs: 0032059C
SELECT, xrefs: 00320548
SELECTINVERT, xrefs: 0032057E
GETSUBITEMCOUNT, xrefs: 00320384, 0032039F
GETSELECTEDCOUNT, xrefs: 00320470, 0032048B
VIEWCHANGE, xrefs: 00320675
SELECTCLEAR, xrefs: 0032052D
GETSELECTED, xrefs: 003205E1
GETITEMCOUNT, xrefs: 00320316, 00320337
ISSELECTED, xrefs: 003204DD
GETTEXT, xrefs: 003203EC, 00320407

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: aa6ea4a7d4f87079a03b4458aaef187f2aa613a1bdc89c8788337bacc63a2efb
Instruction ID: f2d4bfab2dc28da40f6cecb35daa15377e0f252b8c88657c5d98bc637d5b74b6
Opcode Fuzzy Hash: aa6ea4a7d4f87079a03b4458aaef187f2aa613a1bdc89c8788337bacc63a2efb
Instruction Fuzzy Hash: 63E1B0312182118FCB1ADF24E59083EB3E6FF89314B55496DF8969B7A2DB30ED49CB41

Function 002A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002A8968
GetSystemMetrics.USER32(00000007), ref: 002A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002A899B
GetSystemMetrics.USER32(00000008), ref: 002A89A3
GetSystemMetrics.USER32(00000004), ref: 002A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002A8A5A
GetStockObject.GDI32(00000011), ref: 002A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002A8A81

Part of subcall function 002A912D: GetCursorPos.USER32(?), ref: 002A9141
Part of subcall function 002A912D: ScreenToClient.USER32(00000000,?), ref: 002A915E
Part of subcall function 002A912D: GetAsyncKeyState.USER32(00000001), ref: 002A9183
Part of subcall function 002A912D: GetAsyncKeyState.USER32(00000002), ref: 002A919D

SetTimer.USER32(00000000,00000000,00000028,002A90FC), ref: 002A8AA8

Strings

AutoIt v3 GUI, xrefs: 002A8A20

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 3f0d96a70cec35d37b88096444c0af63e92f7a68cdc911b569b4f005fda7df99
Instruction ID: 3443cd03c532f9fa76b91a040ba6ea253a2600bef1b6fc2eae6c8e7fa67b9d59
Opcode Fuzzy Hash: 3f0d96a70cec35d37b88096444c0af63e92f7a68cdc911b569b4f005fda7df99
Instruction Fuzzy Hash: FEB1AC31A2020A9FDB15DFA9CC49BAE7BB8FB49314F144229FA15E7290DB74E851CF50

Function 002F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002F1114
Part of subcall function 002F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1120
Part of subcall function 002F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F112F
Part of subcall function 002F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1136
Part of subcall function 002F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002F0E29
GetLengthSid.ADVAPI32(?), ref: 002F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 002F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002F0E96
GetLengthSid.ADVAPI32(?), ref: 002F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002F0EB5
HeapAlloc.KERNEL32(00000000), ref: 002F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002F0EDD
CopySid.ADVAPI32(00000000), ref: 002F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0F6E
HeapFree.KERNEL32(00000000), ref: 002F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0F7E
HeapFree.KERNEL32(00000000), ref: 002F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F0F8E
HeapFree.KERNEL32(00000000), ref: 002F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 002F0FA1
HeapFree.KERNEL32(00000000), ref: 002F0FA8

Part of subcall function 002F1193: GetProcessHeap.KERNEL32(00000008,002F0BB1,?,00000000,?,002F0BB1,?), ref: 002F11A1
Part of subcall function 002F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002F0BB1,?), ref: 002F11A8
Part of subcall function 002F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002F0BB1,?), ref: 002F11B7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 428438ae0d4d0478eeea739f256f19d2dc8bad935518a904662ded87784b622e
Instruction ID: 0b5e7141e4e673b02a0920e437504a2ddd741a3df8762ae0719f2d9a30b5eed0
Opcode Fuzzy Hash: 428438ae0d4d0478eeea739f256f19d2dc8bad935518a904662ded87784b622e
Instruction Fuzzy Hash: 4871517191020AEBDB219FA5DC45FBEFBBCBF04340F144229FA15A6251DB719915CB60

Function 0031C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0032CC08,00000000,?,00000000,?,?), ref: 0031C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0031C5A4
_wcslen.LIBCMT ref: 0031C5F4
_wcslen.LIBCMT ref: 0031C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0031C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0031C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0031C84D
RegCloseKey.ADVAPI32(?), ref: 0031C881
RegCloseKey.ADVAPI32(00000000), ref: 0031C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0031C960

Strings

REG_SZ, xrefs: 0031C644
REG_BINARY, xrefs: 0031C913
REG_QWORD, xrefs: 0031C8C3
REG_DWORD, xrefs: 0031C804
REG_MULTI_SZ, xrefs: 0031C6F5
REG_EXPAND_SZ, xrefs: 0031C5CD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 044b318bb63a212a6bb69a94c87a5f6bc5f9b0092c228a51ebee30bc9aaa52a2
Instruction ID: db2ff47741efde009ef42d8f335562327db713080cf9061d2203de9d64256227
Opcode Fuzzy Hash: 044b318bb63a212a6bb69a94c87a5f6bc5f9b0092c228a51ebee30bc9aaa52a2
Instruction Fuzzy Hash: BE127B356282019FDB19DF14C891A6AB7E5FF88714F15885CF88A9B3A2DB31EC51CF81

Function 0032091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003209C6
_wcslen.LIBCMT ref: 00320A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00320A54
_wcslen.LIBCMT ref: 00320A8A
_wcslen.LIBCMT ref: 00320B06
_wcslen.LIBCMT ref: 00320B81

Part of subcall function 002AF9F2: _wcslen.LIBCMT ref: 002AF9FD

Part of subcall function 002F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002F2BFA

Strings

EXISTS, xrefs: 00320B7C, 00320B97
GETSELECTED, xrefs: 00320C4E
UNCHECK, xrefs: 00320D3E
CHECK, xrefs: 00320A85, 00320AA0
ISCHECKED, xrefs: 00320CE1
COLLAPSE, xrefs: 00320B01, 00320B1C
GETITEMCOUNT, xrefs: 00320C1E
GETTOTALCOUNT, xrefs: 003209F2, 00320A17
SELECT, xrefs: 00320D11
GETTEXT, xrefs: 00320C97
EXPAND, xrefs: 00320BF8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 66ff4efc2003b28361383a0473b09704f83109c6bbf8b4b007ab64c4298780b7
Instruction ID: 13119e012c137856442e840dfa055c35f81a192a142bf9f018e5c99653118ff3
Opcode Fuzzy Hash: 66ff4efc2003b28361383a0473b09704f83109c6bbf8b4b007ab64c4298780b7
Instruction Fuzzy Hash: 70E1DD352183218FCB19DF24D49092AB7E2BF98314F52895DF8969B762DB30ED49CF81

Function 0031C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0031B6AE,?,?), ref: 0031C9B5
_wcslen.LIBCMT ref: 0031C9F1
_wcslen.LIBCMT ref: 0031CA68
_wcslen.LIBCMT ref: 0031CA9E
_wcslen.LIBCMT ref: 0031CAF9
_wcslen.LIBCMT ref: 0031CB2F
_wcslen.LIBCMT ref: 0031CB7F

Strings

HKCU, xrefs: 0031CBCE
HKU, xrefs: 0031CBF0
HKEY_LOCAL_MACHINE, xrefs: 0031CA62, 0031CA67
HKEY_USERS, xrefs: 0031CBDF
HKEY_CURRENT_USER, xrefs: 0031CBBD
HKEY_CURRENT_CONFIG, xrefs: 0031CB79, 0031CB7E
HKEY_CLASSES_ROOT, xrefs: 0031CAF3, 0031CAF8
HKCC, xrefs: 0031CBAC
HKLM, xrefs: 0031CA98, 0031CA9D
HKCR, xrefs: 0031CB29, 0031CB2E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 91c3eebb914573d7bea84e5891c70e73f13886ff490a1b2657ca4198ebf92b17
Instruction ID: 469dca3dae7cd7b534845cf5456b4a25be9afb60f3b4ec39298518588e4ed6aa
Opcode Fuzzy Hash: 91c3eebb914573d7bea84e5891c70e73f13886ff490a1b2657ca4198ebf92b17
Instruction Fuzzy Hash: 707136326A412A8BCB2BDE6CD9415FF3395AF68750B126128FC5697280E630CDD5C790

Function 0032833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032835A
_wcslen.LIBCMT ref: 0032836E
_wcslen.LIBCMT ref: 00328391
_wcslen.LIBCMT ref: 003283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00325BF2), ref: 0032844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00328487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00328501
FreeLibrary.KERNEL32(?), ref: 0032850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0032851D
DestroyIcon.USER32(?,?,?,?,?,00325BF2), ref: 0032852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00328549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00328555

Strings

.dll, xrefs: 003283AB
.exe, xrefs: 00328388
.icl, xrefs: 00328368

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 70724a2432d64c1620275ee5006b33771331d680650d119988b9dd6c0c6dd4fb
Instruction ID: e4dec572eb1755b7c86f2bdbd156e9956ca6ad0dca733ccb0ba24c936da98cd0
Opcode Fuzzy Hash: 70724a2432d64c1620275ee5006b33771331d680650d119988b9dd6c0c6dd4fb
Instruction Fuzzy Hash: 3E61EF71510225BBEB26DF64EC81BFE77ACBF08B11F204609F815D60D1DB74AA90CBA0

Function 00297778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 002D519A
#notrayicon, xrefs: 002977E7
#include, xrefs: 00297847
", xrefs: 002D5153
#comments-start, xrefs: 0029785F, 002978B1
#comments-end, xrefs: 002978D9
', xrefs: 002D5169
#pragma compile, xrefs: 002977D3
Cannot parse #include, xrefs: 002D5279
Unterminated group of comments, xrefs: 002D528C
#cs, xrefs: 00297873, 002978C5
#ce, xrefs: 002978ED
#OnAutoItStartRegister, xrefs: 00297817
#include-once, xrefs: 0029782F
#requireadmin, xrefs: 002977FF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ae10305a80376e5e6edfcb0380b573d773083fa02bc7dc02d6638494f89381c5
Instruction ID: 3262ceee0407f91b67167b83ee3ae67e4e1da3c3326948e5a4920baac33b3797
Opcode Fuzzy Hash: ae10305a80376e5e6edfcb0380b573d773083fa02bc7dc02d6638494f89381c5
Instruction Fuzzy Hash: C381F671674616ABDF25AF60DC42FEE77A9BF15340F004025FC08AA292EBB0D975CA91

Function 00303E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00303EF8
_wcslen.LIBCMT ref: 00303F03
_wcslen.LIBCMT ref: 00303F5A
_wcslen.LIBCMT ref: 00303F98
GetDriveTypeW.KERNEL32(?), ref: 00303FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0030401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00304059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00304087

Strings

open , xrefs: 00303FE5
wait, xrefs: 00304044
type cdaudio alias cd wait, xrefs: 00304001
close, xrefs: 00303EFE, 00303F18
set cd door , xrefs: 00304028
closed, xrefs: 00303F08, 00303F2D, 00303F46, 00303F7E, 00303F97
open, xrefs: 00303F54, 00303F59
close cd wait, xrefs: 00304072

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3d4bcdb898837a4ca79733d84642c2a688fda8af606f9766c975c1b858d1bed5
Instruction ID: 8e4cc1b28c6f3476ce81ea526544f1d05480e18f7991286ff6eac9eb3f586ef5
Opcode Fuzzy Hash: 3d4bcdb898837a4ca79733d84642c2a688fda8af606f9766c975c1b858d1bed5
Instruction Fuzzy Hash: 3A7113726142029FC711EF24C89186FB7F8EF94768F50492DF995932A1EB30EE49CB91

Function 002F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002F5A40
SetWindowTextW.USER32(?,?), ref: 002F5A57
GetDlgItem.USER32(?,000003EA), ref: 002F5A6C
SetWindowTextW.USER32(00000000,?), ref: 002F5A72
GetDlgItem.USER32(?,000003E9), ref: 002F5A82
SetWindowTextW.USER32(00000000,?), ref: 002F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002F5AC3
GetWindowRect.USER32(?,?), ref: 002F5ACC
_wcslen.LIBCMT ref: 002F5B33
SetWindowTextW.USER32(?,?), ref: 002F5B6F
GetDesktopWindow.USER32 ref: 002F5B75
GetWindowRect.USER32(00000000), ref: 002F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 002F5BD3
GetClientRect.USER32(?,?), ref: 002F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 002F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002F5C2F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ce8327dd0b3ae6228e31d4e21eb2753d09a3dcb3f8be8b6b35cd0b825f6a3fb4
Instruction ID: 2c1e1384658b8205f7fe97d3691d9f664dce0afaaf85a48b98a472ce8d9aff60
Opcode Fuzzy Hash: ce8327dd0b3ae6228e31d4e21eb2753d09a3dcb3f8be8b6b35cd0b825f6a3fb4
Instruction Fuzzy Hash: 1E719D31910B1AAFDB21DFA8CE85AAEFBF5FF48744F104528E242A25A0D774E910CF50

Function 0030FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0030FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0030FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0030FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0030FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0030FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0030FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0030FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0030FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0030FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0030FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0030FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0030FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0030FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0030FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0030FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0030FECC
GetCursorInfo.USER32(?), ref: 0030FEDC
GetLastError.KERNEL32 ref: 0030FF1E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fcea61cd97f827eef682c288db5f9973336cde792a2eab6085561e7a39192640
Instruction ID: 0180490c1e3e13a4880125beb27a19b915b52ebec0d69a9fad89060a4c005cfc
Opcode Fuzzy Hash: fcea61cd97f827eef682c288db5f9973336cde792a2eab6085561e7a39192640
Instruction Fuzzy Hash: 934155B0D0531A6EDB20DF7A8C8585EBFE8FF04754B50452AE11DE7681DB78A901CE91

Function 002F30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002F318D
_wcslen.LIBCMT ref: 002F31F8

Strings

TEXT, xrefs: 002F347C
INSTANCE, xrefs: 002F3453
[5, xrefs: 002F339A
CLASSNN, xrefs: 002F31F3, 002F3204
NAME, xrefs: 002F3335, 002F3346
REGEXPCLASS, xrefs: 002F3255, 002F3266
CLASS, xrefs: 002F3188, 002F31A5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[5
API String ID: 176396367-3062731613
Opcode ID: 6502921835f628f9bfb357df4bd0a3e78f7cfb30bd2aca04ee624db0a8769d41
Instruction ID: efea00ff2f5dc3939948857b571588cb15c25716e3290cbf8edc67ad3eabdde6
Opcode Fuzzy Hash: 6502921835f628f9bfb357df4bd0a3e78f7cfb30bd2aca04ee624db0a8769d41
Instruction Fuzzy Hash: 6FE1E732A2051B9BCB14DFB4C451AFEFBB0BF44790F544139EA56E7240DB30AEA58B90

Function 002B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002B00C6

Part of subcall function 002B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0036070C,00000FA0,3C7563CA,?,?,?,?,002D23B3,000000FF), ref: 002B011C
Part of subcall function 002B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002D23B3,000000FF), ref: 002B0127
Part of subcall function 002B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002D23B3,000000FF), ref: 002B0138
Part of subcall function 002B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002B014E
Part of subcall function 002B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002B015C
Part of subcall function 002B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002B016A
Part of subcall function 002B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002B0195
Part of subcall function 002B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002B01A0

___scrt_fastfail.LIBCMT ref: 002B00E7

Part of subcall function 002B00A3: __onexit.LIBCMT ref: 002B00A9

Strings

kernel32.dll, xrefs: 002B0133
WakeAllConditionVariable, xrefs: 002B0162
SleepConditionVariableCS, xrefs: 002B0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002B0122
InitializeConditionVariable, xrefs: 002B0148

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: add3ad1ce41b7d29a1fbd3b365b812acf4cb798a97aced1e41532c3f4a2e034c
Instruction ID: 8bd9b934ae2398785f256cd85608f35f0bc6452c5339fc796621b736bc6a0ce1
Opcode Fuzzy Hash: add3ad1ce41b7d29a1fbd3b365b812acf4cb798a97aced1e41532c3f4a2e034c
Instruction Fuzzy Hash: 8621FC326747116FD7276FA4AD46BAF73A8DB05B91F004539F805A3291DFB49C108E94

Function 003044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0032CC08), ref: 00304527
_wcslen.LIBCMT ref: 0030453B
_wcslen.LIBCMT ref: 00304599
_wcslen.LIBCMT ref: 003045F4
_wcslen.LIBCMT ref: 0030463F
_wcslen.LIBCMT ref: 003046A7

Part of subcall function 002AF9F2: _wcslen.LIBCMT ref: 002AF9FD

GetDriveTypeW.KERNEL32(?,00356BF0,00000061), ref: 00304743

Strings

ramdisk, xrefs: 003046F1
fixed, xrefs: 00304635, 0030463A
unknown, xrefs: 00304708
cdrom, xrefs: 0030458F, 00304594
all, xrefs: 00304531, 00304536
removable, xrefs: 003045EA, 003045EF
network, xrefs: 0030469D, 003046A2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 378a17f71c7fe3551aa40c2b80d3e842e919fd2a10bfa8a4114ca61150a50dd1
Instruction ID: 6f3610440aea6327f9869fef67b33a890a543ef24c9c11f7ce2bb89a0e7c55cf
Opcode Fuzzy Hash: 378a17f71c7fe3551aa40c2b80d3e842e919fd2a10bfa8a4114ca61150a50dd1
Instruction Fuzzy Hash: 2DB143B16093029FC711DF28C8A0A6EB3E4BFA6720F51491DF696C32D1E731DA44CB92

Function 0032911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00329147

Part of subcall function 00327674: ClientToScreen.USER32(?,?), ref: 0032769A
Part of subcall function 00327674: GetWindowRect.USER32(?,?), ref: 00327710
Part of subcall function 00327674: PtInRect.USER32(?,?,00328B89), ref: 00327720

SendMessageW.USER32(?,000000B0,?,?), ref: 003291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00329225
SendMessageW.USER32(?,000000B0,?,?), ref: 0032923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00329255
SendMessageW.USER32(?,000000B1,?,?), ref: 00329277
DragFinish.SHELL32(?), ref: 0032927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00329371

Strings

@GUI_DROPID, xrefs: 0032929E
@GUI_DRAGFILE, xrefs: 00329320
p#6, xrefs: 003292BB
@GUI_DRAGID, xrefs: 003292E9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#6
API String ID: 221274066-3220421060
Opcode ID: f43e435afc8f083b5cd2e30c714744fee705ee65de963d46305eed6abad28bb6
Instruction ID: ac733c4edf2a34168c6cfd3c472744091bfabf3255ebd023702d1d6f1ffdaff0
Opcode Fuzzy Hash: f43e435afc8f083b5cd2e30c714744fee705ee65de963d46305eed6abad28bb6
Instruction Fuzzy Hash: F1617971118301AFC702EF64DC85EAFBBE8FF88750F40091EF595921A0DB309A59CBA2

Function 0029326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00361990), ref: 002D2F8D
GetMenuItemCount.USER32(00361990), ref: 002D303D
GetCursorPos.USER32(?), ref: 002D3081
SetForegroundWindow.USER32(00000000), ref: 002D308A
TrackPopupMenuEx.USER32(00361990,00000000,?,00000000,00000000,00000000), ref: 002D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002D30A9

Strings

0, xrefs: 0029327D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f678a5eb45c6f4c40cfdc6e41821a0e3219a24cc51ffb227654b906db5d8bf51
Instruction ID: 4d2bccb3070a6121b15588071d1005963d028744878967cc11b973dd90813917
Opcode Fuzzy Hash: f678a5eb45c6f4c40cfdc6e41821a0e3219a24cc51ffb227654b906db5d8bf51
Instruction Fuzzy Hash: 0171F671664216BEEB218F24CC49FAABF68FF05364F204217F914662E0C7B1AD24DB91

Function 00326CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00326DEB

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00326E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00326E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00326E94
DestroyWindow.USER32(?), ref: 00326EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00290000,00000000), ref: 00326EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00326EFD
GetDesktopWindow.USER32 ref: 00326F16
GetWindowRect.USER32(00000000), ref: 00326F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00326F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00326F4D

Part of subcall function 002A9944: GetWindowLongW.USER32(?,000000EB), ref: 002A9952

Strings

0, xrefs: 00326D98
tooltips_class32, xrefs: 00326E58, 00326EDD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 201c60eadcd3775b7083cb7e994a78aee73aaa3c1df8bd0641eb37ba25c62720
Instruction ID: 7ec5ace94ee89c21b5749a3021f584edb6d27df2ecab6c184de46fc5e3709109
Opcode Fuzzy Hash: 201c60eadcd3775b7083cb7e994a78aee73aaa3c1df8bd0641eb37ba25c62720
Instruction Fuzzy Hash: C1716674104244AFDB22CF18ED59FAABBE9FF89304F19441DF98997261C770A906CF52

Function 0030C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0030C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0030C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0030C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0030C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0030C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0030C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0030C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0030C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0030C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0030C5F0
InternetCloseHandle.WININET(00000000), ref: 0030C5FB

Strings

, xrefs: 0030C575

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9941113d1489d6cbee547ebdbbd2563a760e832b5d01b211742821aeadd11822
Instruction ID: d2c4be335ee3b6ed97cc70ae5e37d571c9dd83157a86a1d765d1f83fa3b224d9
Opcode Fuzzy Hash: 9941113d1489d6cbee547ebdbbd2563a760e832b5d01b211742821aeadd11822
Instruction Fuzzy Hash: 69518AB4511208BFDB228F65CD98AAB7BBCFF09344F00661DF94596690DB34E905DBA0

Function 0032856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00328592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285BA
GlobalLock.KERNEL32(00000000), ref: 003285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285D7
GlobalUnlock.KERNEL32(00000000), ref: 003285E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003285F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0032FC38,?), ref: 00328611
GlobalFree.KERNEL32(00000000), ref: 00328621
GetObjectW.GDI32(?,00000018,?), ref: 00328641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00328671
DeleteObject.GDI32(?), ref: 00328699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003286AF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4ea46220ca5b8a30c63c8f42ff362e6738837da4c1145c89e19f05d1fad52bd8
Instruction ID: 47088c23fa159e7cdb221142043ee5c84e81e76eff85a50c1916fe66ae2261f6
Opcode Fuzzy Hash: 4ea46220ca5b8a30c63c8f42ff362e6738837da4c1145c89e19f05d1fad52bd8
Instruction Fuzzy Hash: A5412975601218AFDB229FA5DC48EAE7BBCEF89711F108458F905E7260DB30AD02CB60

Function 003014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00301502
VariantCopy.OLEAUT32(?,?), ref: 0030150B
VariantClear.OLEAUT32(?), ref: 00301517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00301657
VariantInit.OLEAUT32(?), ref: 00301708
SysFreeString.OLEAUT32(?), ref: 0030178C
VariantClear.OLEAUT32(?), ref: 003017D8
VariantClear.OLEAUT32(?), ref: 003017E7
VariantInit.OLEAUT32(00000000), ref: 00301823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00301625
Default, xrefs: 003016AF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b951d49f445d48ae612ab7766371f722baeacbcedbfd4bd54567f9edfccd04af
Instruction ID: 0765eaae1a6525ea533ebc82ad043ac3575ca60fbf25ec7a10f30c7d4bfd5b36
Opcode Fuzzy Hash: b951d49f445d48ae612ab7766371f722baeacbcedbfd4bd54567f9edfccd04af
Instruction Fuzzy Hash: 70D12332A01615DBDB12AFA5D8A5B7DB7B9BF46700F10805AF806AF5C0DB30EC51DBA1

Function 0031B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 0031C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0031B6AE,?,?), ref: 0031C9B5
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031C9F1
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA68
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0031B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0031B80A
RegCloseKey.ADVAPI32(?), ref: 0031B87E
RegCloseKey.ADVAPI32(?), ref: 0031B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0031B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0031B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0031B922
FreeLibrary.KERNEL32(00000000), ref: 0031B983
RegCloseKey.ADVAPI32(00000000), ref: 0031B994

Strings

advapi32.dll, xrefs: 0031B8ED
RegDeleteKeyExW, xrefs: 0031B8FE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f160951217419837a1b3772dd54990aad27a22ce23d6796d4d6cfc3641c13906
Instruction ID: 237155f8eaf3dd7d6f79b8b7a6b7dda72bae4dac37b1297a35627f186150bbfa
Opcode Fuzzy Hash: f160951217419837a1b3772dd54990aad27a22ce23d6796d4d6cfc3641c13906
Instruction Fuzzy Hash: D0C18C30218241AFD715DF24C495F6AFBE5BF88318F15849CF49A4B6A2CB71EC86CB91

Function 0031255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003125E8
CreateCompatibleDC.GDI32(?), ref: 003125F4
SelectObject.GDI32(00000000,?), ref: 00312601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0031266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003126D0
SelectObject.GDI32(?,?), ref: 003126D8
DeleteObject.GDI32(?), ref: 003126E1
DeleteDC.GDI32(?), ref: 003126E8
ReleaseDC.USER32(00000000,?), ref: 003126F3

Strings

(, xrefs: 0031268D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 716758fa7e8863b718111c63e84b546a95b0500bf8cecaef491bcf5b2a478bfc
Instruction ID: 0df78398b8978b2a1bb5f58bdbe7332188fd48224e8f68da1fde9526315c326c
Opcode Fuzzy Hash: 716758fa7e8863b718111c63e84b546a95b0500bf8cecaef491bcf5b2a478bfc
Instruction Fuzzy Hash: 8961F275D00219EFCF15CFA4D885AAEBBFAFF48310F208529E955A7250D770A951CF90

Function 002CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002CDAA1

Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD659
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD66B
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD67D
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD68F
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6A1
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6B3
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6C5
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6D7
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6E9
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD6FB
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD70D
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD71F
Part of subcall function 002CD63C: _free.LIBCMT ref: 002CD731

_free.LIBCMT ref: 002CDA96

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002CDAB8
_free.LIBCMT ref: 002CDACD
_free.LIBCMT ref: 002CDAD8
_free.LIBCMT ref: 002CDAFA
_free.LIBCMT ref: 002CDB0D
_free.LIBCMT ref: 002CDB1B
_free.LIBCMT ref: 002CDB26
_free.LIBCMT ref: 002CDB5E
_free.LIBCMT ref: 002CDB65
_free.LIBCMT ref: 002CDB82
_free.LIBCMT ref: 002CDB9A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 228aedc3d4229887926d46de56c8d6af382c3737b776c7effd958f50d531391e
Instruction ID: c1c95d6629da01c44d553f954a378bec3cb7732a42e0ddcc4c592ef3ada82540
Opcode Fuzzy Hash: 228aedc3d4229887926d46de56c8d6af382c3737b776c7effd958f50d531391e
Instruction Fuzzy Hash: E4315931664B06DFEB22AE38E845F5AB7E8FF00314F21562DE448D7191DE31AC64CB20

Function 002F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002F369C
_wcslen.LIBCMT ref: 002F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002F3797
GetClassNameW.USER32(?,?,00000400), ref: 002F380C
GetDlgCtrlID.USER32(?), ref: 002F385D
GetWindowRect.USER32(?,?), ref: 002F3882
GetParent.USER32(?), ref: 002F38A0
ScreenToClient.USER32(00000000), ref: 002F38A7
GetClassNameW.USER32(?,?,00000100), ref: 002F3921
GetWindowTextW.USER32(?,?,00000400), ref: 002F395D

Strings

%s%u, xrefs: 002F3734

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 89baf320043f5d625722023ebc3c6c5828fbab9ac8bf135701f684834375cb0d
Instruction ID: 1da83ad0e7cc6dfb131e2f6da1098f0aef229ecbaadbe1871e5437234d9eceac
Opcode Fuzzy Hash: 89baf320043f5d625722023ebc3c6c5828fbab9ac8bf135701f684834375cb0d
Instruction Fuzzy Hash: 1391B47122460BAFD715DF24C885BFAF7A8FF44390F008529FA99C6150DB70EA65CB91

Function 002F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 002F4994
GetWindowTextW.USER32(?,?,00000400), ref: 002F49DA
_wcslen.LIBCMT ref: 002F49EB
CharUpperBuffW.USER32(?,00000000), ref: 002F49F7
_wcsstr.LIBVCRUNTIME ref: 002F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 002F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 002F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 002F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 002F4B20
GetWindowRect.USER32(?,?), ref: 002F4B8B

Strings

ThumbnailClass, xrefs: 002F4A6F, 002F4AF1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9195a880c0c39dcbfb096b38bf91a34256c0356dfd744d3bfc25928d4e88f7aa
Instruction ID: 9d58e8c9b4b958cb831714be12a57fac96161d2411282ddf8ea1f4d8622b438e
Opcode Fuzzy Hash: 9195a880c0c39dcbfb096b38bf91a34256c0356dfd744d3bfc25928d4e88f7aa
Instruction Fuzzy Hash: 8891C13102420A9FDB04EF14C880BBBB7A8FF44794F04447AEE859A196DBB0ED55CBA1

Function 00328D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00328D5A
GetFocus.USER32 ref: 00328D6A
GetDlgCtrlID.USER32(00000000), ref: 00328D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00328E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00328ECF
GetMenuItemCount.USER32(?), ref: 00328EEC
GetMenuItemID.USER32(?,00000000), ref: 00328EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00328F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00328F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00328FA1

Strings

0, xrefs: 00328E9F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: be2374d1d896a0715f48143774facc271f924fa2e07b7c4232fc0031e8c75219
Instruction ID: 4ec96cd4e871dd8a70fc2f4856fadd1698bbdd3cd3241669c9694995b79271a2
Opcode Fuzzy Hash: be2374d1d896a0715f48143774facc271f924fa2e07b7c4232fc0031e8c75219
Instruction Fuzzy Hash: A5810071509321AFDB22CF24E984AABBBE9FF88314F15091DF984D7291DB30D905CBA1

Function 002FDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002FDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002FDC46
_wcslen.LIBCMT ref: 002FDC50
_wcsstr.LIBVCRUNTIME ref: 002FDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002FDCBC

Strings

04090000, xrefs: 002FDCF2
%u.%u.%u.%u, xrefs: 002FDD9A
\VarFileInfo\Translation, xrefs: 002FDCB4
StringFileInfo\, xrefs: 002FDC8F
DefaultLangCodepage, xrefs: 002FDD1F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 1f94b5180d1e271148a1fc668f23f51decdd7e98d6e84a833b91803bd0483aae
Instruction ID: fbd80deb4532615806a922e3edd22351fd2a8c03c8f64b9983c9348246cc1175
Opcode Fuzzy Hash: 1f94b5180d1e271148a1fc668f23f51decdd7e98d6e84a833b91803bd0483aae
Instruction Fuzzy Hash: 134157329642057BEB15BB74DC43EFF77ACEF56790F100069FA00A6192EB7499218EA4

Function 0031CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0031CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0031CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0031CD48

Part of subcall function 0031CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0031CCAA
Part of subcall function 0031CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0031CCBD
Part of subcall function 0031CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0031CCCF
Part of subcall function 0031CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0031CD05
Part of subcall function 0031CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0031CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0031CCF3

Strings

advapi32.dll, xrefs: 0031CCB8
RegDeleteKeyExW, xrefs: 0031CCC9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 81c2beffa8c75d9b56dcd2f807ca573dca7e6c4fba7d18620ad1b6a92dd370ed
Instruction ID: 1cfa05a56706c6e25637e3dda158bac4bccc7886492fe08e8b85ebf2d0a4892e
Opcode Fuzzy Hash: 81c2beffa8c75d9b56dcd2f807ca573dca7e6c4fba7d18620ad1b6a92dd370ed
Instruction Fuzzy Hash: 16318E71951129BBDB368B50DC88EFFBB7CEF09740F011169E906E2250DA709E86DAE0

Function 00303D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00303D40
_wcslen.LIBCMT ref: 00303D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00303D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00303DBE
RemoveDirectoryW.KERNEL32(?), ref: 00303DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00303E55
CloseHandle.KERNEL32(00000000), ref: 00303E60
CloseHandle.KERNEL32(00000000), ref: 00303E6B

Strings

:, xrefs: 00303D82
\??\%s, xrefs: 00303D5B
\, xrefs: 00303D77

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 93c4f229b0c69885d7637f51261f4b6079855cc8aa9dfbd5355b60be991eb429
Instruction ID: dc61273001bc930486654f9daac80e73c814a918fb93621b43ae684e4b7f48fa
Opcode Fuzzy Hash: 93c4f229b0c69885d7637f51261f4b6079855cc8aa9dfbd5355b60be991eb429
Instruction Fuzzy Hash: 3A318176910209ABDB229BA0DC49FEF37BCEF89740F1141AAF605D61A0EB7497458B24

Function 002FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002FE6B4

Part of subcall function 002AE551: timeGetTime.WINMM(?,?,002FE6D4), ref: 002AE555

Sleep.KERNEL32(0000000A), ref: 002FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 002FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002FE727
SetActiveWindow.USER32 ref: 002FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 002FE773
Sleep.KERNEL32(000000FA), ref: 002FE77E
IsWindow.USER32 ref: 002FE78A
EndDialog.USER32(00000000), ref: 002FE79B

Strings

BUTTON, xrefs: 002FE719

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2b58c413b5b84533c9d990d55a618860d5f1fcfbda0bc1ffc0676baeca54c415
Instruction ID: 39ad79794bc19dc95ec5bee663197d000154f7d4ea976dbdb5660521be37126d
Opcode Fuzzy Hash: 2b58c413b5b84533c9d990d55a618860d5f1fcfbda0bc1ffc0676baeca54c415
Instruction Fuzzy Hash: 4F21C570220609AFEF135F25EC8DA3ABB6DF755788F165439F60281171DBF1AC218B20

Function 002FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002FEAA7

Strings

open , xrefs: 002FEA0C
close PlayMe, xrefs: 002FEA6E, 002FEA9B
play PlayMe, xrefs: 002FEAA2
play PlayMe wait, xrefs: 002FEA91
status PlayMe mode, xrefs: 002FEA58
alias PlayMe, xrefs: 002FEA36

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 31b7adafe90fd408f19c03c249fa7eb3d7316a201ec6e37d004ff710979ae636
Instruction ID: 6534685abe62ccfaebcd492d63f7c023feb901907e24e28d27a14d510e433a1d
Opcode Fuzzy Hash: 31b7adafe90fd408f19c03c249fa7eb3d7316a201ec6e37d004ff710979ae636
Instruction Fuzzy Hash: 101194316A021D79EB21A765DC4ADFFAA7CEBD1F40F400429B801A30E0EB700959C9B0

Function 002F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002F5CE2
GetWindowRect.USER32(00000000,?), ref: 002F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002F5D59
GetDlgItem.USER32(?,00000002), ref: 002F5D69
GetWindowRect.USER32(00000000,?), ref: 002F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 002F5DCF
GetDlgItem.USER32(?,000003E9), ref: 002F5DDD
GetWindowRect.USER32(00000000,?), ref: 002F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 002F5E31
GetDlgItem.USER32(?,000003EA), ref: 002F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 002F5E67

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 63629d0cb8c597898d076ac3cd4096fe5812fa9f30ea56ad4a1d2197cddd4568
Instruction ID: 1423bcab131e126f1782dafcb8c5de0dccbea03213a83e775fe0a038df0f473a
Opcode Fuzzy Hash: 63629d0cb8c597898d076ac3cd4096fe5812fa9f30ea56ad4a1d2197cddd4568
Instruction Fuzzy Hash: 3A512E70B10619AFDB18CF68CD89AAEBBB9FB48340F148129FA15E6290D7709E15CB50

Function 002A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002A8BE8,?,00000000,?,?,?,?,002A8BBA,00000000,?), ref: 002A8FC5

DestroyWindow.USER32(?), ref: 002A8C81
KillTimer.USER32(00000000,?,?,?,?,002A8BBA,00000000,?), ref: 002A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 002E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002A8BBA,00000000,?), ref: 002E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002A8BBA,00000000,?), ref: 002E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002A8BBA,00000000), ref: 002E69D4
DeleteObject.GDI32(00000000), ref: 002E69E6

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0a128e74adf87747af806c876a615584b966211198f7b00587dd8580d4f33988
Instruction ID: f72d7fbebf3edbcd38679cbf6edaaf9612f50582a27b3dbf2c1d0d9a8e4a3952
Opcode Fuzzy Hash: 0a128e74adf87747af806c876a615584b966211198f7b00587dd8580d4f33988
Instruction Fuzzy Hash: 8961BE31422641DFCB3A9F15D948B29BBF6FB51362F58852DE04297660CBB1ACA1CF90

Function 002A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002A9944: GetWindowLongW.USER32(?,000000EB), ref: 002A9952

GetSysColor.USER32(0000000F), ref: 002A9862

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b05ca01a742add027a1ebf37ca07c6aaacbe1cca495a2e3e910956c681f8a745
Instruction ID: f10413d36742be5f0b37fa72670b74b282344f78cb498d08978e8489d213d4be
Opcode Fuzzy Hash: b05ca01a742add027a1ebf37ca07c6aaacbe1cca495a2e3e910956c681f8a745
Instruction Fuzzy Hash: E041F731120641AFDB315F3A9C84BB93BA9EB07730F544609F9B2871E1CB759CA2DB10

Function 002C8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.+, xrefs: 002C903A, 002C8FD0, 002C8FF2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: .+
API String ID: 0-85632910
Opcode ID: 034b5b5858b8eb4329142613810519cf0f408f4b1051c72d38223e524d2ab4a9
Instruction ID: cefede731d79dd90aff5624a7c240b03afa1c28efc27b683921cfb087786630e
Opcode Fuzzy Hash: 034b5b5858b8eb4329142613810519cf0f408f4b1051c72d38223e524d2ab4a9
Instruction Fuzzy Hash: 95C1E27592424AAFCB11DFA8CC45FEDBBB4AF09310F04825DF814AB292C77089A1CF61

Function 002F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,002DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 002F9717
LoadStringW.USER32(00000000,?,002DF7F8,00000001), ref: 002F9720

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 002F9742
LoadStringW.USER32(00000000,?,002DF7F8,00000001), ref: 002F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 002F9866

Strings

Error: , xrefs: 002F981D
Line %d:, xrefs: 002F97A0
%s (%d) : ==> %s: %s %s, xrefs: 002F984A
Line %d (File "%s"):, xrefs: 002F978F
^ ERROR, xrefs: 002F97FB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: e9d48b50ca3dab519da595129aeb99c7839a231d14ef1c68df242744ea0476d8
Instruction ID: e1f6b37e1faec2186c80ad5432d6897926f3697f1b8a75d1c91a89e1c56317c8
Opcode Fuzzy Hash: e9d48b50ca3dab519da595129aeb99c7839a231d14ef1c68df242744ea0476d8
Instruction Fuzzy Hash: BF414E72810209AACF05EBE5DD46EFEB378AF15740F500069F60572092EB756FA8CFA1

Function 002F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002F083C

Strings

\IPC$, xrefs: 002F0784
SOFTWARE\Classes\, xrefs: 002F070E
\CLSID, xrefs: 002F0724

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 37c858c596e11f36b93deb03a9048df7a53475aa030498d44996867bb1808c71
Instruction ID: 4e14685d137b3656072b99c64a8d0c625f8a9c4c611e39a643497400067e343c
Opcode Fuzzy Hash: 37c858c596e11f36b93deb03a9048df7a53475aa030498d44996867bb1808c71
Instruction Fuzzy Hash: C041E572C20229ABDF25EFA4DC95CEDB778BF14790F044169E911A3161EB70AE54CFA0

Function 00313C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00313C5C
CoInitialize.OLE32(00000000), ref: 00313C8A
CoUninitialize.OLE32 ref: 00313C94
_wcslen.LIBCMT ref: 00313D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00313DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00313ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00313F0E
CoGetObject.OLE32(?,00000000,0032FB98,?), ref: 00313F2D
SetErrorMode.KERNEL32(00000000), ref: 00313F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00313FC4
VariantClear.OLEAUT32(?), ref: 00313FD8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4c7761b51ae713f24edf0c2ec8a245646f15f3fa8709d508d731a4fc06d08a1a
Instruction ID: da3ee7b8b9bcdefd5a6e2fb5137a0108bc169d183f6df1da8a4ddb81a0c0f13a
Opcode Fuzzy Hash: 4c7761b51ae713f24edf0c2ec8a245646f15f3fa8709d508d731a4fc06d08a1a
Instruction Fuzzy Hash: 49C167716083059FD705DF68C88496BBBE9FF89744F00492DF98A9B250D730EE86CB52

Function 00307A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00307AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00307B8F
SHGetDesktopFolder.SHELL32(?), ref: 00307BA3
CoCreateInstance.OLE32(0032FD08,00000000,00000001,00356E6C,?), ref: 00307BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00307C74
CoTaskMemFree.OLE32(?,?), ref: 00307CCC
SHBrowseForFolderW.SHELL32(?), ref: 00307D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00307D7A
CoTaskMemFree.OLE32(00000000), ref: 00307D81
CoTaskMemFree.OLE32(00000000), ref: 00307DD6
CoUninitialize.OLE32 ref: 00307DDC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 29318e66b1f83c07122e5a3737f4f80177979e5664ebee077f5931b5186cd54a
Instruction ID: 9eb031dadc790e12e5d9c79cd51baa15d14c3fd24333fbb6872022c61dbfd1c5
Opcode Fuzzy Hash: 29318e66b1f83c07122e5a3737f4f80177979e5664ebee077f5931b5186cd54a
Instruction Fuzzy Hash: 21C14A75A14109AFCB15DFA4C894DAEBBF9FF48304B158499E81ADB261D730EE42CF90

Function 0032541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00325504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00325515
CharNextW.USER32(00000158), ref: 00325544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00325585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0032559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003255AC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a45e344c1242bc68d0079b07c14a214fbd25e7c5734aedc80200283ce33b2943
Instruction ID: a9aadf4736b3eb87e50dc190c9d15cbca036dbc97a93ce9815e64a651effefbe
Opcode Fuzzy Hash: a45e344c1242bc68d0079b07c14a214fbd25e7c5734aedc80200283ce33b2943
Instruction Fuzzy Hash: A761C130904628EFDF229F55EC849FEBBB9EF06721F148049F925A7290D7748B81DB60

Function 002EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 002EFB08
VariantInit.OLEAUT32(?), ref: 002EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002EFB3A
VariantCopy.OLEAUT32(?,?), ref: 002EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002EFBA1
VariantClear.OLEAUT32(?), ref: 002EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 002EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002EFBCC
VariantClear.OLEAUT32(?), ref: 002EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002EFBE9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f172d619e157c8633932b6e72aad173a5126fa68e7940eb3708563a6dd817dbe
Instruction ID: 38365c6d4dd5adb3bb66ef928fea4d54058c788ad480be83d08f129c7872c7eb
Opcode Fuzzy Hash: f172d619e157c8633932b6e72aad173a5126fa68e7940eb3708563a6dd817dbe
Instruction Fuzzy Hash: FB418035A20219DFCF11EF65DC549EEBBB9FF08344F508069E806A7261DB30A956CFA0

Function 002F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 002F9D22
GetKeyState.USER32(000000A0), ref: 002F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 002F9D57
GetKeyState.USER32(000000A1), ref: 002F9D6C
GetAsyncKeyState.USER32(00000011), ref: 002F9D84
GetKeyState.USER32(00000011), ref: 002F9D96
GetAsyncKeyState.USER32(00000012), ref: 002F9DAE
GetKeyState.USER32(00000012), ref: 002F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 002F9DD8
GetKeyState.USER32(0000005B), ref: 002F9DEA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6724dd48c952c76fa327e29c7a5875ee1b74d212fa872973b31d9510baa56ed7
Instruction ID: 6f3b41e77709a13ede64feb390ce33ebc3730afa9faee0db2802f29b53a073e7
Opcode Fuzzy Hash: 6724dd48c952c76fa327e29c7a5875ee1b74d212fa872973b31d9510baa56ed7
Instruction Fuzzy Hash: C841E7305247CF69FF319E6488043B5FEA06B16384F14807FCBC6565C2D7A499E8C7A2

Function 0031055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003105BC
inet_addr.WSOCK32(?), ref: 0031061C
gethostbyname.WSOCK32(?), ref: 00310628
IcmpCreateFile.IPHLPAPI ref: 00310636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003107B9
WSACleanup.WSOCK32 ref: 003107BF

Strings

Ping, xrefs: 00310676

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0e46543730c85904e157e72d9d812d8d2c7409dcb8fb8bc25882ff371b1d47c8
Instruction ID: d7baf073198ce81da555c7def1d0969091034b69efe3b36ef7396d65d61aa327
Opcode Fuzzy Hash: 0e46543730c85904e157e72d9d812d8d2c7409dcb8fb8bc25882ff371b1d47c8
Instruction Fuzzy Hash: 9F919E356082019FD72ADF15C489F5ABBE4EF48318F1585A9F4698B6A2C770ECC1CF81

Function 00318CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00318CF3

Part of subcall function 002F8E54: _wcslen.LIBCMT ref: 002F8E77

_wcslen.LIBCMT ref: 00318D4E
_wcslen.LIBCMT ref: 00318D9C
_wcslen.LIBCMT ref: 00318DDC
_wcslen.LIBCMT ref: 00318E6E

Strings

cdecl, xrefs: 00318D48, 00318D4D
winapi, xrefs: 00318D96, 00318D9B
stdcall, xrefs: 00318DD6, 00318DDB
none, xrefs: 00318E65, 00318E6A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a6362487994ca54a1c8f7af7c97a7d05f01016b324b029d2868f2651f40d96d6
Instruction ID: c30565807fa7f704fd9c102ceac2860e2b2ea25a128c7b0c7faaa6f9187e7476
Opcode Fuzzy Hash: a6362487994ca54a1c8f7af7c97a7d05f01016b324b029d2868f2651f40d96d6
Instruction Fuzzy Hash: DA51B431A001169BCF19DF6CC9508FEB7A5BF69364B214229E826E72C4DB30DD80CBA4

Function 0031372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00313774
CoUninitialize.OLE32 ref: 0031377F
CoCreateInstance.OLE32(?,00000000,00000017,0032FB78,?), ref: 003137D9
IIDFromString.OLE32(?,?), ref: 0031384C
VariantInit.OLEAUT32(?), ref: 003138E4
VariantClear.OLEAUT32(?), ref: 00313936

Strings

NULL Pointer assignment, xrefs: 0031381E
Invalid parameter, xrefs: 00313865
Failed to create object, xrefs: 003137E4, 0031389A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 4b94ff1b36bbbb09a70d0d6fd2131bf73d6f08305d222f15d8acc12105b3280e
Instruction ID: 06a3a2b5d7354ea0696712121041c005eb817ba59b43c468ea9dc1ad22ba3d5f
Opcode Fuzzy Hash: 4b94ff1b36bbbb09a70d0d6fd2131bf73d6f08305d222f15d8acc12105b3280e
Instruction Fuzzy Hash: 6361C071608301AFD716DF54C888FAABBE8EF49710F10481DF9859B291C770EE88CB92

Function 00328B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

Part of subcall function 002A912D: GetCursorPos.USER32(?), ref: 002A9141
Part of subcall function 002A912D: ScreenToClient.USER32(00000000,?), ref: 002A915E
Part of subcall function 002A912D: GetAsyncKeyState.USER32(00000001), ref: 002A9183
Part of subcall function 002A912D: GetAsyncKeyState.USER32(00000002), ref: 002A919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00328B6B
ImageList_EndDrag.COMCTL32 ref: 00328B71
ReleaseCapture.USER32 ref: 00328B77
SetWindowTextW.USER32(?,00000000), ref: 00328C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00328C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00328CFF

Strings

@GUI_DROPID, xrefs: 00328C51
@GUI_DRAGFILE, xrefs: 00328C9A
p#6, xrefs: 00328C71

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#6
API String ID: 1924731296-3007166900
Opcode ID: 53c49f906684c5fc84d4b31a17835b9c15178f335809e7c9e3f2ebc3535a0cdc
Instruction ID: 375b1ef58c5a9d3535a8d2326af48ca1a06eb110e09652f9f0344594f58a5d64
Opcode Fuzzy Hash: 53c49f906684c5fc84d4b31a17835b9c15178f335809e7c9e3f2ebc3535a0cdc
Instruction Fuzzy Hash: EC519A70115310AFEB12DF24DC56FAAB7E8FB88710F00062DF956972A1CB709954CBA2

Function 00303388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003033CF

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003033F0

Strings

Error: , xrefs: 003034D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00303504
^ ERROR , xrefs: 0030349E
Incorrect parameters to object property !, xrefs: 003034AB
"%s" (%d) : ==> %s:, xrefs: 00303522
Line %d (File "%s"):, xrefs: 00303443, 0030345C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 77dc2838a7c7fd41bd611e6eb158e551a6c6b8ed656d6992539b97e7671fba3e
Instruction ID: 103bd105a7214fc847bd9a935a0862e2b30fb1c366e7335e460b527bb9658c80
Opcode Fuzzy Hash: 77dc2838a7c7fd41bd611e6eb158e551a6c6b8ed656d6992539b97e7671fba3e
Instruction Fuzzy Hash: 7451B271810209AADF16EBE4CD56EEEB37CAF14340F144165F505721A2EB712FA8DF60

Function 002FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002FB5FC
_wcslen.LIBCMT ref: 002FB608
_wcslen.LIBCMT ref: 002FB64D
_wcslen.LIBCMT ref: 002FB68C
_wcslen.LIBCMT ref: 002FB6C7

Strings

EXISTS, xrefs: 002FB686, 002FB68B
KEYS, xrefs: 002FB647, 002FB64C
APPEND, xrefs: 002FB6C1, 002FB6C6
REMOVE, xrefs: 002FB602, 002FB607

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ac779a4d6919f974c60250f96c6999823b7fe8f2dc22825218a32b10431179a5
Instruction ID: 49e3d22457c2104f32116fd4f6dfbf631f8fab4ffc6ef38af347db69a627f28b
Opcode Fuzzy Hash: ac779a4d6919f974c60250f96c6999823b7fe8f2dc22825218a32b10431179a5
Instruction Fuzzy Hash: 7241C732A2012B9ACB116F7DCC915BEF7A9AF647D4B244139E621D7284F731CD91C790

Function 00305393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00305416
GetLastError.KERNEL32 ref: 00305420
SetErrorMode.KERNEL32(00000000,READY), ref: 003054A7

Strings

NOTREADY, xrefs: 0030544B
READONLY, xrefs: 00305452
INVALID, xrefs: 00305459
READY, xrefs: 00305460, 00305468
UNKNOWN, xrefs: 00305444

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: aca67840b6d0dfed2000bcca5b944f13d46dba395ffc5da77801419579c58a06
Instruction ID: 7d212ff7db8d7e3eaa9ba5614a62661eb900495f4d1618724dd14b600186fa6f
Opcode Fuzzy Hash: aca67840b6d0dfed2000bcca5b944f13d46dba395ffc5da77801419579c58a06
Instruction Fuzzy Hash: 3131B235A016059FCB12DF69C495EEABBB8FF04305F558069E805CB2A2DB70DD86CF91

Function 00323C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00323C79
SetMenu.USER32(?,00000000), ref: 00323C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00323D10
IsMenu.USER32(?), ref: 00323D24
CreatePopupMenu.USER32 ref: 00323D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00323D5B
DrawMenuBar.USER32 ref: 00323D63

Strings

F, xrefs: 00323D4E
0, xrefs: 00323C54

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6b6592b084dd2fc2b95ae52125729a3a1206db1f90b3b395b7ed037ca7f1f3ee
Instruction ID: df28d8fb5a2397176e661a989cfaee215ba880cb30b2a85f8508e6bbe717d194
Opcode Fuzzy Hash: 6b6592b084dd2fc2b95ae52125729a3a1206db1f90b3b395b7ed037ca7f1f3ee
Instruction Fuzzy Hash: 9A418974A01219EFDB25CF64E844AAA7BB9FF49340F14002CF946A7360D774EA10CF94

Function 00323A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00323A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00323AA0
GetWindowLongW.USER32(?,000000F0), ref: 00323AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00323AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00323B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00323BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00323BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00323BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00323BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00323C13

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1446a0c233bcba68facb6333cbabb96a3c4dc563c1b4187020705a2c5b202510
Instruction ID: 034c3b7cf32411f0a860de2f2db6f9dc317fb189a6c4178ce542fb077716f058
Opcode Fuzzy Hash: 1446a0c233bcba68facb6333cbabb96a3c4dc563c1b4187020705a2c5b202510
Instruction Fuzzy Hash: 14616975900218AFDB12DFA8DC81EEEB7F8EB09700F144199FA15AB2A1C774AE45DF50

Function 002FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB165
GetWindowThreadProcessId.USER32(00000000), ref: 002FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 002FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002FA1E1,?,00000001), ref: 002FB21D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7b96a9888fcf7a9f365494850437df28357828121ae13ed2bb0a3b701af310ef
Instruction ID: d690d99fe1040d9802cacb9a92b79efce4521b659fda21ffd30a7da75a2a019f
Opcode Fuzzy Hash: 7b96a9888fcf7a9f365494850437df28357828121ae13ed2bb0a3b701af310ef
Instruction Fuzzy Hash: 5331CE71520209BFEB239F24DC48BBEBBADFB51391F148028FA06D6190D7B49A158F60

Function 002C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002C2C94

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002C2CA0
_free.LIBCMT ref: 002C2CAB
_free.LIBCMT ref: 002C2CB6
_free.LIBCMT ref: 002C2CC1
_free.LIBCMT ref: 002C2CCC
_free.LIBCMT ref: 002C2CD7
_free.LIBCMT ref: 002C2CE2
_free.LIBCMT ref: 002C2CED
_free.LIBCMT ref: 002C2CFB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac78bea23ecee6d7ddc2c65aec6967a8d2397208baad799f3a30832e283d941e
Instruction ID: 8a83e8b13b719f9f5380b5219aefa2d2fda8bb438c5bf74cad9c1056319762be
Opcode Fuzzy Hash: ac78bea23ecee6d7ddc2c65aec6967a8d2397208baad799f3a30832e283d941e
Instruction Fuzzy Hash: 8411A776120508EFCB02EF54D882EDD3BA5FF05350F5156A9F9485F222DA31EE649F90

Function 00307DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00307FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00307FC1
GetFileAttributesW.KERNEL32(?), ref: 00307FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00308005
SetCurrentDirectoryW.KERNEL32(?), ref: 00308017
SetCurrentDirectoryW.KERNEL32(?), ref: 00308060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003080B0

Strings

*.*, xrefs: 00308066

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 264703040ef5cdf2a9deadf15afccba4bc25e9a35ad690f42c16843868863f7d
Instruction ID: 8e745369a3d9ed94b01e9cf068f3596e0c405217619658192b1886cb1dd775b3
Opcode Fuzzy Hash: 264703040ef5cdf2a9deadf15afccba4bc25e9a35ad690f42c16843868863f7d
Instruction Fuzzy Hash: 2B81C57291A3059BCB21EF14C464AAEB3E8BF88350F554C6EF885C7290EB35ED45CB52

Function 00295BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00295C7A

Part of subcall function 00295D0A: GetClientRect.USER32(?,?), ref: 00295D30
Part of subcall function 00295D0A: GetWindowRect.USER32(?,?), ref: 00295D71
Part of subcall function 00295D0A: ScreenToClient.USER32(?,?), ref: 00295D99

GetDC.USER32 ref: 002D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002D4708
SelectObject.GDI32(00000000,00000000), ref: 002D4716
SelectObject.GDI32(00000000,00000000), ref: 002D472B
ReleaseDC.USER32(?,00000000), ref: 002D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002D47C4

Strings

U, xrefs: 002D4693

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3163570e1b0bda3c391aaac2f6df208dc84903ec6e323f43deff3a739f2ce268
Instruction ID: a9dfd301333249737ba9866cf59a6f4481a8680db2c3d5cb5cf28bfb4cdcaab7
Opcode Fuzzy Hash: 3163570e1b0bda3c391aaac2f6df208dc84903ec6e323f43deff3a739f2ce268
Instruction Fuzzy Hash: 4471F430520206DFDF229F64C984ABA7BB5FF4A350F18426BED565A2A6C330CC61DF50

Function 0030359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003035E4

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

LoadStringW.USER32(00362390,?,00000FFF,?), ref: 0030360A

Strings

Error: , xrefs: 003036EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00303724
"%s" (%d) : ==> %s:, xrefs: 00303742
Line %d (File "%s"):, xrefs: 0030366B
^ ERROR, xrefs: 003036C9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 11f7b46e1f0ce8d0ad9782825cfb7eb38b58dec6f276d9f0305382b20632feb4
Instruction ID: a826f31dbc101a8f251c1a1b6199d86eb60d9e8d08ed490b3cbe93e40e916b35
Opcode Fuzzy Hash: 11f7b46e1f0ce8d0ad9782825cfb7eb38b58dec6f276d9f0305382b20632feb4
Instruction Fuzzy Hash: 8751AD72810209BBDF16EBA0CC52EEEBB78EF14750F144169F505721A1EB711AE9DFA0

Function 0030C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0030C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0030C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0030C2CA
GetLastError.KERNEL32 ref: 0030C322
SetEvent.KERNEL32(?), ref: 0030C336
InternetCloseHandle.WININET(00000000), ref: 0030C341

Strings

, xrefs: 0030C2BB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 145e4ce4e7371ac2c4597e118233678cde74d661e5f7754d0b0fce7cfbc4d490
Instruction ID: dad6076fa770d3be228e4916b890b6f06a6bd3e0147f2b82fe5e790a779f0f8d
Opcode Fuzzy Hash: 145e4ce4e7371ac2c4597e118233678cde74d661e5f7754d0b0fce7cfbc4d490
Instruction Fuzzy Hash: 0231B1B5521304AFDB229F648CA8AAF7BFCEB09740F14A61DF44692680DB34DD059B60

Function 002F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002D3AAF,?,?,Bad directive syntax error,0032CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002F98BC
LoadStringW.USER32(00000000,?,002D3AAF,?), ref: 002F98C3

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002F9987

Strings

Line %d:, xrefs: 002F9912
%s (%d) : ==> %s.: %s %s, xrefs: 002F98F1
., xrefs: 002F996D
Line %d (File "%s"):, xrefs: 002F992D
Error: , xrefs: 002F9955

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e9486468c2e557e235c9d5040ffb5a5755a278ef456c5c76ed60912df3ad9098
Instruction ID: 909d9a5e507ad8215ab5a1b5d6201ac491ca7d809d8f3b8b6e9046848876d7cc
Opcode Fuzzy Hash: e9486468c2e557e235c9d5040ffb5a5755a278ef456c5c76ed60912df3ad9098
Instruction Fuzzy Hash: 0A21713186021EABCF12EF90CC06EFD7739BF18705F04446AF515620A1DB7196A8CF50

Function 002F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002F214D

Strings

details, xrefs: 002F20FB
smallicons, xrefs: 002F2115
list, xrefs: 002F212F
largeicons, xrefs: 002F20E1
SHELLDLL_DefView, xrefs: 002F20CC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 926d3ddba999cdb7afda0ecd7b327b7ece81767447e114e4c1ba18b3f76e4289
Instruction ID: 34d023021174b606582c7b6f0d947f26986b1ebcbb10a3d624d082a4f8d98f1a
Opcode Fuzzy Hash: 926d3ddba999cdb7afda0ecd7b327b7ece81767447e114e4c1ba18b3f76e4289
Instruction Fuzzy Hash: 86112E761B470BF5FA122620DC1BDF7B35CDB06395F200125FF08A40E3EAA1A82D5918

Function 002CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 002CCEB7
_free.LIBCMT ref: 002CCF22
_free.LIBCMT ref: 002CCF48
_free.LIBCMT ref: 002CCF71
_free.LIBCMT ref: 002CCFA9
_free.LIBCMT ref: 002CCFDA
_free.LIBCMT ref: 002CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 002CD09C
_free.LIBCMT ref: 002CD0B5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1bb7b54edb175fd33ab8d5392c1fb27390f423091166b2c7b37ec88946388ff9
Instruction ID: 36085c091388ca973f4b80d62e3a0912b1a561754b8b46dfd02da1413ba1311b
Opcode Fuzzy Hash: 1bb7b54edb175fd33ab8d5392c1fb27390f423091166b2c7b37ec88946388ff9
Instruction Fuzzy Hash: 85616A71924302AFDB25AFB49C82F6E7BA9EF01310F24436EF948D7251DA719D218B90

Function 002A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002A8874,00000000,00000000,00000000,000000FF,00000000), ref: 002E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002A8874,00000000,00000000,00000000,000000FF,00000000), ref: 002E692D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 98888398ffeef00cb85e54c56a4f92d016a935c18d4f9b2977a2eb30a31915e1
Instruction ID: b0e7d60c6ced3af26651789178ab02953b4c33dc1938863eecb9b1fed5e2fb59
Opcode Fuzzy Hash: 98888398ffeef00cb85e54c56a4f92d016a935c18d4f9b2977a2eb30a31915e1
Instruction Fuzzy Hash: 2551AC70620206EFDB21CF25CC55BAA7BB9FF59354F144518F916D72A0DBB0E9A0CB60

Function 0030C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0030C182
GetLastError.KERNEL32 ref: 0030C195
SetEvent.KERNEL32(?), ref: 0030C1A9

Part of subcall function 0030C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0030C272
Part of subcall function 0030C253: GetLastError.KERNEL32 ref: 0030C322
Part of subcall function 0030C253: SetEvent.KERNEL32(?), ref: 0030C336
Part of subcall function 0030C253: InternetCloseHandle.WININET(00000000), ref: 0030C341

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 019e9af66499be4426cbcbf87bf800f138aa45031599786d0ea4a9f4ca0a4e65
Instruction ID: eaf79909ebd0013cc76053b9d00a2230f6827752f12a00d0af46a33c85e224d4
Opcode Fuzzy Hash: 019e9af66499be4426cbcbf87bf800f138aa45031599786d0ea4a9f4ca0a4e65
Instruction Fuzzy Hash: F731A071522705EFDB229FA5DD14A6ABBFCFF18300F046A1DF95686A50C730E811DBA0

Function 002F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002F3A57
Part of subcall function 002F3A3D: GetCurrentThreadId.KERNEL32 ref: 002F3A5E
Part of subcall function 002F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002F25B3), ref: 002F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 002F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 002F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 002F2627

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d772fae9161bfae41caa5b189c13c6bb2860f0dcaf700933bbc0fd26d6cedf6b
Instruction ID: e2ef794c7904bd36dd8005287953eb4142b1bf42d117a0a3deaf0bc1931c8107
Opcode Fuzzy Hash: d772fae9161bfae41caa5b189c13c6bb2860f0dcaf700933bbc0fd26d6cedf6b
Instruction Fuzzy Hash: E401D4307A0614BBFB2067699C8AF69BF5DDF4EB52F101015F328AE0D1C9F224598A69

Function 002F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,002F1449,?,?,00000000), ref: 002F180C
HeapAlloc.KERNEL32(00000000,?,002F1449,?,?,00000000), ref: 002F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002F1449,?,?,00000000), ref: 002F1828
GetCurrentProcess.KERNEL32(?,00000000,?,002F1449,?,?,00000000), ref: 002F1830
DuplicateHandle.KERNEL32(00000000,?,002F1449,?,?,00000000), ref: 002F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002F1449,?,?,00000000), ref: 002F1843
GetCurrentProcess.KERNEL32(002F1449,00000000,?,002F1449,?,?,00000000), ref: 002F184B
DuplicateHandle.KERNEL32(00000000,?,002F1449,?,?,00000000), ref: 002F184E
CreateThread.KERNEL32(00000000,00000000,002F1874,00000000,00000000,00000000), ref: 002F1868

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f6676757b9e88e5bd7c2bb907683024bdb5a5663096f61b615d03072ba81074b
Instruction ID: 6eda53d37c7fcea5b840c83871ae9aa505be75931ee2b2188a2f84b9e15aedf0
Opcode Fuzzy Hash: f6676757b9e88e5bd7c2bb907683024bdb5a5663096f61b615d03072ba81074b
Instruction Fuzzy Hash: D701FBB5250308BFE721ABA5DC4EF6B3BACEB89B00F104414FA04DB1A1CA70A811CB60

Function 002C3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002C3F0B
__alldvrm.LIBCMT ref: 002C410C
__alldvrm.LIBCMT ref: 002C412E

Strings

}}+, xrefs: 002C3E96, 002C3EF1, 002C3F0A, 002C4090
}}+, xrefs: 002C40CD
}}+, xrefs: 002C3E8A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}+$}}+$}}+
API String ID: 1036877536-3914882194
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f9b584daed813a3c5cf4bbc098e0f4f65f5d9d70713654fc8dbfa02e82e8f473
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 16A16731D303869FEB25DE18C8A1FAFBBE5EF21350F18466EE5859B281C2748D61CB50

Function 0031A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 002FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 002FD501
Part of subcall function 002FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 002FD50F
Part of subcall function 002FD4DC: CloseHandle.KERNELBASE(00000000), ref: 002FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0031A16D
GetLastError.KERNEL32 ref: 0031A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0031A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0031A268
GetLastError.KERNEL32(00000000), ref: 0031A273
CloseHandle.KERNEL32(00000000), ref: 0031A2C4

Strings

SeDebugPrivilege, xrefs: 0031A18F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 98a01a353d79a9fb8d9070a79398c034a2629d63c4d19e757b09b60bd06cbe15
Instruction ID: d43bda9fbcad3c4e0a89d25bbdde87df94b2cb895de05de625f9a3729f1df23e
Opcode Fuzzy Hash: 98a01a353d79a9fb8d9070a79398c034a2629d63c4d19e757b09b60bd06cbe15
Instruction Fuzzy Hash: F161F330215601AFD725DF14C484F69BBE5AF48318F55849CE4568BBA3C772EC86CF82

Function 00323886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00323925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0032393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00323954
_wcslen.LIBCMT ref: 00323999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003239F4

Strings

SysListView32, xrefs: 003238F7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 9beb422b7d751f264a4dc61583300909d33fc6400002690727814bebd59ae02b
Instruction ID: 646268f6eda176a0145d15e0849586863405c2eebf3770c72b6e2383e988bf46
Opcode Fuzzy Hash: 9beb422b7d751f264a4dc61583300909d33fc6400002690727814bebd59ae02b
Instruction Fuzzy Hash: F241E431A00228ABEF229F64DC45FEE7BA9FF08350F110526F958E7281D3759D94CB90

Function 002FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002FBCFD
IsMenu.USER32(00000000), ref: 002FBD1D
CreatePopupMenu.USER32 ref: 002FBD53
GetMenuItemCount.USER32(01765740), ref: 002FBDA4
InsertMenuItemW.USER32(01765740,?,00000001,00000030), ref: 002FBDCC

Strings

0, xrefs: 002FBCA8
2, xrefs: 002FBD37

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 696851395c85e185d65a420800a38f0835790fb03835e561402e3571c859dcda
Instruction ID: 16f1f70590f89d5c96e7c085bf882b67f145e29ce1726026d64a80ffa8846007
Opcode Fuzzy Hash: 696851395c85e185d65a420800a38f0835790fb03835e561402e3571c859dcda
Instruction Fuzzy Hash: 3A51B37062020E9BDF22DFA8C888BBEFBF8AF45394F244179E601D7290D7709955CB52

Function 002B2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002B2D53
_ValidateLocalCookies.LIBCMT ref: 002B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002B2E0C
_ValidateLocalCookies.LIBCMT ref: 002B2E61

Strings

csm, xrefs: 002B2DF6
&H+, xrefs: 002B2DFE, 002B2E07, 002B2E18

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H+$csm
API String ID: 1170836740-3590388639
Opcode ID: 1909a4fbb5a7502bda4cd33ce0972a63eacb8c6cecc63b892b59642df1d48339
Instruction ID: 9f7fcb947df303ea4b4694437203dd2243eb260f67da443181aaf876a22905b8
Opcode Fuzzy Hash: 1909a4fbb5a7502bda4cd33ce0972a63eacb8c6cecc63b892b59642df1d48339
Instruction Fuzzy Hash: 92418334A2030AEBCF10DF68C845ADEBBA5FF45394F148155E814AB392D771EA29CF91

Function 002FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002FC913

Strings

blank, xrefs: 002FC895
stop, xrefs: 002FC8E4
warning, xrefs: 002FC8FC
question, xrefs: 002FC8CC
info, xrefs: 002FC8B4

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f3b32ddd4802fb228af0620bc7b61ea71435d075c68c1267ecfd7dfbe818e5e3
Instruction ID: fe955529e96da0c491b1944a84d933691d0774b04ee57ccbcc05fc4abb01c910
Opcode Fuzzy Hash: f3b32ddd4802fb228af0620bc7b61ea71435d075c68c1267ecfd7dfbe818e5e3
Instruction Fuzzy Hash: 15110B316B930FBAE7026B54DD83CFAA79CDF153D5B70003AFA00A7292D7E19E145664

Function 002FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002FDE42
gethostname.WSOCK32(?,00000100), ref: 002FDE5C
gethostbyname.WSOCK32(?), ref: 002FDE69
inet_ntoa.WSOCK32(?), ref: 002FDEAB
_strcat.LIBCMT ref: 002FDEB9
WSACleanup.WSOCK32 ref: 002FDEDE

Strings

0.0.0.0, xrefs: 002FDE87

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 23120e74be940c2b0fb7e8eb690b5c46cc1157a965b17c2e666a8a7effb8abdd
Instruction ID: c28f79b32002375477fffcf3a5f326828cda75c044bf855f2cd420ca6b827912
Opcode Fuzzy Hash: 23120e74be940c2b0fb7e8eb690b5c46cc1157a965b17c2e666a8a7effb8abdd
Instruction Fuzzy Hash: A6113631824119AFCB31BF34DC4AEEEB7ACDF10790F010179F6459A091EFB09A918E60

Function 002FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002FED2A
_wcslen.LIBCMT ref: 002FED3B
_wcslen.LIBCMT ref: 002FED79
_wcslen.LIBCMT ref: 002FEDAF
_wcslen.LIBCMT ref: 002FEDDF
_wcslen.LIBCMT ref: 002FEDEF
_wcslen.LIBCMT ref: 002FEE2B
_wcslen.LIBCMT ref: 002FEE5A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a3691a9455e8a1cdf411d981faa6f9ff2c6d472d8539e4d48a46d6d3023c9cc7
Instruction ID: f105b9c7950889173063da0bd98440fc80116a191d89864e6dbbebfa80b91172
Opcode Fuzzy Hash: a3691a9455e8a1cdf411d981faa6f9ff2c6d472d8539e4d48a46d6d3023c9cc7
Instruction Fuzzy Hash: 6441B565C2025876DB11FBF48C8AADFB7ACAF45390F508462EA14E3122FB34D265C7A5

Function 002AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002E682C,00000004,00000000,00000000), ref: 002AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002E682C,00000004,00000000,00000000), ref: 002EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002E682C,00000004,00000000,00000000), ref: 002EF454

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 739b2f1d32f6dd8889640f0d3196692b9c6efe5066eaf5c3103fb6654975ab0a
Instruction ID: a55bd26b1530646296cd9267c66409f0846f052c89a9cd6467a6a3070de263b3
Opcode Fuzzy Hash: 739b2f1d32f6dd8889640f0d3196692b9c6efe5066eaf5c3103fb6654975ab0a
Instruction Fuzzy Hash: C14118312346C2BBC7F58F6A8B8876B7B95AB47314F54443CE04752560DE79A8A0CB51

Function 00322D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00322D1B
GetDC.USER32(00000000), ref: 00322D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00322D2E
ReleaseDC.USER32(00000000,00000000), ref: 00322D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00322D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00322D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00325A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00322DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00322DE1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9b470c3da84cb8f38aadd188da9614e5186a2a469dd94656cdcb666d515846a9
Instruction ID: 825c87954dc737a669b97e3477e43c0ef2baa7e2c1a58b56f88cfe1272a10911
Opcode Fuzzy Hash: 9b470c3da84cb8f38aadd188da9614e5186a2a469dd94656cdcb666d515846a9
Instruction Fuzzy Hash: B2318072211224BFEB224F54DC8AFEB3FADEF09715F044055FE089A291C6759C51C7A4

Function 002F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002F5637
_memcmp.LIBVCRUNTIME ref: 002F5659
_memcmp.LIBVCRUNTIME ref: 002F5671
_memcmp.LIBVCRUNTIME ref: 002F5684
_memcmp.LIBVCRUNTIME ref: 002F569E
_memcmp.LIBVCRUNTIME ref: 002F56B1
_memcmp.LIBVCRUNTIME ref: 002F56C9
_memcmp.LIBVCRUNTIME ref: 002F56E4

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ee0b8e34df1c5493416dd70b9ee47561a7b682e086a044d1cf71f03ea63af485
Instruction ID: 0ec3f5b089592ce58f74fca0acbbc033a5da887835ba58017a1cabce7f4c8c65
Opcode Fuzzy Hash: ee0b8e34df1c5493416dd70b9ee47561a7b682e086a044d1cf71f03ea63af485
Instruction Fuzzy Hash: 2E21C87167493E7B961959109E92FFAA39CAE103C4F840030FF15DA645F760ED3085A5

Function 00314FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0031502E, 00315383
Not an Object type, xrefs: 00315007

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 44fe7fa48e06751a0e8167b027cf4adebab0ed901309cad87281e1bed4f6bc03
Instruction ID: a5f59a422534df5343cf2f3fbcdd7d7129594bf6be55e6fde2f89766b5839a66
Opcode Fuzzy Hash: 44fe7fa48e06751a0e8167b027cf4adebab0ed901309cad87281e1bed4f6bc03
Instruction Fuzzy Hash: E5D19E75A0060AEFDF1ACF98C880BEEB7B5BF8C344F158469E915AB280D770D985CB50

Function 002D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002D17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002D15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002D1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002D17FB,?,002D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002D16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002D16FB

Part of subcall function 002C3820: RtlAllocateHeap.NTDLL(00000000,?,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6,?,00291129), ref: 002C3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002D1777
__freea.LIBCMT ref: 002D17A2
__freea.LIBCMT ref: 002D17AE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 33656726a12dbe5dee8a7689c96f15b184485d97ba2c8fbf6388976e2b000b6a
Instruction ID: d199321df2dadea96553a85bb9c009edb2482aaff7e6cc2283fd570932c28ca0
Opcode Fuzzy Hash: 33656726a12dbe5dee8a7689c96f15b184485d97ba2c8fbf6388976e2b000b6a
Instruction Fuzzy Hash: B691D871E30206BADB208E64DC41AEEBBB9AF45310F54465AE805E7791D739DC70CBA0

Function 00314523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00314648
VariantInit.OLEAUT32(?), ref: 00314749
VariantClear.OLEAUT32(?), ref: 00314753
VariantClear.OLEAUT32(?), ref: 003147B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003145D8, 00314706, 003147BE
Incorrect Object type in FOR..IN loop, xrefs: 0031472C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 860e0206417fca00a7ff634d39e2e072a2920a4bdbeb78756fbd67699f1bfedd
Instruction ID: 9a1e43d4c1e3fea6f27326945b28809e05db4e2e4992cfe1f584274d2c301958
Opcode Fuzzy Hash: 860e0206417fca00a7ff634d39e2e072a2920a4bdbeb78756fbd67699f1bfedd
Instruction Fuzzy Hash: 9491AF71A00215ABDF2ACFA4DC44FEEBBB8EF4A714F108559F515AB280D7709985CFA0

Function 00301187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0030125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00301284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0030135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00301430

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b1b1727038bf6d5c1bfdd1edaafaf982b5104ba6e9d42b1f3ba9e17cb93d7be9
Instruction ID: bb0d3b93dd81e441a0f3c95930c4f938b2e6ea9521bb8b16f6cfac78ee30db0a
Opcode Fuzzy Hash: b1b1727038bf6d5c1bfdd1edaafaf982b5104ba6e9d42b1f3ba9e17cb93d7be9
Instruction Fuzzy Hash: 7891F275A012089FEB12DF99C8A4BBEB7B9FF45314F114429E900EB2E1D774E941CB90

Function 002A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6694972c1e295db094caf6c9d418338a5e2c1994d4bf5456005204c5a5df6974
Instruction ID: 27c77f4831cca6b7e2ee9f2c8c366ebdf7d94c125e9d118de99ad88f1ebde766
Opcode Fuzzy Hash: 6694972c1e295db094caf6c9d418338a5e2c1994d4bf5456005204c5a5df6974
Instruction Fuzzy Hash: 6F915871D5020AEFCB11CFAACC85AEEBBB8FF49320F548049E515B7251D774A992CB60

Function 00313947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0031396B
CharUpperBuffW.USER32(?,?), ref: 00313A7A
_wcslen.LIBCMT ref: 00313A8A
VariantClear.OLEAUT32(?), ref: 00313C1F

Part of subcall function 00300CDF: VariantInit.OLEAUT32(00000000), ref: 00300D1F
Part of subcall function 00300CDF: VariantCopy.OLEAUT32(?,?), ref: 00300D28
Part of subcall function 00300CDF: VariantClear.OLEAUT32(?), ref: 00300D34

Strings

AUTOIT.ERROR, xrefs: 00313A80, 00313A85
Incorrect Parameter format, xrefs: 003139A6, 00313BA1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ae060af1f4bd74faad49e37de354c174418940f7145877de78a0ff260e9d1e91
Instruction ID: 62bc1c71e0f8298cec5a8d9a045856497517a23cae873fb43a7fa7120e0e9c89
Opcode Fuzzy Hash: ae060af1f4bd74faad49e37de354c174418940f7145877de78a0ff260e9d1e91
Instruction Fuzzy Hash: 269136756183059FCB05DF28C4809AAB7E4BF89314F14896DF89A9B351DB30EE85CF92

Function 00314BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 002F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?,?,002F035E), ref: 002F002B
Part of subcall function 002F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?), ref: 002F0046
Part of subcall function 002F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?), ref: 002F0054
Part of subcall function 002F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?), ref: 002F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00314C51
_wcslen.LIBCMT ref: 00314D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00314DCF
CoTaskMemFree.OLE32(?), ref: 00314DDA

Strings

NULL Pointer assignment, xrefs: 00314E23, 00314E52

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d9b19fded72b48afa1484347950ffdb81b6092206564edb12ab98749fa728c52
Instruction ID: 842fc328f4c37bd35d84ae5c463697973a9c6a90669cbd5dcf6b57802f81f387
Opcode Fuzzy Hash: d9b19fded72b48afa1484347950ffdb81b6092206564edb12ab98749fa728c52
Instruction Fuzzy Hash: 48913771D0021DAFDF15DFA4D891EEEB7B9BF08314F10816AE915A7251EB309A94CFA0

Function 003220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00322183
GetMenuItemCount.USER32(00000000), ref: 003221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003221DD
_wcslen.LIBCMT ref: 00322213
GetMenuItemID.USER32(?,?), ref: 0032224D
GetSubMenu.USER32(?,?), ref: 0032225B

Part of subcall function 002F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002F3A57
Part of subcall function 002F3A3D: GetCurrentThreadId.KERNEL32 ref: 002F3A5E
Part of subcall function 002F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002F25B3), ref: 002F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003222E3

Part of subcall function 002FE97B: Sleep.KERNEL32 ref: 002FE9F3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 00fd8d5f7382683104767e27adb46f51bd143a68ec85b009ef890e1c5ddace3a
Instruction ID: 7551cf0ec7519a0164466845a976c68621380998cc9acb3943a175cdc61daf6a
Opcode Fuzzy Hash: 00fd8d5f7382683104767e27adb46f51bd143a68ec85b009ef890e1c5ddace3a
Instruction Fuzzy Hash: 3571AD35A10215EFCB12EFA5D881AAEB7F5EF48310F118859E816EB351DB35EE018F90

Function 00327E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01765808), ref: 00327F37
IsWindowEnabled.USER32(01765808), ref: 00327F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0032801E
SendMessageW.USER32(01765808,000000B0,?,?), ref: 00328051
IsDlgButtonChecked.USER32(?,?), ref: 00328089
GetWindowLongW.USER32(01765808,000000EC), ref: 003280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003280C3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: de90c2ad649d666cc8b6642946efa0ec1fe0dbe07a569d42d5531a1655989bdc
Instruction ID: 87e4983987acf104eb0ffaed0f08e6a9908b628aa709d3353648a2fc5121be9a
Opcode Fuzzy Hash: de90c2ad649d666cc8b6642946efa0ec1fe0dbe07a569d42d5531a1655989bdc
Instruction Fuzzy Hash: 7F71BE3460D224BFEB229F64ED84FAABBB9FF09300F154059E945972A1CB31A855CB60

Function 002FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002FAEF9
GetKeyboardState.USER32(?), ref: 002FAF0E
SetKeyboardState.USER32(?), ref: 002FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 002FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 002FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 002FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002FB020

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e732b9cb240f8782f3583a95d0f2ba6c89872c8972c67eede384d1078e99f3b1
Instruction ID: 23395203677c37e7a5edf1782c0f666adabe0b6d998da1015d3e6232cd4316aa
Opcode Fuzzy Hash: e732b9cb240f8782f3583a95d0f2ba6c89872c8972c67eede384d1078e99f3b1
Instruction Fuzzy Hash: 515115E09243DA3DFB334634CC45BBAFE996B06344F0885ADE2D9498C2C7D9A8E4D751

Function 002FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002FAD19
GetKeyboardState.USER32(?), ref: 002FAD2E
SetKeyboardState.USER32(?), ref: 002FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002FAE38

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 982750152fc6227313479eba5335fcb3065a761c34a1f350e6e054f1f4106ccb
Instruction ID: d124d337dc46a6865df5ff8f56f9272504a97dfa8dac7ddfed167e4ec7775cfe
Opcode Fuzzy Hash: 982750152fc6227313479eba5335fcb3065a761c34a1f350e6e054f1f4106ccb
Instruction Fuzzy Hash: C551F7E09247DA3DFB374734CC55B7AFE986B05380F0884A8E2D9468C2C394ECA8D752

Function 002C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(002D3CD6,?,?,?,?,?,?,?,?,002C5BA3,?,?,002D3CD6,?,?), ref: 002C5470
__fassign.LIBCMT ref: 002C54EB
__fassign.LIBCMT ref: 002C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,002D3CD6,00000005,00000000,00000000), ref: 002C552C
WriteFile.KERNEL32(?,002D3CD6,00000000,002C5BA3,00000000,?,?,?,?,?,?,?,?,?,002C5BA3,?), ref: 002C554B
WriteFile.KERNEL32(?,?,00000001,002C5BA3,00000000,?,?,?,?,?,?,?,?,?,002C5BA3,?), ref: 002C5584

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 971a220f18e11154a9ce39621304ba7adacf368685071a6cbd8b999a47d7edb5
Instruction ID: f802ed6813f572f21082421f683384faba72c36434ddb867f51cf77748522162
Opcode Fuzzy Hash: 971a220f18e11154a9ce39621304ba7adacf368685071a6cbd8b999a47d7edb5
Instruction Fuzzy Hash: 7151C170A10609AFDB21CFA8D841FEEBBF9EF08300F14461EE555E7291D670EA91CB60

Function 003110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0031304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0031307A
Part of subcall function 0031304E: _wcslen.LIBCMT ref: 0031309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00311112
WSAGetLastError.WSOCK32 ref: 00311121
WSAGetLastError.WSOCK32 ref: 003111C9
closesocket.WSOCK32(00000000), ref: 003111F9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4cec190635840fe5e8f36d55e879b451723f82380c669b9e2fc9180f6f76ac7a
Instruction ID: 5c51b7d1d9331d938fb2e541e2d8aa079d53ce9c9c8e851374b2e437aca3e9b2
Opcode Fuzzy Hash: 4cec190635840fe5e8f36d55e879b451723f82380c669b9e2fc9180f6f76ac7a
Instruction Fuzzy Hash: 4141D431610204AFDB269F14C885BEEB7E9EF49324F158069FE199B291D770ED81CBE1

Function 002FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002FCF22,?), ref: 002FDDFD

Part of subcall function 002FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002FCF22,?), ref: 002FDE16

lstrcmpiW.KERNEL32(?,?), ref: 002FCF45
MoveFileW.KERNEL32(?,?), ref: 002FCF7F
_wcslen.LIBCMT ref: 002FD005
_wcslen.LIBCMT ref: 002FD01B
SHFileOperationW.SHELL32(?), ref: 002FD061

Strings

\*.*, xrefs: 002FCFF3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7916e011c398378d47cbc6bf35b363770f34006582f93ada1464002734b7bc08
Instruction ID: 93272cbbee94256ad29f91afda66f2ef96fae2c36941eb772deaaac9502b8a26
Opcode Fuzzy Hash: 7916e011c398378d47cbc6bf35b363770f34006582f93ada1464002734b7bc08
Instruction Fuzzy Hash: 5B41387195521D5EDF12EFA4C981AEEF7B9AF083C0F1000F6E605E7151EA34AA55CF50

Function 00322DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00322E1C
GetWindowLongW.USER32(?,000000F0), ref: 00322E4F
GetWindowLongW.USER32(?,000000F0), ref: 00322E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00322EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00322EE0
GetWindowLongW.USER32(?,000000F0), ref: 00322EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00322F0B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 188bc4d6e895bd43ec41e1d6ba65f6ad2bc14142c10c80c3032bcbe18d84e65e
Instruction ID: 1c633cda2b8bdbde974bf4f17d8a2bfd40cfcc936b3e3c5a9db43412efa14608
Opcode Fuzzy Hash: 188bc4d6e895bd43ec41e1d6ba65f6ad2bc14142c10c80c3032bcbe18d84e65e
Instruction Fuzzy Hash: 96310630614160AFDB22CF58EC84F6A77E9FB5A710F1A5164F9508F2B1CBB1A841EF41

Function 002F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F778F
SysAllocString.OLEAUT32(00000000), ref: 002F7792
SysAllocString.OLEAUT32(?), ref: 002F77B0
SysFreeString.OLEAUT32(?), ref: 002F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002F77DE
SysAllocString.OLEAUT32(?), ref: 002F77EC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bcfb16bd73aa3ce965e4dc000b7fe71648ae8a8511ceb1244c86a068a2f9363e
Instruction ID: 02d907fab73563a1ea7c04b4e1fe75ae576c6d73df67ec3c935f45da1fd3104f
Opcode Fuzzy Hash: bcfb16bd73aa3ce965e4dc000b7fe71648ae8a8511ceb1244c86a068a2f9363e
Instruction Fuzzy Hash: 8721A37662421DAFDB11EFA9DC84CBBB3ACEB093A4B108039FA04DB150D670DC418BA0

Function 002F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F7868
SysAllocString.OLEAUT32(00000000), ref: 002F786B
SysAllocString.OLEAUT32 ref: 002F788C
SysFreeString.OLEAUT32 ref: 002F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 002F78AF
SysAllocString.OLEAUT32(?), ref: 002F78BD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dd43fe27d39e738c51b63ccd61946a1142ba9ac5f400a09418435a9e6dedc2ec
Instruction ID: d5ab9cc57be67f709e331f2245d0d35ab3c17dc2202f261d8796474127f8873b
Opcode Fuzzy Hash: dd43fe27d39e738c51b63ccd61946a1142ba9ac5f400a09418435a9e6dedc2ec
Instruction Fuzzy Hash: 1621A731614109AFDB11AFA8DC8CDBBB7ECEB097A0B108135FA15CB1A1D674DC51DB64

Function 003004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0030052E

Strings

nul, xrefs: 00300567

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ca5d8a22115998563e3af7187727e419da548b35772a174ca7fd45dc32890345
Instruction ID: c3047a22fc6157e1366890653e7448652336ff244fbda65c60431eda4560c9ac
Opcode Fuzzy Hash: ca5d8a22115998563e3af7187727e419da548b35772a174ca7fd45dc32890345
Instruction Fuzzy Hash: 4D219C75505305EFDF268F29DC15B9A7BB8AF46724F204A29F8A1E72E0D7709941CF20

Function 003005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00300601

Strings

nul, xrefs: 00300639

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bc3854222f1b85e81cd737549d0c3aaa3c6c0d849916dd42ae103b98f3f8663e
Instruction ID: 82d8e619b979a8902529a00843f577b85732731731abb27eb555c00ede1f112d
Opcode Fuzzy Hash: bc3854222f1b85e81cd737549d0c3aaa3c6c0d849916dd42ae103b98f3f8663e
Instruction Fuzzy Hash: 3421B0755013099BDB268F68DC14B9E77E9FF85730F200A19F8A1E72E0DBB19961CB20

Function 003240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0029600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0029604C
Part of subcall function 0029600E: GetStockObject.GDI32(00000011), ref: 00296060
Part of subcall function 0029600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0029606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00324112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0032411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0032412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00324139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00324145

Strings

Msctls_Progress32, xrefs: 003240E3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 294811abc290072d6ee2c1101f2a7c978da64e2fe200b559998bf36cc5a530d8
Instruction ID: 07aff34ff71cf15c228051bbe4f4d91e82cf4c745e0096629ee28f2e7947d6db
Opcode Fuzzy Hash: 294811abc290072d6ee2c1101f2a7c978da64e2fe200b559998bf36cc5a530d8
Instruction Fuzzy Hash: 711186B11502297EEF119F64DC85EE77F5DEF08798F014111FA18A6190C7729C61DBA4

Function 002CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002CD7A3: _free.LIBCMT ref: 002CD7CC

_free.LIBCMT ref: 002CD82D

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002CD838
_free.LIBCMT ref: 002CD843
_free.LIBCMT ref: 002CD897
_free.LIBCMT ref: 002CD8A2
_free.LIBCMT ref: 002CD8AD
_free.LIBCMT ref: 002CD8B8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e9a6c6b2981a6e22873a192672acc236c1f082b64ba062f932cf20d3f667cb09
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B91121715A1B04EAD521BFB0CC47FCBBBDCAF04700F405A3DB29DA6892DA75B5294E50

Function 002FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002FDA74
LoadStringW.USER32(00000000), ref: 002FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002FDA91
LoadStringW.USER32(00000000), ref: 002FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002FDAB9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 88c3330853c0a6708c0830da7cbd3aa51279d662126b123bf6c36eec78973aef
Instruction ID: aebd791138025229da00b1b3c537872a7a2a1bc21309d6551d77f5d8ffeacfdf
Opcode Fuzzy Hash: 88c3330853c0a6708c0830da7cbd3aa51279d662126b123bf6c36eec78973aef
Instruction Fuzzy Hash: 510162F65102087FE7129BA49D89EFB726CEB08741F4014A6B746E2041E6749E854F74

Function 0030096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0175E308,0175E308), ref: 0030097B
EnterCriticalSection.KERNEL32(0175E2E8,00000000), ref: 0030098D
TerminateThread.KERNEL32(?,000001F6), ref: 0030099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003009A9
CloseHandle.KERNEL32(?), ref: 003009B8
InterlockedExchange.KERNEL32(0175E308,000001F6), ref: 003009C8
LeaveCriticalSection.KERNEL32(0175E2E8), ref: 003009CF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 04b729a79cca42aece6cdd2e8eb847231593a066f9584c93192ace2946c5a634
Instruction ID: 176df4f36e0c394b0662c95e105a6170a9f2e036559d71247ecd0d14f7ca6bff
Opcode Fuzzy Hash: 04b729a79cca42aece6cdd2e8eb847231593a066f9584c93192ace2946c5a634
Instruction Fuzzy Hash: 8DF01D31452A02EBDB665B94EE89BDA7A39BF01702F502419F201508A0CB749466CF90

Function 00311C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00311DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00311DE1
WSAGetLastError.WSOCK32 ref: 00311DF2
htons.WSOCK32(?,?,?,?,?), ref: 00311EDB
inet_ntoa.WSOCK32(?), ref: 00311E8C

Part of subcall function 002F39E8: _strlen.LIBCMT ref: 002F39F2

Part of subcall function 00313224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0030EC0C), ref: 00313240

_strlen.LIBCMT ref: 00311F35

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 50ebd154e62b2959086c5b8e240281fd52bbd219fa068c2d503b4eaba039aaa7
Instruction ID: 49a6a0c28f564fed838e5d6f3c3fa3cc14456ee0b5c89b6e77646ea39e3574bd
Opcode Fuzzy Hash: 50ebd154e62b2959086c5b8e240281fd52bbd219fa068c2d503b4eaba039aaa7
Instruction Fuzzy Hash: 1EB10331204300AFC729DF24C885EAA7BE5AF89318F55864CF5565F2E2DB71ED82CB91

Function 00295D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00295D30
GetWindowRect.USER32(?,?), ref: 00295D71
ScreenToClient.USER32(?,?), ref: 00295D99
GetClientRect.USER32(?,?), ref: 00295ED7
GetWindowRect.USER32(?,?), ref: 00295EF8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2e002cbb85f4d8240d2a3b1eb8adee5a579b7f35fd7907beb4bbb84a370c421c
Instruction ID: 0e5553ddd919788e7149c2a3c18981f01793b307f5d5db41a3163c8ea1c66351
Opcode Fuzzy Hash: 2e002cbb85f4d8240d2a3b1eb8adee5a579b7f35fd7907beb4bbb84a370c421c
Instruction Fuzzy Hash: A0B16834A20A4ADBDF10DFA9C4807EEB7F1FF48310F14941AE8A9D7250DB30AA61DB50

Function 002C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C00D6
__allrem.LIBCMT ref: 002C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C010B
__allrem.LIBCMT ref: 002C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C0140

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d02db9b338c783545f78d10989a9d1cc74139ecf89c54c519c28d950fb578edc
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: E881F871620706DBE7209F68CC82FAAB3E8EF41764F24423EF555D66C1E7B0D9208B50

Function 002C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002B82D9,002B82D9,?,?,?,002C644F,00000001,00000001,8BE85006), ref: 002C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002C644F,00000001,00000001,8BE85006,?,?,?), ref: 002C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002C63D8
__freea.LIBCMT ref: 002C63E5

Part of subcall function 002C3820: RtlAllocateHeap.NTDLL(00000000,?,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6,?,00291129), ref: 002C3852

__freea.LIBCMT ref: 002C63EE
__freea.LIBCMT ref: 002C6413

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 90d59fced4a7c1b8d96a42c0a013751a006a76fb887e29c49109529986eeeb60
Instruction ID: 2863611a434513c721942698233ae3175da6f92e2b1fae99c8e0cd3924b53573
Opcode Fuzzy Hash: 90d59fced4a7c1b8d96a42c0a013751a006a76fb887e29c49109529986eeeb60
Instruction Fuzzy Hash: 8051BF72620256ABEB268FA4CC89FAF77A9EB44B50F14476DFC05D7181DB34DC60CA60

Function 0031BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 0031C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0031B6AE,?,?), ref: 0031C9B5
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031C9F1
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA68
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0031BD25
RegCloseKey.ADVAPI32(00000000), ref: 0031BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0031BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0031BDF3
RegCloseKey.ADVAPI32(?), ref: 0031BDFF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 730f3ba092654294b7b3868727ddb4fd4e5b86b5a628f432237c7732427c6fe9
Instruction ID: 4a53e3e66f6e7d0a99dfbbdda6de75fef573f0b088875cbce55250bf004790d3
Opcode Fuzzy Hash: 730f3ba092654294b7b3868727ddb4fd4e5b86b5a628f432237c7732427c6fe9
Instruction Fuzzy Hash: 0C818F30218241EFD719DF24C895E6ABBE9FF88308F15855CF4554B2A2DB31ED85CB92

Function 002EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 002EF7B9
SysAllocString.OLEAUT32(00000001), ref: 002EF860
VariantCopy.OLEAUT32(002EFA64,00000000), ref: 002EF889
VariantClear.OLEAUT32(002EFA64), ref: 002EF8AD
VariantCopy.OLEAUT32(002EFA64,00000000), ref: 002EF8B1
VariantClear.OLEAUT32(?), ref: 002EF8BB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 00723624a5d46959d4cce37d2fed08019ca406dfad9fb82cbec1b957e91bfea6
Instruction ID: 97eded8aaad7d84cd4001a47bf98cbf162c421688706e3524c59608d919953fb
Opcode Fuzzy Hash: 00723624a5d46959d4cce37d2fed08019ca406dfad9fb82cbec1b957e91bfea6
Instruction Fuzzy Hash: CA510831570340BBDFA1AF66D995729B3A8EF45310FA0946BE805DF292DB708C60CB96

Function 0030910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00297620: _wcslen.LIBCMT ref: 00297625

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003094E5
_wcslen.LIBCMT ref: 00309506
_wcslen.LIBCMT ref: 0030952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00309585

Strings

X, xrefs: 00309412

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5c00ed64e2d5f1c976ada3ec5f787f2a1d648edab35e12111bb5db7c3d7c8ad9
Instruction ID: 21ac2d5910b483f05ee76bdf25d5b8654ea61bb941e74339e1543ad53dfef329
Opcode Fuzzy Hash: 5c00ed64e2d5f1c976ada3ec5f787f2a1d648edab35e12111bb5db7c3d7c8ad9
Instruction Fuzzy Hash: C6E1AF316193008FCB25DF25C891B6AB7E4BF85314F05896EF8999B2A2DB30DD45CF92

Function 002A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

BeginPaint.USER32(?,?,?), ref: 002A9241
GetWindowRect.USER32(?,?), ref: 002A92A5
ScreenToClient.USER32(?,?), ref: 002A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002A92D3
EndPaint.USER32(?,?,?,?,?), ref: 002A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002E71EA

Part of subcall function 002A9339: BeginPath.GDI32(00000000), ref: 002A9357

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fb9f0ecd0097361905ed56418ef1a00a2d62c262ac93ed4635878a4eacda7756
Instruction ID: 7677285535d1a0e686f4469e7c0b0502af55075e33a14393994b58272e8a8526
Opcode Fuzzy Hash: fb9f0ecd0097361905ed56418ef1a00a2d62c262ac93ed4635878a4eacda7756
Instruction Fuzzy Hash: 4741B331124301AFDB21DF16CC85FAA7BF8EF46720F144269F954871A1CB719895DB61

Function 003007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0030080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00300847
EnterCriticalSection.KERNEL32(?), ref: 00300863
LeaveCriticalSection.KERNEL32(?), ref: 003008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00300921

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 0e73fac0ccfa3381dc7afdc93916d6c444157177894ba90e6117a5c1c4f798d5
Instruction ID: e1ff4984d7adf7cc80e2df7401fd4826a98d50c0c85d092c7b0245c5d7b8f220
Opcode Fuzzy Hash: 0e73fac0ccfa3381dc7afdc93916d6c444157177894ba90e6117a5c1c4f798d5
Instruction Fuzzy Hash: 45418F71910205EFDF169F94DD85AAA77B8FF04300F1480A9ED009A297DB34EE65DFA4

Function 003281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002EF3AB,00000000,?,?,00000000,?,002E682C,00000004,00000000,00000000), ref: 0032824C
EnableWindow.USER32(?,00000000), ref: 00328272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003282D1
ShowWindow.USER32(?,00000004), ref: 003282E5
EnableWindow.USER32(?,00000001), ref: 0032830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0032832F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2709feeceb9fc5b977037a8dd0361fcb9e20199d82aab4876ce4360d8dbda779
Instruction ID: 959d41aea73ee724c26d59fc89b46fe8780645bab10bbe551992121968d310b0
Opcode Fuzzy Hash: 2709feeceb9fc5b977037a8dd0361fcb9e20199d82aab4876ce4360d8dbda779
Instruction Fuzzy Hash: 4F418338602654EFDB23CF15E899BA47BF4BB0AB14F195169E6084B262CB71A841CF90

Function 002F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002F4CEA
_wcslen.LIBCMT ref: 002F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002F4D10
_wcsstr.LIBVCRUNTIME ref: 002F4D1A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 52a913e5f16f09db755ff27dccc095e9e18f192b43b2d126ca7a197be92abc86
Instruction ID: d8f98e220afa5bb338392663636548e97ea385a4e1b9318638de1178b2253951
Opcode Fuzzy Hash: 52a913e5f16f09db755ff27dccc095e9e18f192b43b2d126ca7a197be92abc86
Instruction Fuzzy Hash: 31216B31224205BBEB256F39ED09E7FBB9CDF45790F10403EF905CA192DEA0CC2186A0

Function 0030581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00293AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00293A97,?,?,00292E7F,?,?,?,00000000), ref: 00293AC2

_wcslen.LIBCMT ref: 0030587B
CoInitialize.OLE32(00000000), ref: 00305995
CoCreateInstance.OLE32(0032FCF8,00000000,00000001,0032FB68,?), ref: 003059AE
CoUninitialize.OLE32 ref: 003059CC

Strings

.lnk, xrefs: 00305876, 003058C1, 00305985

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4da84a036cbe94899e03c867e7007e7f50b3401b3e05544b94fcf2b4f7ef4d81
Instruction ID: 169989b5c8e870d7f5f45b0cb929e68f387b122ce197066b8b4aec76733fd836
Opcode Fuzzy Hash: 4da84a036cbe94899e03c867e7007e7f50b3401b3e05544b94fcf2b4f7ef4d81
Instruction Fuzzy Hash: 22D141756086019FCB15DF28C490A2BBBE5EF89710F15885DF88A9B3A1DB31EC45CF92

Function 002F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002F0FCA
Part of subcall function 002F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002F0FD6
Part of subcall function 002F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002F0FE5
Part of subcall function 002F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002F0FEC
Part of subcall function 002F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002F1002

GetLengthSid.ADVAPI32(?,00000000,002F1335), ref: 002F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002F17BA
HeapAlloc.KERNEL32(00000000), ref: 002F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002F17DA
GetProcessHeap.KERNEL32(00000000,00000000,002F1335), ref: 002F17EE
HeapFree.KERNEL32(00000000), ref: 002F17F5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c0fbae45d865bf5fbabcdb4fcc6c8c3cb2b0d1e45e2e8b2201d8075187109b0f
Instruction ID: 34161565313884946271d7b6a7312c4688b31a72c6ea16bb843106c23e554ab9
Opcode Fuzzy Hash: c0fbae45d865bf5fbabcdb4fcc6c8c3cb2b0d1e45e2e8b2201d8075187109b0f
Instruction Fuzzy Hash: C811AC7192020AEFDB21AFA4CC4ABBFFBADEB45395F504028F5459B210C735A965CB60

Function 002F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 002F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002F1515
CloseHandle.KERNEL32(00000004), ref: 002F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 002F1563

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6d74613172a989511a56e0cfa56cb2184b1d7e11940403e1724c2b7fa2293ab6
Instruction ID: fe7e489cba3ad80a5d3f06be8123ac82a5d8c90258c817bc421390334b0174e0
Opcode Fuzzy Hash: 6d74613172a989511a56e0cfa56cb2184b1d7e11940403e1724c2b7fa2293ab6
Instruction Fuzzy Hash: B411177251024EEBDB228F98DD49BEE7BADEF48744F144029FA05A2160C375CE61DB60

Function 002B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002B3379,002B2FE5), ref: 002B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B33B7
SetLastError.KERNEL32(00000000,?,002B3379,002B2FE5), ref: 002B3409

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 34f8ea7e2adb249339f3f0635896dc5fad4a34d71c9769a7c50fc088fdcb078a
Instruction ID: c928ea89395452ca33dc16cb1ec3452bbe29e2cfac6e337a323968370d0387e2
Opcode Fuzzy Hash: 34f8ea7e2adb249339f3f0635896dc5fad4a34d71c9769a7c50fc088fdcb078a
Instruction Fuzzy Hash: BC012D32238312BEE626AB74BC856D71B9CD7053F9B20022DF510811F0EF614D319984

Function 002C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002C5686,002D3CD6,?,00000000,?,002C5B6A,?,?,?,?,?,002BE6D1,?,00358A48), ref: 002C2D78
_free.LIBCMT ref: 002C2DAB
_free.LIBCMT ref: 002C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,002BE6D1,?,00358A48,00000010,00294F4A,?,?,00000000,002D3CD6), ref: 002C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,002BE6D1,?,00358A48,00000010,00294F4A,?,?,00000000,002D3CD6), ref: 002C2DEC
_abort.LIBCMT ref: 002C2DF2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 636b219361c96b9ce544c5cee9ae86dffe2eaaa9748aca82675ac8ea9d5601fc
Instruction ID: 3ac263a86d16316c32b886c8eb9e78e63342c53a7de10c557fecc683bc254a41
Opcode Fuzzy Hash: 636b219361c96b9ce544c5cee9ae86dffe2eaaa9748aca82675ac8ea9d5601fc
Instruction Fuzzy Hash: 1FF0F435574F01EBC6237B34AC06F1F265DABD27A1F244B1CF825921E6EE348D2A8961

Function 00328A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002A9693
Part of subcall function 002A9639: SelectObject.GDI32(?,00000000), ref: 002A96A2
Part of subcall function 002A9639: BeginPath.GDI32(?), ref: 002A96B9
Part of subcall function 002A9639: SelectObject.GDI32(?,00000000), ref: 002A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00328A4E
LineTo.GDI32(?,00000003,00000000), ref: 00328A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00328A70
LineTo.GDI32(?,00000000,00000003), ref: 00328A80
EndPath.GDI32(?), ref: 00328A90
StrokePath.GDI32(?), ref: 00328AA0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4a41eb052424541ca64a65e69dce2bcffa062cbdacf19be384ffa9bd792a4131
Instruction ID: 248727d042bc72558e66148e9c547c9be50cfe6a1d3709e2c1b5580c845936c6
Opcode Fuzzy Hash: 4a41eb052424541ca64a65e69dce2bcffa062cbdacf19be384ffa9bd792a4131
Instruction Fuzzy Hash: FC110C76000118FFEF129F94DC48E9A7F6CEB08350F04C015FA1595161C771AD55DFA0

Function 002F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 002F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F5230
ReleaseDC.USER32(00000000,00000000), ref: 002F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 002F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 002F5261

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 807e0222efba51b8f981425a0220ecf4754090e0a5955c39622e973d4a59c329
Instruction ID: e540b7850346d70e21953096d0a72ad9f21cda2f6d31170d2f6dddaf16577cf7
Opcode Fuzzy Hash: 807e0222efba51b8f981425a0220ecf4754090e0a5955c39622e973d4a59c329
Instruction Fuzzy Hash: 49018B75E00719BBEB219FA69C49A5EBFB8EF48751F044169FB04AB281D6709C11CFA0

Function 00291BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00291BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00291BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00291C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00291C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00291C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00291C22

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 832226074ef7d8667fcbde13c763de923341770883882257bc3afc97f90f3b28
Instruction ID: c2ed6e9933d4f9216de0c8f3fede49c1d71cba73991c369bf24b9f532a14c8c6
Opcode Fuzzy Hash: 832226074ef7d8667fcbde13c763de923341770883882257bc3afc97f90f3b28
Instruction Fuzzy Hash: D90167B0902B5ABDE3008F6A8C85B56FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 002FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 002FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002FEB75

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 01ee910e75ccf94ea652e230f8e13ebad5f4b9601c81111e59c5b2f26894aa71
Instruction ID: 7d66ab7d6a3aaa0816a43461f53384bb4bf73eb8687fa541fca424c1da246faa
Opcode Fuzzy Hash: 01ee910e75ccf94ea652e230f8e13ebad5f4b9601c81111e59c5b2f26894aa71
Instruction Fuzzy Hash: 85F03A72250558BBE7325B629C0EEEF7A7CEFCAB11F00115CF601D1091D7A46A02C6B5

Function 002E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 002E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 002E7469
GetWindowDC.USER32(?), ref: 002E7475
GetPixel.GDI32(00000000,?,?), ref: 002E7484
ReleaseDC.USER32(?,00000000), ref: 002E7496
GetSysColor.USER32(00000005), ref: 002E74B0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9641a336a7fe989b625e80df80a3c618fa873c2df14b215fed666e81eca69b0a
Instruction ID: 7e7308c1da7dc36d875980f40cfbdfb90147c2a016e5e98314d3624773992c8c
Opcode Fuzzy Hash: 9641a336a7fe989b625e80df80a3c618fa873c2df14b215fed666e81eca69b0a
Instruction Fuzzy Hash: AE018B31420205EFDB225F65DC08BEE7BB9FF04311F641068F916A21A0CB711E62EB50

Function 002F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002F187F
UnloadUserProfile.USERENV(?,?), ref: 002F188B
CloseHandle.KERNEL32(?), ref: 002F1894
CloseHandle.KERNEL32(?), ref: 002F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002F18A5
HeapFree.KERNEL32(00000000), ref: 002F18AC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e5a4aca23f66543709fec431c535b62738c4d4a13e2a0cb95c2cd9ea2422c706
Instruction ID: 344337e8a24e7a22fa6dca8aba2209379ef992c94d1e53631719bb4b664a8299
Opcode Fuzzy Hash: e5a4aca23f66543709fec431c535b62738c4d4a13e2a0cb95c2cd9ea2422c706
Instruction Fuzzy Hash: 25E0C236014501BBDA125BA5ED0D90ABB2DFF49B22B209628F22581074CB32A432DB50

Function 0029BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0029BEB3

Strings

D%6D%6, xrefs: 0029BCA5
D%6, xrefs: 0029BCA2
D%6, xrefs: 0029BE9A
D%6, xrefs: 0029BDED, 0029BD91, 0029BD1B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%6$D%6$D%6$D%6D%6
API String ID: 1385522511-2818778696
Opcode ID: 17a179f4a29381cb35669b16c8b0465ca3d921bd54ea68de70c03ca1b5c5fd93
Instruction ID: 32c50ca23854a3df43ee3997b3e3462dcfcfd41d1a8061f6c739bd6f40b962e1
Opcode Fuzzy Hash: 17a179f4a29381cb35669b16c8b0465ca3d921bd54ea68de70c03ca1b5c5fd93
Instruction Fuzzy Hash: 65918B75A2020ACFCF19CF59D1906AAB7F1FF59300F20816AD985AB350D771ADA1CBA0

Function 00317B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002B0242: EnterCriticalSection.KERNEL32(0036070C,00361884,?,?,002A198B,00362518,?,?,?,002912F9,00000000), ref: 002B024D
Part of subcall function 002B0242: LeaveCriticalSection.KERNEL32(0036070C,?,002A198B,00362518,?,?,?,002912F9,00000000), ref: 002B028A

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002B00A3: __onexit.LIBCMT ref: 002B00A9

__Init_thread_footer.LIBCMT ref: 00317BFB

Part of subcall function 002B01F8: EnterCriticalSection.KERNEL32(0036070C,?,?,002A8747,00362514), ref: 002B0202
Part of subcall function 002B01F8: LeaveCriticalSection.KERNEL32(0036070C,?,002A8747,00362514), ref: 002B0235

Strings

Variable must be of type 'Object'., xrefs: 00317C3A
+T., xrefs: 00317E2E
G, xrefs: 00317C7F
5, xrefs: 00317C78

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T.$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3534516491
Opcode ID: 3e3d9b5bb0581dcbd2f01db02bdc40060f034fd8a7a3e027a42e5c33e836615d
Instruction ID: 6100eddd54c63b4efd0f6a40e008a128203a2db0c76d2b46b23992d2c424a041
Opcode Fuzzy Hash: 3e3d9b5bb0581dcbd2f01db02bdc40060f034fd8a7a3e027a42e5c33e836615d
Instruction Fuzzy Hash: 66918C74A04209EFCB1AEF94D8919EDB7B5FF49300F188059F8069B292DB71AE85CB51

Function 002FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00297620: _wcslen.LIBCMT ref: 00297625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002FC6EE
_wcslen.LIBCMT ref: 002FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002FC7CA

Strings

0, xrefs: 002FC6AF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4f694ecd59a4a168a3a31a93a2d17a5a744cc10055803de1a73d0698bb66b569
Instruction ID: 9a06a6496f2f910e4bf2066842a75c85575a84d2a91ceac20e2eee1028c7e172
Opcode Fuzzy Hash: 4f694ecd59a4a168a3a31a93a2d17a5a744cc10055803de1a73d0698bb66b569
Instruction Fuzzy Hash: 0351D37162830E9BD715AF28CA44A7BF7ECAF85390F240939F691D21D0DB60D824CF52

Function 0031AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0031AEA3

Part of subcall function 00297620: _wcslen.LIBCMT ref: 00297625

GetProcessId.KERNEL32(00000000), ref: 0031AF38
CloseHandle.KERNEL32(00000000), ref: 0031AF67

Strings

@, xrefs: 0031AE72
<, xrefs: 0031AE6B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e7c3ba86b44b355306039ed42fc31ca784b0ba2d713a633ee2815a941cec78c6
Instruction ID: 75df38d220e8e7d987b5e00ba416b4cd353f4af547d4fa990399a3b44cda9675
Opcode Fuzzy Hash: e7c3ba86b44b355306039ed42fc31ca784b0ba2d713a633ee2815a941cec78c6
Instruction Fuzzy Hash: 9D716771A10A14DFCF19DF64C484A9EBBF4BF08310F058499E81AAB2A2C774ED95CF91

Function 002F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002F72CF

Strings

DllGetClassObject, xrefs: 002F7242

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 64058213bfbdfca005558e7a8902d4df5af8335a8ad708003bb8f91490d23d8e
Instruction ID: 80a8fa42bdedbb04192d60a1cf356ccc94a14ecfe26068fcc3c3d2f7339faa76
Opcode Fuzzy Hash: 64058213bfbdfca005558e7a8902d4df5af8335a8ad708003bb8f91490d23d8e
Instruction Fuzzy Hash: 13418171614208EFDB15CF54C885AAABBB9EF44790F1480BDFE059F20AD7B0D955CBA0

Function 00323D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00323E35
IsMenu.USER32(?), ref: 00323E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00323E92
DrawMenuBar.USER32 ref: 00323EA5

Strings

0, xrefs: 00323D89

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b515da4e6eddcfa318cde4c26782de476636faff3108023d9f6df57e4d9ae35f
Instruction ID: 1780692c30f078b03e75223c7178609280bce6db2b70be4aba9159c0ff2174e0
Opcode Fuzzy Hash: b515da4e6eddcfa318cde4c26782de476636faff3108023d9f6df57e4d9ae35f
Instruction Fuzzy Hash: D4418876A10219EFDB21DF50E880AAABBB9FF49350F064029E901A7250C334EE09CF90

Function 002F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 002F1EA9

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

Strings

ListBox, xrefs: 002F1E25
ComboBox, xrefs: 002F1DF0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 5264b4cc15250e4bee8c5bb5e527290e49c773979a7d940bad843aea9ff8258c
Instruction ID: bd60025a82582c39591b0a51054f19463cb573d7511434eadc7d147f3bc9dc11
Opcode Fuzzy Hash: 5264b4cc15250e4bee8c5bb5e527290e49c773979a7d940bad843aea9ff8258c
Instruction Fuzzy Hash: 28213771A20108BADB159FA4DC55CFFF7B8DF453A0B54412DF922A31E0DB34493A8A20

Function 00322F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00322F8D
LoadLibraryW.KERNEL32(?), ref: 00322F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00322FA9
DestroyWindow.USER32(?), ref: 00322FB1

Strings

SysAnimate32, xrefs: 00322F68

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0ab58fee131eae07db428b1fd2ef18d952fe30c2b3fc7e7802cc0752314b5a4b
Instruction ID: 25976fad07644b7ca075c9f8bb347e3b12986e945af7fddc492bff24327643c3
Opcode Fuzzy Hash: 0ab58fee131eae07db428b1fd2ef18d952fe30c2b3fc7e7802cc0752314b5a4b
Instruction Fuzzy Hash: D821DC72200225BBEF228F64ED80EBB77BDEB58364F120218FA10D60A0C771DC519760

Function 002B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002B4D1E,002C28E9,?,002B4CBE,002C28E9,003588B8,0000000C,002B4E15,002C28E9,00000002), ref: 002B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002B4D1E,002C28E9,?,002B4CBE,002C28E9,003588B8,0000000C,002B4E15,002C28E9,00000002,00000000), ref: 002B4DC3

Strings

CorExitProcess, xrefs: 002B4D98
mscoree.dll, xrefs: 002B4D86

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 56ab1101c50e5bc7e23ff37a3a80d33ff308a0cfdd28bd6d184e64702765038e
Instruction ID: 8f759530d2eac16660b6ccba4ee25619099f0a561f744bc5af0399dc5138b62d
Opcode Fuzzy Hash: 56ab1101c50e5bc7e23ff37a3a80d33ff308a0cfdd28bd6d184e64702765038e
Instruction Fuzzy Hash: 9FF06834560309BBDB169F90DC89BDDBFB9EF44751F000158F905A2261CB305D51CBD0

Function 002ED3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 002ED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002ED3BF
FreeLibrary.KERNEL32(00000000), ref: 002ED3E5

Strings

GetSystemWow64DirectoryW, xrefs: 002ED3B9
X64, xrefs: 002ED2A8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 67a39c4d82dc00c05c546ad1e98e9e201de7b4410bceccb2da29dfa2b14c3a4c
Instruction ID: f43afd69deceaf1753c7377a764156999e73f617a070c9de297dafbcf44b5a2e
Opcode Fuzzy Hash: 67a39c4d82dc00c05c546ad1e98e9e201de7b4410bceccb2da29dfa2b14c3a4c
Instruction Fuzzy Hash: D9F0A3344B56A29BD7731B128C549AE77245F11701FD494D9FD43E1026CF60CC70CAD2

Function 00294E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00294EDD,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00294EAE
FreeLibrary.KERNEL32(00000000,?,?,00294EDD,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00294EA8
kernel32.dll, xrefs: 00294E94

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f4e1112faff954397a15ed22b325b3f07be6d7c218601a72e4aa48c7fe41d58
Instruction ID: bac001d894653d9812423080bb8827e6108b5cd0f91c82077ca39254acc66e2e
Opcode Fuzzy Hash: 0f4e1112faff954397a15ed22b325b3f07be6d7c218601a72e4aa48c7fe41d58
Instruction Fuzzy Hash: 81E08635A215235B96332B256C19E5FA558AF81B63B051119FC01D2110DB60DD1380E0

Function 00294E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D3CDE,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00294E74
FreeLibrary.KERNEL32(00000000,?,?,002D3CDE,?,00361418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00294E87

Strings

kernel32.dll, xrefs: 00294E5B
Wow64RevertWow64FsRedirection, xrefs: 00294E6E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7f8fce7f12322e9abaae7aceda3db3b767a2fca41e1b974dd3ca5225ffdbc6f3
Instruction ID: 9f9dce8f2559e43629a3ddb5e632e0fbecc3dd36709e7e4f502f6e07ab5e1112
Opcode Fuzzy Hash: 7f8fce7f12322e9abaae7aceda3db3b767a2fca41e1b974dd3ca5225ffdbc6f3
Instruction Fuzzy Hash: A9D0C232932A32574A332F247C09DCF6A1CAF85B513051518FC01A2210CF20CD23C1D0

Function 00302947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00302C05
DeleteFileW.KERNEL32(?), ref: 00302C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00302C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00302CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00302CC0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d36b83eb0aeb5fe2b32f4bf82cda4474858033da46498a9c1149e7c18f565d73
Instruction ID: d6ec88673d2a4feac69264dc862743e38f7bff1116fd63d20f7dd677f485a599
Opcode Fuzzy Hash: d36b83eb0aeb5fe2b32f4bf82cda4474858033da46498a9c1149e7c18f565d73
Instruction Fuzzy Hash: 5EB16071E11129ABDF22DFA4CC99EDFB77DEF09350F1040A6F909E6181EA309A548F61

Function 0031A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0031A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0031A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0031A468
CloseHandle.KERNEL32(?), ref: 0031A63D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 44ac512f4a493d261fdcbff1d7b3cae81d59fd82e5ea8000622b4cd51a9711bb
Instruction ID: 5a1dfa1d1baf35522b3d80287525688619367794a9cfce86968df59edf07cd66
Opcode Fuzzy Hash: 44ac512f4a493d261fdcbff1d7b3cae81d59fd82e5ea8000622b4cd51a9711bb
Instruction Fuzzy Hash: 46A1C0716147009FD725DF24C886F2AB7E5AF88714F14881DF99A9B392DBB0EC418F82

Function 002CBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00333700), ref: 002CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0036121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00361270,000000FF,?,0000003F,00000000,?), ref: 002CBC36
_free.LIBCMT ref: 002CBB7F

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002CBD4B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2a2abb9bb2edf7a08063a63c598379cb3a483a57a8772548bec58fcea98d459a
Instruction ID: 34bda791d5526742b31a10e6dfd1539989e0ab23128d05d8353d08179a0a1163
Opcode Fuzzy Hash: 2a2abb9bb2edf7a08063a63c598379cb3a483a57a8772548bec58fcea98d459a
Instruction Fuzzy Hash: 8051D571920209AFCB12EF659C82EAEBBBCEF40350F14476EE514D71A1EB709E618F50

Function 002FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002FCF22,?), ref: 002FDDFD

Part of subcall function 002FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002FCF22,?), ref: 002FDE16

Part of subcall function 002FE199: GetFileAttributesW.KERNEL32(?,002FCF95), ref: 002FE19A

lstrcmpiW.KERNEL32(?,?), ref: 002FE473
MoveFileW.KERNEL32(?,?), ref: 002FE4AC
_wcslen.LIBCMT ref: 002FE5EB
_wcslen.LIBCMT ref: 002FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 002FE650

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a357bdab099f661f4e897366a5874f83b2d589525ce1719f1ecf13ab17f6b242
Instruction ID: c5980aa4affea6f26c3cca944cc036300a03e88c1470b46bf453a7fa349c0890
Opcode Fuzzy Hash: a357bdab099f661f4e897366a5874f83b2d589525ce1719f1ecf13ab17f6b242
Instruction Fuzzy Hash: AB5164B24183495BCB25EB94DC819EFB3DCAF84390F00492EF689D3151EF74A598CB66

Function 0031B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 0031C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0031B6AE,?,?), ref: 0031C9B5
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031C9F1
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA68
Part of subcall function 0031C998: _wcslen.LIBCMT ref: 0031CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0031BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0031BB63
RegCloseKey.ADVAPI32(?,?), ref: 0031BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0031BBB3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e8693b01cad2fa96cdbe56efe8a1429996605249c4346dc2540560e429c037a8
Instruction ID: 3c2fddfce7e468e34b43089d99c4e0eb616402a31147de596fd55fe6092aef16
Opcode Fuzzy Hash: e8693b01cad2fa96cdbe56efe8a1429996605249c4346dc2540560e429c037a8
Instruction Fuzzy Hash: 2B61B231118241EFD719DF14C490E6ABBE9FF88308F15855CF4994B2A2CB31ED85CB92

Function 002F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002F8BCD
VariantClear.OLEAUT32 ref: 002F8C3E
VariantClear.OLEAUT32 ref: 002F8C9D
VariantClear.OLEAUT32(?), ref: 002F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002F8D3B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4566d56f98e2b22d9e623116f3680136b610217a6d67b832d52dfb41d51cdc05
Instruction ID: 985a19a066991dfde60cee13f4492e8e5972cb94590e46727a8233c6aaf2d08a
Opcode Fuzzy Hash: 4566d56f98e2b22d9e623116f3680136b610217a6d67b832d52dfb41d51cdc05
Instruction Fuzzy Hash: AB516AB5A10619EFCB14CF68C884AAAB7F8FF89350F158569E905DB354E730E921CF90

Function 00308AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00308BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00308BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00308C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00308C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00308C5F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3172a799fb867d56f99904ec9e96b2d90d56de3b0dc9b1ae52000abb1a98eb1e
Instruction ID: 0bace40f09ed71e8584f54827dd3858d275abea8ba4d2e9e6023d396d67d083e
Opcode Fuzzy Hash: 3172a799fb867d56f99904ec9e96b2d90d56de3b0dc9b1ae52000abb1a98eb1e
Instruction Fuzzy Hash: F6513635A10214AFDF15DF64C880A6ABBF5BF49314F098458E849AB3A2DB35ED51CF90

Function 00318EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00318F40
GetProcAddress.KERNEL32(00000000,?), ref: 00318FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00318FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00319032
FreeLibrary.KERNEL32(00000000), ref: 00319052

Part of subcall function 002AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00301043,?,7529E610), ref: 002AF6E6
Part of subcall function 002AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002EFA64,00000000,00000000,?,?,00301043,?,7529E610,?,002EFA64), ref: 002AF70D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d671ac0ac291c3b5bacfef93e3927fcbf3fb08b257bf81b78678b670eedfc42e
Instruction ID: b47fa12a472e52200754511f2f8bca0b69ab78663da07f11b8853cc5b35035c8
Opcode Fuzzy Hash: d671ac0ac291c3b5bacfef93e3927fcbf3fb08b257bf81b78678b670eedfc42e
Instruction Fuzzy Hash: 1A514934604205DFCB16DF68C4949ADBBB1FF4D324B058099E8069B362DB31ED86CF90

Function 00326B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00326C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00326C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00326C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0030AB79,00000000,00000000), ref: 00326C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00326CC7

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 51c533729a2f93812719b4719f6861007e16c6328e714cc209ddfc350c1bffd5
Instruction ID: aba5731c21535decc42b74e2b41e78280c8b916c8f1c615c8a64c6d60798d311
Opcode Fuzzy Hash: 51c533729a2f93812719b4719f6861007e16c6328e714cc209ddfc350c1bffd5
Instruction Fuzzy Hash: F141E835604134AFD726EF28DC56FA97BA9EF09360F160268F895A72E0C371ED41CA90

Function 002C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002C20C3
_free.LIBCMT ref: 002C20E3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 16da8f8eabec549dc32d0a01a8aacd6ce091af0063915011ed28e15403ec4753
Instruction ID: 44970fcc8c26523d36fa5e18fed4041e52c9116628b50b956dc74d865c1450ee
Opcode Fuzzy Hash: 16da8f8eabec549dc32d0a01a8aacd6ce091af0063915011ed28e15403ec4753
Instruction Fuzzy Hash: 3741CF32A20200DFCB24DF78C981F5DB7A5EF99314F1546ADE615EB392DA31AD15CB80

Function 002A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A9141
ScreenToClient.USER32(00000000,?), ref: 002A915E
GetAsyncKeyState.USER32(00000001), ref: 002A9183
GetAsyncKeyState.USER32(00000002), ref: 002A919D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e39f0742515c95facceb6d121e8f0fc06108e1377d30ba4ffc7c1a2a5d89c255
Instruction ID: 13c31c892e7c0cb00f64f5de3c57ca929ebbd056c93fbe9b383e0f5e1e1ef947
Opcode Fuzzy Hash: e39f0742515c95facceb6d121e8f0fc06108e1377d30ba4ffc7c1a2a5d89c255
Instruction Fuzzy Hash: 7141603191865BFBDF159F6AC844BEEB774FF06320F204219E429A7290CB7459A0DF51

Function 00303874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00303922
TranslateMessage.USER32(?), ref: 0030394B
DispatchMessageW.USER32(?), ref: 00303955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00303966

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 04d58683d7a89f462c4135e6564aacd0a8829c50799bb0ab194313d6daf790e8
Instruction ID: 1a8a3cd8314eeb084f40dbb8622316e6406a172008d65689b942b4b2b9ef6774
Opcode Fuzzy Hash: 04d58683d7a89f462c4135e6564aacd0a8829c50799bb0ab194313d6daf790e8
Instruction Fuzzy Hash: 0931D3709163419EEB37CB349868BB63BACEB06304F19856DE462C31E0E3F49A85CB51

Function 0030CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0030C21E,00000000), ref: 0030CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0030CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0030C21E,00000000), ref: 0030CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0030C21E,00000000), ref: 0030CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0030C21E,00000000), ref: 0030CFF2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 53266692e8361004e05890457ba0a490d226d1d65a3502d101147548286ec7eb
Instruction ID: 4781bb71320efca8a2e6bc91fae8bd1b09ca6f46b69a668ed947828e21d382cd
Opcode Fuzzy Hash: 53266692e8361004e05890457ba0a490d226d1d65a3502d101147548286ec7eb
Instruction Fuzzy Hash: AC319A71621206EFDB22CFA5C994AAFBBFDEF00310B10552EF506D2181DB30AE41DB61

Function 002F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002F19E2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a0731a00495543ad445b9ebcd4e226b80f3819782ff7f1a84e9b87dae0ebbda4
Instruction ID: 2468e48bae5049fbc1e76a76632d9ac278d8f4b78a105e85ec6971b160e024c7
Opcode Fuzzy Hash: a0731a00495543ad445b9ebcd4e226b80f3819782ff7f1a84e9b87dae0ebbda4
Instruction Fuzzy Hash: F431F67191021DEFCB14CFA8CD59AEEBBB5EB04314F404229FA21A72D0C3B09D64CB90

Function 00325706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00325745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0032579D
_wcslen.LIBCMT ref: 003257AF
_wcslen.LIBCMT ref: 003257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00325816

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f9296be0f29d8d19649a33504ff75102a52cad02a64483879a5ee74aeb585da4
Instruction ID: b3bb1e68905612c7bc7c9b4e1231c08d333c23855c13b4b5c2e5f5641fb5635f
Opcode Fuzzy Hash: f9296be0f29d8d19649a33504ff75102a52cad02a64483879a5ee74aeb585da4
Instruction Fuzzy Hash: 3121B631904628DADB229F65EC84AEDB7BCFF04720F108216F929EB180D770CA85CF50

Function 00310930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00310951
GetForegroundWindow.USER32 ref: 00310968
GetDC.USER32(00000000), ref: 003109A4
GetPixel.GDI32(00000000,?,00000003), ref: 003109B0
ReleaseDC.USER32(00000000,00000003), ref: 003109E8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6719348b22cbc52b4e70528012357e7bd268abc8fe475d9054e2e239a9a7f29d
Instruction ID: 8217853af895ab53585ce02ba613da3e8a3c0a05ad406414dd10f4101e2245f4
Opcode Fuzzy Hash: 6719348b22cbc52b4e70528012357e7bd268abc8fe475d9054e2e239a9a7f29d
Instruction Fuzzy Hash: E521A135610204AFD715EF65D894AAEBBF9EF48700F14802CE84A9B762CB70AC44CB90

Function 002CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002CCDE9

Part of subcall function 002C3820: RtlAllocateHeap.NTDLL(00000000,?,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6,?,00291129), ref: 002C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002CCE0F
_free.LIBCMT ref: 002CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002CCE31

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 474cc663c8abb2cde2fcc56dfcfa53b623f98f4a61aee51bf36aa9e44085cc67
Instruction ID: 7b0c69fa6abf14af364ce156dd376f5f0f22bbeff38de1ed28b40d05d7b3c184
Opcode Fuzzy Hash: 474cc663c8abb2cde2fcc56dfcfa53b623f98f4a61aee51bf36aa9e44085cc67
Instruction Fuzzy Hash: B301D8726216157F23225A766C48E7F696DDEC7BA1325032DF909C7201DA618D2281F0

Function 002A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002A9693
SelectObject.GDI32(?,00000000), ref: 002A96A2
BeginPath.GDI32(?), ref: 002A96B9
SelectObject.GDI32(?,00000000), ref: 002A96E2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5059c4c41908334ee274485a8f6d4e496d6012fc02df03bbee5edac89e7998d5
Instruction ID: 0a1501db6720eac4553dcae9bd3e065a2d5cca80afef62d95e15208b823d7ff5
Opcode Fuzzy Hash: 5059c4c41908334ee274485a8f6d4e496d6012fc02df03bbee5edac89e7998d5
Instruction Fuzzy Hash: 49217F31822306EBEB129F66DC197A93BACBF01715F18821AF410A61A0D7B098A1CFD4

Function 002F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002F5726
_memcmp.LIBVCRUNTIME ref: 002F5744
_memcmp.LIBVCRUNTIME ref: 002F5757
_memcmp.LIBVCRUNTIME ref: 002F576F
_memcmp.LIBVCRUNTIME ref: 002F5787

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e11812c2717bd62bf88944221602a88dcee92141856bbd0eebd70051ef83077b
Instruction ID: bf0d5b7b700e4850942664013c70d7c08e3d951f7fec3ae15022c1976e454741
Opcode Fuzzy Hash: e11812c2717bd62bf88944221602a88dcee92141856bbd0eebd70051ef83077b
Instruction Fuzzy Hash: B60192726A5A3EBE96086511AD92EFBE39C9B213D4B404030FF059A241F660ED3086A0

Function 002C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002BF2DE,002C3863,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6), ref: 002C2DFD
_free.LIBCMT ref: 002C2E32
_free.LIBCMT ref: 002C2E59
SetLastError.KERNEL32(00000000,00291129), ref: 002C2E66
SetLastError.KERNEL32(00000000,00291129), ref: 002C2E6F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 431292a4f2eaf6ff1311c59c8a0a7c1dff08186764443b4e3313c69fd9809ac4
Instruction ID: 2fce689fd5606a43f2438ba99a8dc90adc914d5c07209f472d1c2008cfcb174c
Opcode Fuzzy Hash: 431292a4f2eaf6ff1311c59c8a0a7c1dff08186764443b4e3313c69fd9809ac4
Instruction Fuzzy Hash: F201F936135A01EBC6136B746C45F2F255DABC1375B24472CF915B2193EE749C2D4420

Function 002F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?,?,002F035E), ref: 002F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?), ref: 002F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?), ref: 002F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?), ref: 002F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002EFF41,80070057,?,?), ref: 002F0070

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1948748962bc47fba481b4d1c4d57ec0bf0e034d70e8f0475703f0445a616524
Instruction ID: c970814244ef6537cf1173ff4ae26ac5c85755ebbb516ae20ff0741d1fc1d373
Opcode Fuzzy Hash: 1948748962bc47fba481b4d1c4d57ec0bf0e034d70e8f0475703f0445a616524
Instruction Fuzzy Hash: C401DF72620218BFDB214F68DC84FBEBAADEF44391F10802CFA05D2211DB70DD408BA0

Function 002FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 002FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 002FE9A5
Sleep.KERNEL32(00000000), ref: 002FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 002FE9B7
Sleep.KERNEL32 ref: 002FE9F3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b7cdcb40aa5111f495dcb27d71ed22836fa9f957995e11ab8b7c7d243036183e
Instruction ID: f4c1e3e9bab14dd4c48b80cdc06438dd75e2b25ca4e204e7daee972574b9f253
Opcode Fuzzy Hash: b7cdcb40aa5111f495dcb27d71ed22836fa9f957995e11ab8b7c7d243036183e
Instruction Fuzzy Hash: F0015B31C21A2DDBDF119FE4DC49AEDFB78BB09701F01056AE602B2260CB709565CBA2

Function 002F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002F0B9B,?,?,?), ref: 002F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002F114D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9bb2bd0d69563a4b8638e8805efb3086ad3d9db2ba1e4c61862b9564dcc57b0e
Instruction ID: 25f3d6beb17b1023389c5037433fd8c6107e00d408f908b1cd81c5048901125a
Opcode Fuzzy Hash: 9bb2bd0d69563a4b8638e8805efb3086ad3d9db2ba1e4c61862b9564dcc57b0e
Instruction Fuzzy Hash: 05016D79110205BFDB224F64DC49A6B3B6EEF853A0F100428FA45C3350DB31DC218A60

Function 002F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002F1002

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4c1c0c1f31c05d3282d78dab9cf67da2a4f49106bbf75d49b4000dccc0fa3dcd
Instruction ID: cf1322cf06ec42aaec98ada01658b3b7f3f3dd3d5b400b403c33ed2e13de3ba5
Opcode Fuzzy Hash: 4c1c0c1f31c05d3282d78dab9cf67da2a4f49106bbf75d49b4000dccc0fa3dcd
Instruction Fuzzy Hash: BFF04F36110305EBD7224FA49C4AF5A3B6DEF89761F504428FA45C7251CA70DC618A60

Function 002F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002F1062

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7597544aeb76b54f89d2d4747a7ee8706e722f4db4b0c3d00fdd05d614c8dbcf
Instruction ID: 372c99c8d040d2a24f1f489cbe0d1d8e0b71f1c4da42a6caa6f283b1ecc54dab
Opcode Fuzzy Hash: 7597544aeb76b54f89d2d4747a7ee8706e722f4db4b0c3d00fdd05d614c8dbcf
Instruction Fuzzy Hash: 99F06235110315FBD7225FA4EC49F5A3B6DEF89761F504428FE45C7250CE70D8618A60

Function 0030030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 00300324
CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 00300331
CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 0030033E
CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 0030034B
CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 00300358
CloseHandle.KERNEL32(?,?,?,?,0030017D,?,003032FC,?,00000001,002D2592,?), ref: 00300365

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bd5167707f5f59edfcc94d590a1fc30b93f4431424a6319128bb9dcad67b5557
Instruction ID: cf4c181561046800eca47fe03e8aff4ba1a76a13c5cff690d13f2e0c41e12038
Opcode Fuzzy Hash: bd5167707f5f59edfcc94d590a1fc30b93f4431424a6319128bb9dcad67b5557
Instruction Fuzzy Hash: 2F01E276801B019FC7369F66D890506F7F9BF503157168A3FD19252970C370A944CF80

Function 002CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002CD752

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002CD764
_free.LIBCMT ref: 002CD776
_free.LIBCMT ref: 002CD788
_free.LIBCMT ref: 002CD79A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 995ef0dfbf44ff7e592c3008ff9e9cd1df235c2978d258f0e109a86c0ea4ebaa
Instruction ID: d8bda2196dfc37389267db842b137816f2a426411948c3c3907a72430ef808c4
Opcode Fuzzy Hash: 995ef0dfbf44ff7e592c3008ff9e9cd1df235c2978d258f0e109a86c0ea4ebaa
Instruction Fuzzy Hash: 2DF04F32560705EB8622EF64F9C5E16B7DDBB04311BA52A1DF048E7511CB30FC948A60

Function 002F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 002F5C6F
MessageBeep.USER32(00000000), ref: 002F5C87
KillTimer.USER32(?,0000040A), ref: 002F5CA3
EndDialog.USER32(?,00000001), ref: 002F5CBD

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fa48b269107b79b2f859382ab58198a1910c272aaacb441c16d30f208a0727ba
Instruction ID: a9c36f6ced16f92245017589be82bb4913ffe727003765c382d3b3a5bb51912c
Opcode Fuzzy Hash: fa48b269107b79b2f859382ab58198a1910c272aaacb441c16d30f208a0727ba
Instruction Fuzzy Hash: 28018B30520B149BEB315B10DD4EFB9B7BCBF00B45F04156EB783A14E1D7F459558A90

Function 002C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002C22BE

Part of subcall function 002C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000), ref: 002C29DE
Part of subcall function 002C29C8: GetLastError.KERNEL32(00000000,?,002CD7D1,00000000,00000000,00000000,00000000,?,002CD7F8,00000000,00000007,00000000,?,002CDBF5,00000000,00000000), ref: 002C29F0

_free.LIBCMT ref: 002C22D0
_free.LIBCMT ref: 002C22E3
_free.LIBCMT ref: 002C22F4
_free.LIBCMT ref: 002C2305

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80e8d135ce17863de9237034756213cccb264542d43213c83ec3d2a7349d334b
Instruction ID: 78964c1317d79b8b1dab7cbcce2c4da96bf03dcff6069d9f02a75bb571c41f13
Opcode Fuzzy Hash: 80e8d135ce17863de9237034756213cccb264542d43213c83ec3d2a7349d334b
Instruction Fuzzy Hash: 77F03A74860A20DF8727AF54BC02E093B6CB718761F18AA0EF410D62B1CFB00925EFA5

Function 002A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002A95D4
StrokeAndFillPath.GDI32(?,?,002E71F7,00000000,?,?,?), ref: 002A95F0
SelectObject.GDI32(?,00000000), ref: 002A9603
DeleteObject.GDI32 ref: 002A9616
StrokePath.GDI32(?), ref: 002A9631

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ab100e1239e60b139999a86eea72271edc9e106aea510be54c205acdbf696b0f
Instruction ID: b023abbc83f4db975fa18f864a6e955d28d257e804acbed72f66c7d1d2bb5257
Opcode Fuzzy Hash: ab100e1239e60b139999a86eea72271edc9e106aea510be54c205acdbf696b0f
Instruction Fuzzy Hash: 01F0EC31425605EBEB275F66ED1D7683BADEB02722F08C218F465550F0CBB089B6DFA4

Function 002C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002C10F9
__freea.LIBCMT ref: 002C1117

Part of subcall function 002C1537: _free.LIBCMT ref: 002C154F

Strings

am/pm, xrefs: 002C117A
a/p, xrefs: 002C11DE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 12ef4a9236c7e08d6ce7251e66c0501e96a53582abf120d5d02d3b3d199bf624
Instruction ID: 6b56db27fcd445cec090ea40dcf9623941cbd40ce6f8e48b90670e013865b063
Opcode Fuzzy Hash: 12ef4a9236c7e08d6ce7251e66c0501e96a53582abf120d5d02d3b3d199bf624
Instruction Fuzzy Hash: A8D1C035930246CADB249F68C857FBAB7B0EF07304F28439DE9059B652D2B59DB0CB91

Function 003161D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002B0242: EnterCriticalSection.KERNEL32(0036070C,00361884,?,?,002A198B,00362518,?,?,?,002912F9,00000000), ref: 002B024D
Part of subcall function 002B0242: LeaveCriticalSection.KERNEL32(0036070C,?,002A198B,00362518,?,?,?,002912F9,00000000), ref: 002B028A

Part of subcall function 002B00A3: __onexit.LIBCMT ref: 002B00A9

__Init_thread_footer.LIBCMT ref: 00316238

Part of subcall function 002B01F8: EnterCriticalSection.KERNEL32(0036070C,?,?,002A8747,00362514), ref: 002B0202
Part of subcall function 002B01F8: LeaveCriticalSection.KERNEL32(0036070C,?,002A8747,00362514), ref: 002B0235

Part of subcall function 0030359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003035E4
Part of subcall function 0030359C: LoadStringW.USER32(00362390,?,00000FFF,?), ref: 0030360A

Strings

x#6, xrefs: 00316353
x#6, xrefs: 0031636F
x#6, xrefs: 0031633A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#6$x#6$x#6
API String ID: 1072379062-3747883254
Opcode ID: 8453c41522cd4eaa80a11cb3002b52915cc768ae0dc6698aa3ded886a2aa03c8
Instruction ID: 6c3fd63187292b7a2c145d67c481f84c120781d1f44e01b79dd50f11f9f52884
Opcode Fuzzy Hash: 8453c41522cd4eaa80a11cb3002b52915cc768ae0dc6698aa3ded886a2aa03c8
Instruction Fuzzy Hash: C0C18C71A00105AFCB1ADF98C891EFEB7B9EF49300F15806AE9159B291DB70ED95CB90

Function 002C5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO), xrefs: 002C5BA8, 002C5C6C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: JO)
API String ID: 0-3072268962
Opcode ID: d9dc24d604c4dbd1a95d9a57779abb62e66b363c691840fac5f3582f46c2e775
Instruction ID: f8c76e85dc1cacc5b7aa013a81c097d4028b5b5740134d65b0e00ae41b242de2
Opcode Fuzzy Hash: d9dc24d604c4dbd1a95d9a57779abb62e66b363c691840fac5f3582f46c2e775
Instruction Fuzzy Hash: D451C07193062A9FCB219FA4CD45FEEBFB8AF05314F14021EF404A7291D675EAA1CB61

Function 002C8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 002C8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 002C8B7A
__dosmaperr.LIBCMT ref: 002C8B81

Strings

.+, xrefs: 002C8A63

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .+
API String ID: 2434981716-85632910
Opcode ID: bec41432335da82729519d63c2d67a66b8a8530f6517e69a493e26cdd07ffb17
Instruction ID: fd14f0f41942e6b52c75df106830ad0573037452e4eaef71384d5af65ed8fd33
Opcode Fuzzy Hash: bec41432335da82729519d63c2d67a66b8a8530f6517e69a493e26cdd07ffb17
Instruction Fuzzy Hash: 2E414BB1624145AFDB259F24C881F797BA5DB85308F28C7ADE885C7152DE718C228790

Function 002F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002F21D0,?,?,00000034,00000800,?,00000034), ref: 002FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002F2760

Part of subcall function 002FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 002FB3F8

Part of subcall function 002FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 002FB355
Part of subcall function 002FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002F2194,00000034,?,?,00001004,00000000,00000000), ref: 002FB365
Part of subcall function 002FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002F2194,00000034,?,?,00001004,00000000,00000000), ref: 002FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002F281A

Strings

@, xrefs: 002F2832

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d22f6d70bb2589caa005445d899b620ff3933f87f714b90fc6ad713f9cba02fa
Instruction ID: 855289afbd73cdbf81406174fd9bae615aed054a12b07c1669c5d2f0509dc9b5
Opcode Fuzzy Hash: d22f6d70bb2589caa005445d899b620ff3933f87f714b90fc6ad713f9cba02fa
Instruction Fuzzy Hash: 12412C7291021DAEDB11DFA4CD41AEEFBB8AB05740F0040A9EA55B7181DB706E59CFA1

Function 002C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 002C1769
_free.LIBCMT ref: 002C1834
_free.LIBCMT ref: 002C183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 002C1760, 002C1767, 002C1796, 002C17CE

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 991ed1157bc0481005ae62b3d64b8941e5e97820a063f3c1ccd78115c87c31cb
Instruction ID: defce178e91b93549bc5dacc5ab8f0a892c86c0fb434c01730bd36c99e60e9a4
Opcode Fuzzy Hash: 991ed1157bc0481005ae62b3d64b8941e5e97820a063f3c1ccd78115c87c31cb
Instruction Fuzzy Hash: 00319575A14208EFDB21DF959C82E9EBBBCEB86310F14426AE404D7212D7B04E64CB90

Function 002FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 002FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00361990,01765740), ref: 002FC395

Strings

0, xrefs: 002FC2DF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 07c78c665a72c649d1953d223e0eed547c08dca5eaa82f8b198572842e12f095
Instruction ID: 1517379d3ad76759e75db12d9bc08e4d77b2ada8a6e6eeb1dfa3a7c126c84cc0
Opcode Fuzzy Hash: 07c78c665a72c649d1953d223e0eed547c08dca5eaa82f8b198572842e12f095
Instruction Fuzzy Hash: BB41D43121430A9FD720DF25D944F6AFBE8AF853A0F2086ADFA65972D1C730E954CB52

Function 00324416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0032CC08,00000000,?,?,?,?), ref: 003244AA
GetWindowLongW.USER32 ref: 003244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003244D7

Strings

SysTreeView32, xrefs: 0032447C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c83fc8b36b278ca26d53bd57e2e7b1af568d0702c9fd7b234059f5234d0f2aa2
Instruction ID: 9e98164796a53a5887f39d239f8cbd042420e6b4676769516ba252a2b5b093d6
Opcode Fuzzy Hash: c83fc8b36b278ca26d53bd57e2e7b1af568d0702c9fd7b234059f5234d0f2aa2
Instruction Fuzzy Hash: DB319A31210225ABDB229E38EC45BEA7BA9EF09324F214315F975A21E0DB70EC619B50

Function 002F6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 002F6EED
VariantCopyInd.OLEAUT32(?,?), ref: 002F6F08
VariantClear.OLEAUT32(?), ref: 002F6F12

Strings

*j/, xrefs: 002F6E8B, 002F6E90, 002F6EF8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j/
API String ID: 2173805711-4267222096
Opcode ID: eb209f5cf02089a1858e0caebb6940c6445afd42422718185e1d7285d2b87a10
Instruction ID: 53c9e5c0bee5c77509b83866c1c276266f763792eb4c033c15a86deb2570a2fd
Opcode Fuzzy Hash: eb209f5cf02089a1858e0caebb6940c6445afd42422718185e1d7285d2b87a10
Instruction Fuzzy Hash: 8231A171624249DBCF06AF64E858DBEB775EF45340B2405A8FA034B6A1C7709932DB90

Function 0031304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0031335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00313077,?,?), ref: 00313378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0031307A
_wcslen.LIBCMT ref: 0031309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00313106

Strings

255.255.255.255, xrefs: 00313095, 0031309A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a4646223e8853e28c4a9dda941b4a9ef67fc9eec70fdaa52efccf0d2627267ed
Instruction ID: 6a921ae446974658e6e735d3076b1c793ec90b5576d054b259f4f18e0f36be75
Opcode Fuzzy Hash: a4646223e8853e28c4a9dda941b4a9ef67fc9eec70fdaa52efccf0d2627267ed
Instruction Fuzzy Hash: 0031E9396042019FCB16DF28C885EE977E4EF1C314F258069E9168B792D771DE85CB60

Function 00323EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00323F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00323F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00323F78

Strings

SysMonthCal32, xrefs: 00323F0B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dc7cf9008b04b8afcd3a57b49fa0f7606b111a05141a6506a905afdbe4e66f72
Instruction ID: 08916ee768f8e68caa2bf1edaf3316ad3f5b5226fcd815699a7a12027f1b2a95
Opcode Fuzzy Hash: dc7cf9008b04b8afcd3a57b49fa0f7606b111a05141a6506a905afdbe4e66f72
Instruction Fuzzy Hash: 3D219F32610229BBDF228F50EC46FEA3B79EF48714F120214FA156B1D0D6B5AD65CB90

Function 00324653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00324705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00324713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0032471A

Strings

msctls_updown32, xrefs: 00324684

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ea0fda9e432c1af0c9a18f2f037914c457a9dd10c559f0521a901a62e55a30de
Instruction ID: 88a888f0a6045afc8562049d11d95e643a2350ac1e98e728df5da69b9ba36cba
Opcode Fuzzy Hash: ea0fda9e432c1af0c9a18f2f037914c457a9dd10c559f0521a901a62e55a30de
Instruction Fuzzy Hash: 142160B5610218AFDB12DF68ECC1DBB37EDEF5A794B050059FA149B251CB70EC21CA60

Function 002F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002F961D

Strings

#notrayicon, xrefs: 002F95B7
#OnAutoItStartRegister, xrefs: 002F95F3
#requireadmin, xrefs: 002F95D9

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 875ce9050971a042ddc298d07522cf338d1c09f7a4d6d46ccab7ef3d8a58395c
Instruction ID: 1943f43afe4735e2ff6e6da87298fbcae57cc6c279ba5a9f5e172da31aeecd94
Opcode Fuzzy Hash: 875ce9050971a042ddc298d07522cf338d1c09f7a4d6d46ccab7ef3d8a58395c
Instruction Fuzzy Hash: 3E21263213452666C732AA289802FF7F39C9F61380F504036FB49D7141EB919DB5C695

Function 003237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00323840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00323850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00323876

Strings

Listbox, xrefs: 0032380F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 07129f9c194c873d487486024d57933a0dbcb1b29c0f6a3447b45db51a1c7a45
Instruction ID: 737f252e2cf788ac14d5f74c539fca9a95a360c44c5e626feb486e9ea5350cd7
Opcode Fuzzy Hash: 07129f9c194c873d487486024d57933a0dbcb1b29c0f6a3447b45db51a1c7a45
Instruction Fuzzy Hash: 1921A472610228BBEF228F54EC85FBB376EEF89750F118114F9149B190C675DC528BA0

Function 003049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00304A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00304A5C
SetErrorMode.KERNEL32(00000000,?,?,0032CC08), ref: 00304AD0

Strings

%lu, xrefs: 00304A6F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1a444bf302921a54d1847f3e4cd8b6cf66e81ce8a8a9876e3d2ed5ffd70d43bc
Instruction ID: 657a901fa0b109006c884f01d50ca0bd57fd8a3243a02427721513dd892944fd
Opcode Fuzzy Hash: 1a444bf302921a54d1847f3e4cd8b6cf66e81ce8a8a9876e3d2ed5ffd70d43bc
Instruction Fuzzy Hash: 4D315071A10109AFDB11DF58C985EAEB7F8EF08308F1480A9E905DB252D771EE56CF61

Function 003241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0032424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00324264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00324271

Strings

msctls_trackbar32, xrefs: 00324226

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2e078c4da610c1190f42940a034d74b6a8ff28803d3f70f861991605643aca30
Instruction ID: b11d7ddd4297ec7888492f2ebf688e0e2f27bcec5b4854815fc5ea77d13512bd
Opcode Fuzzy Hash: 2e078c4da610c1190f42940a034d74b6a8ff28803d3f70f861991605643aca30
Instruction Fuzzy Hash: 6F110631240318BEEF225F29EC06FAB7BACEF85B54F020514FA55E60A0D2B1DC219B20

Function 002F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

Part of subcall function 002F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002F2DC5
Part of subcall function 002F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 002F2DD6
Part of subcall function 002F2DA7: GetCurrentThreadId.KERNEL32 ref: 002F2DDD
Part of subcall function 002F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002F2DE4

GetFocus.USER32 ref: 002F2F78

Part of subcall function 002F2DEE: GetParent.USER32(00000000), ref: 002F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 002F2FC3
EnumChildWindows.USER32(?,002F303B), ref: 002F2FEB

Strings

%s%d, xrefs: 002F2FFF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f0f8041be89bc906eb73f714761ae294e6c5a108d34c940802a7574ab0b75cd4
Instruction ID: 3b55cbdfcb46df2803579b2a521473f438e536b8264c391425bd9da7b99a5980
Opcode Fuzzy Hash: f0f8041be89bc906eb73f714761ae294e6c5a108d34c940802a7574ab0b75cd4
Instruction Fuzzy Hash: A1110671620209ABCF11BF709C95EFDB7AAAF85344F044079FE09AB152DE70991A8F70

Function 00325882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003258EE
DrawMenuBar.USER32(?), ref: 003258FD

Strings

0, xrefs: 0032588F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 502f97bc3dd9feee4f900ddc3d07dadab311035ac000124f73c26327397b335a
Instruction ID: 1648188077f08e411cb425854d4392a213ef79340db30b426c11711924167bb7
Opcode Fuzzy Hash: 502f97bc3dd9feee4f900ddc3d07dadab311035ac000124f73c26327397b335a
Instruction Fuzzy Hash: BC018032510228EFDB629F52EC44BAEBBB8FF46361F108099E849D6151DB308A94DF61

Function 002F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e85d5bd71aefe2d1fb1a1fee8a1dd41ffdacb351ef4bbcf2b0b336a910bbd69
Instruction ID: 606760e6a6c319170177652e664f85e8196c0b38830dd32faf53b502379d861c
Opcode Fuzzy Hash: 8e85d5bd71aefe2d1fb1a1fee8a1dd41ffdacb351ef4bbcf2b0b336a910bbd69
Instruction Fuzzy Hash: FDC15A75A1020AAFDB14CF94C894ABEF7B5FF48344F1085A8EA05EB252C771ED91CB90

Function 0031342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00313459
CoUninitialize.OLE32 ref: 00313463
VariantInit.OLEAUT32(?), ref: 0031346E
VariantClear.OLEAUT32(?), ref: 0031371B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 84ef5f1b5b17b832fde542c7b831128fab046e960bf79726c5877ac7c398680c
Instruction ID: e52b75173b33be237e846be061150bbdac3fb520142e37dca626a7fd89242ba8
Opcode Fuzzy Hash: 84ef5f1b5b17b832fde542c7b831128fab046e960bf79726c5877ac7c398680c
Instruction Fuzzy Hash: D2A147752182009FCB15DF28C485A6AB7E9FF8D710F058859F98A9B362DB30EE41CF91

Function 002F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0032FC08,?), ref: 002F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0032FC08,?), ref: 002F0608
CLSIDFromProgID.OLE32(?,?,00000000,0032CC40,000000FF,?,00000000,00000800,00000000,?,0032FC08,?), ref: 002F062D
_memcmp.LIBVCRUNTIME ref: 002F064E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a7accff152d7293f54a9460bed0cf8528af0a9dc2097e3facd41dbebd7d8ffc9
Instruction ID: 50b34fe131eb934360953afa6b0e695723d0940fb6756341e2249d7d847d09f5
Opcode Fuzzy Hash: a7accff152d7293f54a9460bed0cf8528af0a9dc2097e3facd41dbebd7d8ffc9
Instruction Fuzzy Hash: 70812A71A10109EFCB04DF94C984EEEB7B9FF89315F204168E616EB251DB71AE16CB60

Function 0031A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0031A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0031A6BA

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Process32NextW.KERNEL32(00000000,?), ref: 0031A79C
CloseHandle.KERNEL32(00000000), ref: 0031A7AB

Part of subcall function 002ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002D3303,?), ref: 002ACE8A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0a387997ecccc612c6e4a6d7acbdc548d44832c9010cd765f4e32cf0d07b4e2f
Instruction ID: 420eef7669446391ee5328d11ee72ebcf44f232153891f7c6682f5f55e8b1cc3
Opcode Fuzzy Hash: 0a387997ecccc612c6e4a6d7acbdc548d44832c9010cd765f4e32cf0d07b4e2f
Instruction Fuzzy Hash: 76517A71518300AFD714EF24C886A6BBBE8FF89754F40491DF589972A2EB30E954CF92

Function 002D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002D14C0

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2b909197f18374c6477dc701c3e54ba2e8108076727eb7b0b04d6f101fe80324
Instruction ID: 52a359a66677d2114457e1e5e080fdda724eb24157754e10d312c7916c5986f7
Opcode Fuzzy Hash: 2b909197f18374c6477dc701c3e54ba2e8108076727eb7b0b04d6f101fe80324
Instruction Fuzzy Hash: 65415B35630501BBDB256FB89C46BEE3AA4EF41370F14022BF818D2792E6748C715A61

Function 00326278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003262E2
ScreenToClient.USER32(?,?), ref: 00326315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00326382

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 276f9acf918acf4ac1af73e1f0dba3066d99f6acd6d929adb099a621330bb206
Instruction ID: ac62323e855c4f5af7e5b4813ec317fe79666463c238f53eb2b1a21e16875231
Opcode Fuzzy Hash: 276f9acf918acf4ac1af73e1f0dba3066d99f6acd6d929adb099a621330bb206
Instruction Fuzzy Hash: BD512A74A00219EFCF22DF68E881AAE7BB5EF45360F158159F9159B2A0D730ED41CB90

Function 00311AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00311AFD
WSAGetLastError.WSOCK32 ref: 00311B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00311B8A
WSAGetLastError.WSOCK32 ref: 00311B94

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e4db83ecf77d4d442b42594f6d3e289a5b555e2f792ff2adfdd249bad47c9773
Instruction ID: 96d5f25d9cd63bd60f618cd38926c2b819e928402bf98deb64ecd9c964415f68
Opcode Fuzzy Hash: e4db83ecf77d4d442b42594f6d3e289a5b555e2f792ff2adfdd249bad47c9773
Instruction Fuzzy Hash: 6B41D6346102006FDB25AF24C886F6977E5AB48718F54C44CFA199F7D2D772ED81CB90

Function 002CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841d6d4297e99612e6af564c47c06e2b104911d5f70e0c394e82b69872af464e
Instruction ID: bd30d4202b7bf0c5bc98e9414d0289e05a17b55a1cf97f8dc47fd013278ece48
Opcode Fuzzy Hash: 841d6d4297e99612e6af564c47c06e2b104911d5f70e0c394e82b69872af464e
Instruction Fuzzy Hash: 0B410A75A64304BFD7259F78CC42FAABBA9EB88710F10462EF541DB6C1D77199218B80

Function 003056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00305783
GetLastError.KERNEL32(?,00000000), ref: 003057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003057FA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b8af428b79f9f9b6f09d9631ea90a5694134a8e9b6b7b398259ac54805db1ff7
Instruction ID: f39d5abb28ff2165a84d03c8b5c7f82cac883dfb02ae68561a81650ec03ef138
Opcode Fuzzy Hash: b8af428b79f9f9b6f09d9631ea90a5694134a8e9b6b7b398259ac54805db1ff7
Instruction Fuzzy Hash: EC411A39614610DFCF11DF15C554A1EBBE6AF89720B5A8888EC4AAB362CB34FD11CF91

Function 002CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002B6D71,00000000,00000000,002B82D9,?,002B82D9,?,00000001,002B6D71,?,00000001,002B82D9,002B82D9), ref: 002CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002CD9AB
__freea.LIBCMT ref: 002CD9B4

Part of subcall function 002C3820: RtlAllocateHeap.NTDLL(00000000,?,00361444,?,002AFDF5,?,?,0029A976,00000010,00361440,002913FC,?,002913C6,?,00291129), ref: 002C3852

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b0005c7311871a4db639bfbe6aaaf23d76505a981ecc9e65a54efc1f19ee8fca
Instruction ID: 1aafa8b6f9742e78eb7d856e22cebce08b9b0f7ffa87f1d5710711c4d1edc223
Opcode Fuzzy Hash: b0005c7311871a4db639bfbe6aaaf23d76505a981ecc9e65a54efc1f19ee8fca
Instruction Fuzzy Hash: AA31BE72A2020AABDF25DF64DC81EAE7BA5EB41350F05426CFC04D7291EB35DD65CB90

Function 003252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00325352
GetWindowLongW.USER32(?,000000F0), ref: 00325375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00325382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003253A8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 593a1afff8855a560bc9c44be13d09aa1203d39f0db49145029e14a0ad139644
Instruction ID: f9b19e460192ace5c77708d32d059bdc79c8d12d06d24134cea1fee218204d0e
Opcode Fuzzy Hash: 593a1afff8855a560bc9c44be13d09aa1203d39f0db49145029e14a0ad139644
Instruction Fuzzy Hash: 7531C538A55A28EFEB33DE14EC05BE877A9AB05390F596101FB11961E1C7B09F409B41

Function 002FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 002FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 002FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 002FAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 002FACC6

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fc6582560f21c0f9f965501bad262924a00ce3197f47f418784d57c372e956e1
Instruction ID: 8dbd81bd573024ce0a99dfa01709312d2a51ef6d55c86661dbeb26d5c9221b94
Opcode Fuzzy Hash: fc6582560f21c0f9f965501bad262924a00ce3197f47f418784d57c372e956e1
Instruction Fuzzy Hash: 873116B0A2061D6FEB358F658C147FEFAA5AB49390F04423BE689521D0C37589A58B52

Function 00327674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0032769A
GetWindowRect.USER32(?,?), ref: 00327710
PtInRect.USER32(?,?,00328B89), ref: 00327720
MessageBeep.USER32(00000000), ref: 0032778C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ea35e57f227de81cb46a25201ff0134ad6beeb6da2d73481c4beab385850b63e
Instruction ID: 9accc7b49c5627665ca357408c5627ec1c2c2d96526e645951229de5c1f04da0
Opcode Fuzzy Hash: ea35e57f227de81cb46a25201ff0134ad6beeb6da2d73481c4beab385850b63e
Instruction Fuzzy Hash: 41415C34605225DFCB13CF5CE894EA9BBF9BF49354F1981A8E8149B261C771E942CF90

Function 003216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003216EB

Part of subcall function 002F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002F3A57
Part of subcall function 002F3A3D: GetCurrentThreadId.KERNEL32 ref: 002F3A5E
Part of subcall function 002F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002F25B3), ref: 002F3A65

GetCaretPos.USER32(?), ref: 003216FF
ClientToScreen.USER32(00000000,?), ref: 0032174C
GetForegroundWindow.USER32 ref: 00321752

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 31d0efdf8b4aeeb1ff0573f4eba78c8f2ccbd7dc1a9b1a13d25a30d28ab7b92a
Instruction ID: 9cc6ab692d731d7561d5326382297c1d77b1c0c1f71ce21ec3d78690b5d15ea5
Opcode Fuzzy Hash: 31d0efdf8b4aeeb1ff0573f4eba78c8f2ccbd7dc1a9b1a13d25a30d28ab7b92a
Instruction Fuzzy Hash: 7D314171D10149AFCB11EFAAC981CAEB7FDEF88304B5080AAE415E7211E7319E45CFA0

Function 00328FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

GetCursorPos.USER32(?), ref: 00329001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002E7711,?,?,?,?,?), ref: 00329016
GetCursorPos.USER32(?), ref: 0032905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002E7711,?,?,?), ref: 00329094

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 51053c8a7df81ec280a25b4b2c994a295eb6581b12b215ec01ac50b76a3d1e1e
Instruction ID: 9271e17f741306283ca4d1fb281b4d772cc1b91f6a918ea9130f6754af83fd89
Opcode Fuzzy Hash: 51053c8a7df81ec280a25b4b2c994a295eb6581b12b215ec01ac50b76a3d1e1e
Instruction Fuzzy Hash: 8B21A035610028AFCB278F95E858FEA7BB9FF4A750F14819AF50587161C7319990DB60

Function 002FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0032CB68), ref: 002FD2FB
GetLastError.KERNEL32 ref: 002FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 002FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0032CB68), ref: 002FD376

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 83b463e816770ded1b57015ec152194ada4aa1bc8a0c53277e29e01b0a525803
Instruction ID: 34b0ae178cbf52ff6b7bf8e47d26ad908596fbeb6e87b92647c20f3cc12208e6
Opcode Fuzzy Hash: 83b463e816770ded1b57015ec152194ada4aa1bc8a0c53277e29e01b0a525803
Instruction Fuzzy Hash: 1821B4705243069F8B10DF28C88187EB7E9AE55364F104A6DF699C32A1DB30D956CF93

Function 002F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002F102A
Part of subcall function 002F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002F1036
Part of subcall function 002F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002F1045
Part of subcall function 002F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002F104C
Part of subcall function 002F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002F15BE
_memcmp.LIBVCRUNTIME ref: 002F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F1617
HeapFree.KERNEL32(00000000), ref: 002F161E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 69c666e04da12adcfa7c9819611986f7eac0804c1a46ea2ddce156b5b49f4ba7
Instruction ID: b283681cd0400c51fef6700a722928d2735c72091c4cf384ce226df2cae8c193
Opcode Fuzzy Hash: 69c666e04da12adcfa7c9819611986f7eac0804c1a46ea2ddce156b5b49f4ba7
Instruction Fuzzy Hash: 60216971E20109EFDF14DFA4C945BFEB7B8EF44384F484469E541AB241E731AA25CBA0

Function 00322782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0032280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00322824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00322832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00322840

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 71df9cf73318e1f5cf6cf9eab495f82fe09106f708477aa789df7e77ef04d611
Instruction ID: 43fc4c547b1f1d84ea2dbcffaac389db78345d04b8d9f0b8424cf594e6d627bc
Opcode Fuzzy Hash: 71df9cf73318e1f5cf6cf9eab495f82fe09106f708477aa789df7e77ef04d611
Instruction Fuzzy Hash: EC21C131218121BFD7169B24DC44FAB7B99AF45324F258258F4268B6E2CB75FC42CBD0

Function 002F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,002F790A,?,000000FF,?,002F8754,00000000,?,0000001C,?,?), ref: 002F8D8C
Part of subcall function 002F8D7D: lstrcpyW.KERNEL32(00000000,?,?,002F790A,?,000000FF,?,002F8754,00000000,?,0000001C,?,?,00000000), ref: 002F8DB2
Part of subcall function 002F8D7D: lstrcmpiW.KERNEL32(00000000,?,002F790A,?,000000FF,?,002F8754,00000000,?,0000001C,?,?), ref: 002F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002F8754,00000000,?,0000001C,?,?,00000000), ref: 002F7923
lstrcpyW.KERNEL32(00000000,?,?,002F8754,00000000,?,0000001C,?,?,00000000), ref: 002F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,002F8754,00000000,?,0000001C,?,?,00000000), ref: 002F7984

Strings

cdecl, xrefs: 002F797B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 53f4dbd53175779568df778a6f58abf54612c648c1918766b6f101be3c3ca753
Instruction ID: 18ff4a06c260c03e292e068c49c0ab59bace0e90085a4a8ce3d735494774dab1
Opcode Fuzzy Hash: 53f4dbd53175779568df778a6f58abf54612c648c1918766b6f101be3c3ca753
Instruction Fuzzy Hash: 22112C3A210306ABDB255F34CC45D7AB7A9FF45390B40403AFA02C7264EF719821C751

Function 00327CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00327D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00327D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00327D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0030B7AD,00000000), ref: 00327D6B

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 925472bc06acca420a12a1550004424b5893a2e3d0746749c257ebfcce40c217
Instruction ID: 3eb19bacd552b7abf4265f27f9a2ccf59a396c8b26637cb011bb29d51e1eec36
Opcode Fuzzy Hash: 925472bc06acca420a12a1550004424b5893a2e3d0746749c257ebfcce40c217
Instruction Fuzzy Hash: AC117235515625AFCB129F29DC04AAA3BA9BF46360F268728F835D72F0D7309951CB90

Function 00325660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003256BB
_wcslen.LIBCMT ref: 003256CD
_wcslen.LIBCMT ref: 003256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00325816

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f2fd83a7b93c868180b3886a4df7b628d6a40c6a72c98ec79be26c714acc185d
Instruction ID: 314b045ab9e64c1660a82387a056221fc1f1b3448b832de8ff980acafb4e377c
Opcode Fuzzy Hash: f2fd83a7b93c868180b3886a4df7b628d6a40c6a72c98ec79be26c714acc185d
Instruction Fuzzy Hash: FA11E67161462896DF22EF65EC85AFEB7ACEF11760F54802AF915D6081E770CB84CF60

Function 002C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca091d3acbd1cb5340b08f64a6dddfc93cec229a17d00e862f75d6b0a356f839
Instruction ID: f61b8fc1133fb4eb53471c2cca4223129489985a0bd1984ba5d810f47b370d55
Opcode Fuzzy Hash: ca091d3acbd1cb5340b08f64a6dddfc93cec229a17d00e862f75d6b0a356f839
Instruction Fuzzy Hash: 70018FB2225A167EF6212A786CC2F27661CDF423B8F35132DF522511D6DBA09C3085A0

Function 002F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002F1A8A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: efb945560510459de620032b35c6506a4f4aa07e136393622a2a152e8b386637
Instruction ID: b6834603995c8d8c2945ee57510aea833ad48f5cda470e561da5c22566508dc2
Opcode Fuzzy Hash: efb945560510459de620032b35c6506a4f4aa07e136393622a2a152e8b386637
Instruction Fuzzy Hash: 0811393AD01219FFEB11DBA5CD85FADFB78EB08750F6000A1EA00B7294D6716E60DB94

Function 002FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 002FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002FE24D

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 751b1291f5d270318a26e44dbe34912586372117641a71660eaab102ed8f7e32
Instruction ID: bec9cc0a9c5a4a95d79ebe6cc65f74620d3bf0c3560f7944d518d957cded3b38
Opcode Fuzzy Hash: 751b1291f5d270318a26e44dbe34912586372117641a71660eaab102ed8f7e32
Instruction Fuzzy Hash: 28112B76914258BFDB139FA89C05AAE7FACAB45360F148629F915D3391E2B0DD108BA0

Function 002BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002BCFF9,00000000,00000004,00000000), ref: 002BD218
GetLastError.KERNEL32 ref: 002BD224
__dosmaperr.LIBCMT ref: 002BD22B
ResumeThread.KERNEL32(00000000), ref: 002BD249

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ca37930b7892b5af185dd4cac43910aa3928a2af675c2e5d8668f91d45aa6522
Instruction ID: f2e4bca4921a3dc7c11c810bc351af207da981c0aab62cda8ce7bcd3b3028e02
Opcode Fuzzy Hash: ca37930b7892b5af185dd4cac43910aa3928a2af675c2e5d8668f91d45aa6522
Instruction Fuzzy Hash: A3012636435205BBCB215FA5DC05BEE7A6CDF813B0F204219FD24920D1EB708821CBA0

Function 00329EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 002A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002A9BB2

GetClientRect.USER32(?,?), ref: 00329F31
GetCursorPos.USER32(?), ref: 00329F3B
ScreenToClient.USER32(?,?), ref: 00329F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00329F7A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0aa9e39e0c9195fdc086ee90efd98f96469d44c3e2b37d022bedfb1621fec10b
Instruction ID: d15a1375d3af87618f4f5a699fa6b156b99d333dff210419da5ea8850c717870
Opcode Fuzzy Hash: 0aa9e39e0c9195fdc086ee90efd98f96469d44c3e2b37d022bedfb1621fec10b
Instruction Fuzzy Hash: C3119A3290012ABBCB52DF68E985AEE77BCFF05302F000456F811E7040C330BA92CBA1

Function 0029600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0029604C
GetStockObject.GDI32(00000011), ref: 00296060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0029606A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 8a374c29ab53c0ee73995ae18e190cc90d0552ffa7c66211ec34bb15538c7e06
Instruction ID: 5ce499d4a7ae578c85d63c70e0d4277aefc0ec8dd987a70b6e3d880f33dcf246
Opcode Fuzzy Hash: 8a374c29ab53c0ee73995ae18e190cc90d0552ffa7c66211ec34bb15538c7e06
Instruction Fuzzy Hash: 7F116D72521509BFEF225FA49C98EEABBADFF183A4F040216FA1452110D7729C70DBA0

Function 002B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002B3B56

Part of subcall function 002B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002B3AD2
Part of subcall function 002B3AA3: ___AdjustPointer.LIBCMT ref: 002B3AED

_UnwindNestedFrames.LIBCMT ref: 002B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002B3BA4

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2ed5d70a3bee9d94358154e0b7b87e442b43c29e927a516b2375dcd42922c235
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B2012932110149BBDF12AE95CC42EEB7B69FF48798F044014FE4856122C732E971EFA0

Function 002C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002913C6,00000000,00000000,?,002C301A,002913C6,00000000,00000000,00000000,?,002C328B,00000006,FlsSetValue), ref: 002C30A5
GetLastError.KERNEL32(?,002C301A,002913C6,00000000,00000000,00000000,?,002C328B,00000006,FlsSetValue,00332290,FlsSetValue,00000000,00000364,?,002C2E46), ref: 002C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002C301A,002913C6,00000000,00000000,00000000,?,002C328B,00000006,FlsSetValue,00332290,FlsSetValue,00000000), ref: 002C30BF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 08c16c70afd53f7a9c35f932b9dad0f3d6714dd9d687e7c39c7f66c1ab5ce248
Instruction ID: d15ca46f0d3ee3581fe04b6b23a20d4010ae1e51897d0bf621e8da2ae0e90226
Opcode Fuzzy Hash: 08c16c70afd53f7a9c35f932b9dad0f3d6714dd9d687e7c39c7f66c1ab5ce248
Instruction Fuzzy Hash: 1501B533331622ABCB328A68AC44E67779CAF05761F108B28E906D7140C721D915C6D0

Function 002F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 002F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002F74CA

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e5c00c1d73adb9e46016dac44541850b2fd8b15316377bc1881a25129e036fd5
Instruction ID: 027d0659db26bb7db7eba76fbbf9328c05ffeb292b22b3af04fb2820ef44592b
Opcode Fuzzy Hash: e5c00c1d73adb9e46016dac44541850b2fd8b15316377bc1881a25129e036fd5
Instruction Fuzzy Hash: A7118BB5225319ABE7319F14EC09BA7BBFCEB00B40F10856DE616D7191D7B0E914DBA0

Function 002FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002FACD3,?,00008000), ref: 002FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002FACD3,?,00008000), ref: 002FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002FACD3,?,00008000), ref: 002FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002FACD3,?,00008000), ref: 002FB126

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 84981775a6236729cc6995afa1ffcd650f8314b7bfd9001e4fb536583d66ac39
Instruction ID: 510397d90ec8e14449cf957cde5ca414858a40e93f3a05f45316603189e3c4e3
Opcode Fuzzy Hash: 84981775a6236729cc6995afa1ffcd650f8314b7bfd9001e4fb536583d66ac39
Instruction Fuzzy Hash: C9118B30C20A2DE7DF12AFE4E9696FEFB78FF09351F0040A9DA41B2181CB7056618B51

Function 00327E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00327E33
ScreenToClient.USER32(?,?), ref: 00327E4B
ScreenToClient.USER32(?,?), ref: 00327E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00327E8A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9b701ba603207008191b073a12e3cbb4451f683ed8a718769b0f59496914d250
Instruction ID: e6efdfd5d80cf195d6b658111f3faf56fc318f73978d5d2919a05dfedd250657
Opcode Fuzzy Hash: 9b701ba603207008191b073a12e3cbb4451f683ed8a718769b0f59496914d250
Instruction Fuzzy Hash: 891140B9D0020AAFDB51CF98D884AEEBBF9FF08310F509066E915E2210D735AA55CF90

Function 002F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 002F2DD6
GetCurrentThreadId.KERNEL32 ref: 002F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002F2DE4

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3abf895765a6d6e20d19c5c6a7a1b96b81e1e4835c0a734ee7e624f8cf0346ff
Instruction ID: c55c12c2fb8b318530bbc10556b264bb44ceb86567478971914ff667dee42aec
Opcode Fuzzy Hash: 3abf895765a6d6e20d19c5c6a7a1b96b81e1e4835c0a734ee7e624f8cf0346ff
Instruction Fuzzy Hash: 59E06D71121628BBE7311B629C0EEFBBE6CEB43BA1F441129B206D10809AA48846C6B0

Function 00328863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002A9693
Part of subcall function 002A9639: SelectObject.GDI32(?,00000000), ref: 002A96A2
Part of subcall function 002A9639: BeginPath.GDI32(?), ref: 002A96B9
Part of subcall function 002A9639: SelectObject.GDI32(?,00000000), ref: 002A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00328887
LineTo.GDI32(?,?,?), ref: 00328894
EndPath.GDI32(?), ref: 003288A4
StrokePath.GDI32(?), ref: 003288B2

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cb765318cdbd6c3ce29f8b2e9c01d0f8c3bac24c56f2c84da43cd81fdf8564b4
Instruction ID: 05c04d2c769fd81e37e580c960e8ac1d48ac8926c55b6ed6e2384d6645320db3
Opcode Fuzzy Hash: cb765318cdbd6c3ce29f8b2e9c01d0f8c3bac24c56f2c84da43cd81fdf8564b4
Instruction Fuzzy Hash: 09F03A36052668BAEB235F94AC0AFCE3A5DAF06310F048004FA11650E1C7B55562CFE5

Function 002A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002A98CC
SetTextColor.GDI32(?,?), ref: 002A98D6
SetBkMode.GDI32(?,00000001), ref: 002A98E9
GetStockObject.GDI32(00000005), ref: 002A98F1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 042b0bde77494260ee74674bb29c5539b64bc095326fc2900a9b6ad7e34c93c5
Instruction ID: e7a8ca37517b0e07031fd9adbe2d1a27def15c7c264c3d73f9e9b62ee258810f
Opcode Fuzzy Hash: 042b0bde77494260ee74674bb29c5539b64bc095326fc2900a9b6ad7e34c93c5
Instruction Fuzzy Hash: 7AE0E531250680AADB320F35AC09BDC3F24AB02332F04821DF6F5540E1C37156619B10

Function 002F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 002F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002F11D9), ref: 002F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002F11D9), ref: 002F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002F11D9), ref: 002F164F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2b5057bb81ba0750c76b6c8d55ff00191215d447610a2914eec61aaa97f68e44
Instruction ID: 1755e3e5e3c02d436c177d6333a6c69faa21a4af594d32301cf2719ab0c6a437
Opcode Fuzzy Hash: 2b5057bb81ba0750c76b6c8d55ff00191215d447610a2914eec61aaa97f68e44
Instruction Fuzzy Hash: CFE08631611211DBD7301FA09D0DB5A7B7CBF447D1F14981CF345CA080D6348452C754

Function 002ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002ED858
GetDC.USER32(00000000), ref: 002ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002ED882
ReleaseDC.USER32(?), ref: 002ED8A3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 74605c23cf20c4ed775c22cf9dec14afa976faa94212af3192a7865cc0a978de
Instruction ID: 2f8a8b3f2a1f000d32807fa578aaab54e1d45140b9ff13be9b745c904475dd0f
Opcode Fuzzy Hash: 74605c23cf20c4ed775c22cf9dec14afa976faa94212af3192a7865cc0a978de
Instruction Fuzzy Hash: EAE01AB1820204DFCF529FA0D80866DBBB9FB08710F249009F806E7250CB788912EF40

Function 002ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002ED86C
GetDC.USER32(00000000), ref: 002ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002ED882
ReleaseDC.USER32(?), ref: 002ED8A3

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: da3567ecbe045f195d97bb7debb2c3972da80224b411609df8977c7d55aa41df
Instruction ID: 0852cc39f00e6b38b44a7ab7ef980458dced499875ece5ebcc0fcf4bc8d32d5c
Opcode Fuzzy Hash: da3567ecbe045f195d97bb7debb2c3972da80224b411609df8977c7d55aa41df
Instruction Fuzzy Hash: 97E09A75C20204DFCF629FA0D80866DBBB9FB08711F149449F94AE7650DB785916DF50

Function 00304D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00297620: _wcslen.LIBCMT ref: 00297625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00304ED4

Strings

*, xrefs: 00304E10
LPT, xrefs: 00304DFB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 3fc88c76db4639eebcb9cef6cd39fd18282eb83c029b6b8ec7bca628322b5dde
Instruction ID: 5906be55545b1b6b9de274f9a7bc11f440e035db87c0fd59567bad9187f1c41e
Opcode Fuzzy Hash: 3fc88c76db4639eebcb9cef6cd39fd18282eb83c029b6b8ec7bca628322b5dde
Instruction Fuzzy Hash: C591A1B5A012059FCB15DF58C494EAABBF5BF44304F198099E90A9F7A2C731EE85CF90

Function 002BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002BE30D

Strings

pow, xrefs: 002BE2E5, 002BE302

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 77fab96b34dddb15bbd929b9f9910104ae534e0d5c8be78989dc56375560ddec
Instruction ID: e9a1f0b9fef3e7df854f8e1a636564233a0c6dc613b4a1aed30614ffa2ea094d
Opcode Fuzzy Hash: 77fab96b34dddb15bbd929b9f9910104ae534e0d5c8be78989dc56375560ddec
Instruction Fuzzy Hash: 9C515D6193C10396CF167F14C941BFA3BE89F50780F358A9CE4D6822A9DB358CB19E86

Function 00317771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(002E569E,00000000,?,0032CC08,?,00000000,00000000), ref: 003178DD

Part of subcall function 00296B57: _wcslen.LIBCMT ref: 00296B6A

CharUpperBuffW.USER32(002E569E,00000000,?,0032CC08,00000000,?,00000000,00000000), ref: 0031783B

Strings

<s5, xrefs: 003177C8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s5
API String ID: 3544283678-2156997616
Opcode ID: e9a3e9817b5547d70ef7238b548e70b03f9d90c83f7f54757656dc3bfc5291af
Instruction ID: 6067df2d6db132a4401e4bc385900d6a2e5dbcb9d2d5fd2b3ba039113dadddca
Opcode Fuzzy Hash: e9a3e9817b5547d70ef7238b548e70b03f9d90c83f7f54757656dc3bfc5291af
Instruction Fuzzy Hash: C2612376924119ABCF0AEBA4CC91DFDB378BF18700B584129F542B7091EF305A99CFA0

Function 002AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002AE1B1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8d91d30bc3cfd4ed3ff9e137fe4c0bc70ced8bfdd335f82c2d2919f544b5bd48
Instruction ID: c509ec80a7a37203c26dab1e4efece8c4b1e7a08d250615f9189a1d78c9c06b6
Opcode Fuzzy Hash: 8d91d30bc3cfd4ed3ff9e137fe4c0bc70ced8bfdd335f82c2d2919f544b5bd48
Instruction Fuzzy Hash: B1513435560286DFDF25DF29C4816BABBA8EF66310F654019EC919B2D0DA309D63CB90

Function 002AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002AF2BB

Strings

@, xrefs: 002AF2AF

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 30998f1df151c29e518a08f030ad43323545a12608e8ed6546025662d56e9632
Instruction ID: 7cb98605680f7f389e40c82530c7635595e5ce07ca6e80fcad2e387c79d9edc1
Opcode Fuzzy Hash: 30998f1df151c29e518a08f030ad43323545a12608e8ed6546025662d56e9632
Instruction Fuzzy Hash: B85155724287449BD720AF10D886BAFBBF8FB85300F81884DF299411A5EB709579CB66

Function 00315745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003157E0
_wcslen.LIBCMT ref: 003157EC

Strings

CALLARGARRAY, xrefs: 003157E6, 003157EB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6db4d4bcbe55b35964a3c1f8adcb1f6336c3f6edfd1312ea3fe209acd82fd0d6
Instruction ID: 6cd4382894dd97d414ecda3f1df4e034647c493281e2d041bef4cf3faa72b1cc
Opcode Fuzzy Hash: 6db4d4bcbe55b35964a3c1f8adcb1f6336c3f6edfd1312ea3fe209acd82fd0d6
Instruction Fuzzy Hash: 5A41BE31A10219DFCB19DFA8C8818FEBBB5FF99320F114029E505A7291EB309D81CF90

Function 0030D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0030D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0030D13A

Strings

|, xrefs: 0030D10B

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 818c97e241304e860cf62d86deff7e901db3ce0ad17f81474cd09388dc291262
Instruction ID: 21ecb93a2737815a6926bd09fce9c20919e60563d9e1bd314fc40015d02f6501
Opcode Fuzzy Hash: 818c97e241304e860cf62d86deff7e901db3ce0ad17f81474cd09388dc291262
Instruction Fuzzy Hash: 47311871D11209ABCF15EFA4CC95EEEBFB9FF04340F000019E815A6162EB31AA56CF60

Function 0032356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00323621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0032365C

Strings

static, xrefs: 003235BC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8df7c8286adcececac6328fd15f8302c7121efe387724121097ddbae14c3f75d
Instruction ID: 467ec9a76a5a8868c5136448a2ff0208fe63c32b07da2c5ed2dc54a52eb3b5d6
Opcode Fuzzy Hash: 8df7c8286adcececac6328fd15f8302c7121efe387724121097ddbae14c3f75d
Instruction Fuzzy Hash: 6F31B071110614AEDB21DF28EC80FFB73ADFF48720F119619F8A597280DA34AD91CB60

Function 00324537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0032461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00324634

Strings

', xrefs: 0032458E

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 06483f04487107ac905e26ec2afac4a482356655e5d64f4e5c9fe280dfe5eb5d
Instruction ID: b75a454c12abe065fdc93d5d83fce8fe2b8b490d5c10912bc41d11c7e2ce285b
Opcode Fuzzy Hash: 06483f04487107ac905e26ec2afac4a482356655e5d64f4e5c9fe280dfe5eb5d
Instruction Fuzzy Hash: A2313974A003199FDF15CFA9D990BDABBB9FF0A300F25406AE904AB341D770A941CF90

Function 003231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0032327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00323287

Strings

Combobox, xrefs: 00323249

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 73f294ae3d6c42ab1d16c024e8dc810269eb9e43a33fde11ba832595f8396d5d
Instruction ID: 7b9fd5125c45db50f6f12c3bd2f0a8c2cdf85af8527e3229d6106ddd1e687655
Opcode Fuzzy Hash: 73f294ae3d6c42ab1d16c024e8dc810269eb9e43a33fde11ba832595f8396d5d
Instruction Fuzzy Hash: A711E271300318BFEF229F54EC84EBB3B6EEB94364F114528F918A7290D6359D518B60

Function 00323710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0029600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0029604C
Part of subcall function 0029600E: GetStockObject.GDI32(00000011), ref: 00296060
Part of subcall function 0029600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0029606A

GetWindowRect.USER32(00000000,?), ref: 0032377A
GetSysColor.USER32(00000012), ref: 00323794

Strings

static, xrefs: 00323757

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a1f96b2ceea9a6e4c149fe98df01708be2c959971891d6d5ea7dd751bc4ac814
Instruction ID: 174d61c08647c9937e85c1ff9c883fcaaa90b3574ae57ebd3b14aaa8d561b578
Opcode Fuzzy Hash: a1f96b2ceea9a6e4c149fe98df01708be2c959971891d6d5ea7dd751bc4ac814
Instruction Fuzzy Hash: E61159B2620219AFDF02DFA8DC45AEE7BB8FB08304F014514F955E2250D774E8219B50

Function 0030CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0030CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0030CDA6

Strings

<local>, xrefs: 0030CD66

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 11a3710e3260fb452aa460e663c86e53a5140269f8e9e9433368db9c499a3e5e
Instruction ID: fb1d4f717ba84318e6af7a336a1903601e914e8b695ba7d9089408f497512f21
Opcode Fuzzy Hash: 11a3710e3260fb452aa460e663c86e53a5140269f8e9e9433368db9c499a3e5e
Instruction Fuzzy Hash: B011C271226631BAD73A4B668C59EE7BEACEF127A4F00533AB109830D0E7709845D6F0

Function 00323429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003234BA

Strings

edit, xrefs: 0032348F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 50b99c3784c02d9370445c6af9f81b279c89050c065793716fb0c101784437aa
Instruction ID: 2d08260157d50e298bbbaa3f17bdb8978384b348a4ab215a7d434d117d4b42d3
Opcode Fuzzy Hash: 50b99c3784c02d9370445c6af9f81b279c89050c065793716fb0c101784437aa
Instruction Fuzzy Hash: 9811BF71110128ABEB236E65EC44AFB376EEB05374F614364FA60931D0C779EC519B60

Function 002F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

CharUpperBuffW.USER32(?,?,?), ref: 002F6CB6
_wcslen.LIBCMT ref: 002F6CC2

Strings

STOP, xrefs: 002F6CBC, 002F6CC1

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 03908854d5b7c99de5be479b2ae0272fdf2459915f0f720dfb1586956d9b35f6
Instruction ID: 3503dbbce84d1afc9d5230be9cf5cd0af6dcf13cf0846e690461b36095a5d17c
Opcode Fuzzy Hash: 03908854d5b7c99de5be479b2ae0272fdf2459915f0f720dfb1586956d9b35f6
Instruction Fuzzy Hash: 8401263263052B8BCB21AFFDDC888BFB3B4FB617907000539E9A293195EB31D860C650

Function 002F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002F1D4C

Strings

ListBox, xrefs: 002F1D16
ComboBox, xrefs: 002F1CEB

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ded7ed926e957c6048ecd755405db4c0246b72c3e2e4608ff81c829a61016c85
Instruction ID: 747d7294ff9b807668ffddcaa1e5a96ab268666b2491daa494ae45edf1f5e11c
Opcode Fuzzy Hash: ded7ed926e957c6048ecd755405db4c0246b72c3e2e4608ff81c829a61016c85
Instruction Fuzzy Hash: 4301B971621119ABCF14EFA4CD55CFEB378FB463A0B44052EE932572D1DA3159388A60

Function 002F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 002F1C46

Strings

ListBox, xrefs: 002F1C10
ComboBox, xrefs: 002F1BE5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f2ec874dde71cc24615b1ae2114c728c9803a70ebc413bd9468a6557c80a358c
Instruction ID: 0cec4c671613de1f173faf1a10844b169da281db8402803fa7c1dd19fcfe1f94
Opcode Fuzzy Hash: f2ec874dde71cc24615b1ae2114c728c9803a70ebc413bd9468a6557c80a358c
Instruction Fuzzy Hash: AF01FC7166010CA6CF04EB94CD51DFFB3A89B15380F54002FE91673281EA209E3CCAB2

Function 002F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 002F1CC8

Strings

ListBox, xrefs: 002F1C94
ComboBox, xrefs: 002F1C69

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7a4bdb85182475e160a6a87cf53ed24caef20958c82acb9b45741ed14e7f811f
Instruction ID: 39dc546506e2edfbab05095005fc800d9fe0f31e400949a1dad1874b02ce264d
Opcode Fuzzy Hash: 7a4bdb85182475e160a6a87cf53ed24caef20958c82acb9b45741ed14e7f811f
Instruction Fuzzy Hash: 5901A771A6011DA6CF15EB95CA11EFEB7A89B11380F54002FB91273291EA619F38CA72

Function 002AA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002AA529

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Strings

,%6, xrefs: 002AA509
3y., xrefs: 002AA545, 002AA54D, 002AA552

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%6$3y.
API String ID: 2551934079-3341285861
Opcode ID: 234031a2736d2de104d7019ee66f745c2c4e0feb55b8aca4d087abdc648c9e79
Instruction ID: 356e80d62cb9720a04d7d2d9e6374d84f4fb76a88200eaeadb6666bfc0aee452
Opcode Fuzzy Hash: 234031a2736d2de104d7019ee66f745c2c4e0feb55b8aca4d087abdc648c9e79
Instruction Fuzzy Hash: 8F014731E206108BC916F76CD857AAE73189F07720F804029F612171C2EF509D61CE9B

Function 002F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299CB3: _wcslen.LIBCMT ref: 00299CBD

Part of subcall function 002F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 002F1DD3

Strings

ListBox, xrefs: 002F1DA0
ComboBox, xrefs: 002F1D75

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 346a141792211d23f9bf94ea60bb90a8edc7119adf6fe161f92c66e19fb76d5b
Instruction ID: 70d5da9b523782a361eed519a1ab7766ca1bd563170bd33674d16e7d06c68c9f
Opcode Fuzzy Hash: 346a141792211d23f9bf94ea60bb90a8edc7119adf6fe161f92c66e19fb76d5b
Instruction Fuzzy Hash: 63F0F971A71219A6CF04EBA4CC51EFEB378AB02390F44092EF922632C1DA6059288660

Function 00328172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00363018,0036305C), ref: 003281BF
CloseHandle.KERNEL32 ref: 003281D1

Strings

\06, xrefs: 0032818A

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \06
API String ID: 3712363035-2317069740
Opcode ID: 231f9697583e7942608c3bdc18f45879a49adf567f8cf210c1f4988757858914
Instruction ID: 0755c2afad03fc1004ad9ae5a8cb06f9a14e76965c5cfae06390dc2f521c58a9
Opcode Fuzzy Hash: 231f9697583e7942608c3bdc18f45879a49adf567f8cf210c1f4988757858914
Instruction Fuzzy Hash: C6F082F5650300FEE3226B61AC45FB73A9CDF04B60F008464FB09D51A2D6B99E1887F8

Function 0031747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00317493
_wcslen.LIBCMT ref: 003174B9

Strings

3, 3, 16, 1, xrefs: 00317483

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 380dd4beebaf80684d254f27e6bae02d3e9d6e94adb51e7a45be3b159e8054e4
Instruction ID: 6be8d84f9ec343d8973da5011633b1b9f6caffa7fc18aa91bb50df197af72fb1
Opcode Fuzzy Hash: 380dd4beebaf80684d254f27e6bae02d3e9d6e94adb51e7a45be3b159e8054e4
Instruction Fuzzy Hash: 65E02B06214660109336227BACC59FF5699CFCD7E0718182BF981C2267EE948DE193A0

Function 002F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002F0B23

Strings

AutoIt, xrefs: 002F0B17
Error allocating memory., xrefs: 002F0B1C

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 419f639a06c640cdc9905aa563d28596f883450b94c0a4135a4966d1b2d453e2
Instruction ID: e4a48c434850f0154837c90e1c1e1ad8a0894190d2fb5799a72c438a8a1a1920
Opcode Fuzzy Hash: 419f639a06c640cdc9905aa563d28596f883450b94c0a4135a4966d1b2d453e2
Instruction Fuzzy Hash: 1CE0D8312643182BD22636D47D43FCD7AC48F05B55F10042AFB48555D38FE164B04AE9

Function 002B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002B0D71,?,?,?,0029100A), ref: 002AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0029100A), ref: 002B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0029100A), ref: 002B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002B0D7F

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ce4434693b24b3d38bd1e7f21af98a3d24495735eb793705ddefddd6f5cb7a8c
Instruction ID: a8f70d7cb017b90d89800cc8e108b0b112875d65de55cb0093b9fc243de0b919
Opcode Fuzzy Hash: ce4434693b24b3d38bd1e7f21af98a3d24495735eb793705ddefddd6f5cb7a8c
Instruction Fuzzy Hash: F1E06D742103128FE7729FB8E8487967BF4EF00B80F00892DE482C6695DBB4E4558BA1

Function 002AE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002AE3D5

Strings

8%6, xrefs: 002AE3CA
0%6, xrefs: 002AE3B5

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%6$8%6
API String ID: 1385522511-1852730032
Opcode ID: 34cac53f7af6c2568158936b3853ab54e39dc842e291381405e425bfc81f1d0d
Instruction ID: 6e0cc41a4f2d5ece827b309408c9b02ba5887b9096a4e310b4b725f2a6025ac1
Opcode Fuzzy Hash: 34cac53f7af6c2568158936b3853ab54e39dc842e291381405e425bfc81f1d0d
Instruction Fuzzy Hash: CDE0DF31430E108BCE26AB18B894EAEB359AB07320B1381A6E30387191AFB028528A45

Function 00303017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0030302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00303044

Strings

aut, xrefs: 00303038

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 33a067690fdb515189463d1089fcaef44e1b67cc2c4d91c7905bc7d1880ce210
Instruction ID: 5dc47c6ccbfd0d41557645fb92326a935b5ec09f00c863dfc75ba4ba77c4ff2a
Opcode Fuzzy Hash: 33a067690fdb515189463d1089fcaef44e1b67cc2c4d91c7905bc7d1880ce210
Instruction Fuzzy Hash: 22D05EB2500328A7DE30A7A4AC0EFCB3A6CDB04751F4006A1BA55E20A1DFB09985CAD0

Function 002ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002ED220

Strings

%.3d, xrefs: 002ED22B
X64, xrefs: 002ED2A8

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: bafccb97b8cadec937d586bd880f1ac78fdbfb7c23edd16c8653553c1c8bb5a7
Instruction ID: 290f2e290888bb802ebf5346c432cd7098da963063278d403c5cbb245e9833f0
Opcode Fuzzy Hash: bafccb97b8cadec937d586bd880f1ac78fdbfb7c23edd16c8653553c1c8bb5a7
Instruction Fuzzy Hash: AFD01271878148EACF9096E1DD458B9B37CAB09341F908452FE16A1052DA64D5286B61

Function 00322322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0032232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0032233F

Part of subcall function 002FE97B: Sleep.KERNEL32 ref: 002FE9F3

Strings

Shell_TrayWnd, xrefs: 00322325

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 18b6636857ce5594d065b329bf5cb91ec60939ad3ad95b805098166068ef7c0a
Instruction ID: e472203cbcdbccd643e6a0db67dddf9088d58c7d7e6a4b0dcacebfd6465825a2
Opcode Fuzzy Hash: 18b6636857ce5594d065b329bf5cb91ec60939ad3ad95b805098166068ef7c0a
Instruction Fuzzy Hash: 6BD022323A0300B7E676B730DC0FFCEFA089B00B00F000A1AB705AA0E0C8F0A802CA54

Function 00322356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0032236C
PostMessageW.USER32(00000000), ref: 00322373

Part of subcall function 002FE97B: Sleep.KERNEL32 ref: 002FE9F3

Strings

Shell_TrayWnd, xrefs: 00322365

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 46ac9a41c405c3757a581f41176d963e9d2a574511662c6207b4ae7ac8e6dab6
Instruction ID: b35279c98298ebf75d312ccc5c2781bf83dd586c7d3a1c2cc11b6c782583fcda
Opcode Fuzzy Hash: 46ac9a41c405c3757a581f41176d963e9d2a574511662c6207b4ae7ac8e6dab6
Instruction Fuzzy Hash: 6BD0A9323A0300BAE676A7309C0FFCAA6089B04B00F000A1AB701AA0E0C8F0A8028A58

Function 002CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 002CBE93
GetLastError.KERNEL32 ref: 002CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002CBEFC

Memory Dump Source

Source File: 00000000.00000002.2116468951.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.2116423440.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.000000000032C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116568352.0000000000352000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116647765.000000000035C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116680463.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f97173c69e109235c0046077feb28958b015e3dd7704e7aff6195e96af6fdd55
Instruction ID: 904ab27e6e2a6afc910bb1612c2976f23c4bc26e33249b61ce7e4f7f4b27baf6
Opcode Fuzzy Hash: f97173c69e109235c0046077feb28958b015e3dd7704e7aff6195e96af6fdd55
Instruction Fuzzy Hash: 3B41E435620257AFDF228F64CC46FAA7BA8AF41710F14426DF959972A1DB308C25CF60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2198257953.000001484BE34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2198257953.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227570889.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250969021.000001484BEA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2203692648.00000148490C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206542053.0000014847A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2203692648.00000148490C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206542053.0000014847A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2205403978.0000014847ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198257953.000001484BE34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280544482.00000148408F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2198257953.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227570889.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250969021.000001484BEA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: =https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: =https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2269383625.0000014840FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269383625.0000014840FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2203692648.00000148490C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206542053.0000014847A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2203692648.00000148490C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245866854.00000148422DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206542053.0000014847A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289143212.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289143212.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289143212.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290856035.000001483F478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3302351669.000001F161F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2198257953.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251139280.000001484BE91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227570889.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2205403978.0000014847ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198257953.000001484BE34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244359142.000001484AF60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2198257953.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227570889.000001484BE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250969021.000001484BEA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2244359142.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251722211.000001484AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284567577.000001484AF60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2246899692.00003D076BA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2280544482.000001484081D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2268489454.0000014841067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280544482.00000148408D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49858 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c45f638c-8795-4389-bdc8-27ad0d39009f.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c45f638c-8795-4389-bdc8-27ad0d39009f.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre