Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562850
MD5:	ae81a1bee1fe99f08c622b98100850e4
SHA1:	dff48fe8c901e7f0ed8b4a48dc9fe47316c37309
SHA256:	fdd2d2f278842747aaad0ad6fcf485155603efa94700918a3beea0769fb434bf
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

file.exe (PID: 5868 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AE81A1BEE1FE99F08C622B98100850E4)

taskkill.exe (PID: 1464 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3808 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1412 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4732 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2912 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2552 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6960 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7204 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a72cb5cd-985a-4500-b060-a3fccf47a185} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd936e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7920 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 2952 -prefMapHandle 2988 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {621ec6c5-4f70-4856-bbff-2195b9a901fa} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd937a410 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7596 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c7457a-1b8b-4a7d-99d2-323e2f211b0d} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffea7b9f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5868	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_002AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_002AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_002AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0029AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c253a96c-7
Source: file.exe, 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bca17719-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d30f7c99-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3ff552a9-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC84076B7 NtQuerySystemInformation,		23_2_0000011DC84076B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC842B2F2 NtQuerySystemInformation,		23_2_0000011DC842B2F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0029D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00291201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00291201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0029E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023BF40	0_2_0023BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00238060	0_2_00238060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A2046	0_2_002A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298298	0_2_00298298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026E4FF	0_2_0026E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026676B	0_2_0026676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C4873	0_2_002C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025CAA0	0_2_0025CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023CAF0	0_2_0023CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024CC39	0_2_0024CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00266DD9	0_2_00266DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D065	0_2_0024D065
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024B119	0_2_0024B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002391C0	0_2_002391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251394	0_2_00251394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251706	0_2_00251706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025781B	0_2_0025781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00237920	0_2_00237920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024997D	0_2_0024997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002519B0	0_2_002519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00257A4A	0_2_00257A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251C77	0_2_00251C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00257CA7	0_2_00257CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002BBE44	0_2_002BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00269EEE	0_2_00269EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251F32	0_2_00251F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC84076B7	23_2_0000011DC84076B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC842B2F2	23_2_0000011DC842B2F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC842B332	23_2_0000011DC842B332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000011DC842BA1C	23_2_0000011DC842BA1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00239CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00250A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0024F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A37B5 GetLastError,FormatMessageW,

0_2_002A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002910BF AdjustTokenPrivileges,CloseHandle,		0_2_002910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0029D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_002A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1446146012.000001FFF4E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1432472777.000001FFF4E47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1370624565.000001FFF4E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000012.00000003.1370977392.000001FFF4E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a72cb5cd-985a-4500-b060-a3fccf47a185} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd936e310 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 2952 -prefMapHandle 2988 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {621ec6c5-4f70-4856-bbff-2195b9a901fa} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd937a410 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c7457a-1b8b-4a7d-99d2-323e2f211b0d} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffea7b9f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a72cb5cd-985a-4500-b060-a3fccf47a185} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd936e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 2952 -prefMapHandle 2988 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {621ec6c5-4f70-4856-bbff-2195b9a901fa} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd937a410 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c7457a-1b8b-4a7d-99d2-323e2f211b0d} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffea7b9f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000012.00000003.1332945495.000001FFF58D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000012.00000003.1383028361.000001FFE6A5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000012.00000003.1381375387.000001FFE6A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000012.00000003.1383028361.000001FFE6A5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000012.00000003.1383028361.000001FFE6A5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000012.00000003.1381375387.000001FFE6A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000012.00000003.1332945495.000001FFF58D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000012.00000003.1383028361.000001FFE6A5E000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: gmpopenh264.dll.tmp.18.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00250A76 push ecx; ret

0_2_00250A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0024F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95282

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000011DC84076B7 rdtsc

23_2_0000011DC84076B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0029DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026C2A2 FindFirstFileExW,	0_2_0026C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A68EE FindFirstFileW,FindClose,	0_2_002A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_002A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0029D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0029D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_002A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_002A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: firefox.exe, 00000017.00000002.2509384484.0000011DC84B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: firefox.exe, 00000015.00000002.2510828711.000001F82A700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2501181041.000001F82A15A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2509228438.0000022ADD600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2503191136.0000022ADD23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.2509747761.000001F82A61C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000017.00000002.2509384484.0000011DC84B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000015.00000002.2510828711.000001F82A700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2509384484.0000011DC84B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000017.00000002.2500100201.0000011DC7B6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0QK

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000011DC84076B7 rdtsc

23_2_0000011DC84076B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002AEAA2 BlockInput,

0_2_002AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00262622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00262622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00254CE8 mov eax, dword ptr fs:[00000030h]

0_2_00254CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00290B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00290B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00262622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00262622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0025083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002509D5 SetUnhandledExceptionFilter,	0_2_002509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00250C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00250C21

Source: C:\Users\user\Desktop\file.exe

0_2_00291201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00272BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00272BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029B226 SendInput,keybd_event,

0_2_0029B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002B22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=2304 -parentbuildid 20230927232528 -prefshandle 2240 -prefmaphandle 2224 -prefslen 25302 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {a72cb5cd-985a-4500-b060-a3fccf47a185} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd936e310 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=3664 -parentbuildid 20230927232528 -prefshandle 2952 -prefmaphandle 2988 -prefslen 26317 -prefmapsize 237879 -appdir "c:\program files\mozilla firefox\browser" - {621ec6c5-4f70-4856-bbff-2195b9a901fa} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd937a410 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=4968 -parentbuildid 20230927232528 -sandboxingkind 0 -prefshandle 4996 -prefmaphandle 4992 -prefslen 32993 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {e5c7457a-1b8b-4a7d-99d2-323e2f211b0d} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffea7b9f10 utility

Source: C:\Users\user\Desktop\file.exe

0_2_00290B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00291663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00291663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00250698 cpuid

0_2_00250698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_002A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0028D27A GetUserNameW,

0_2_0028D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0026B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5868, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5868, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_002B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_002B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
dualstack.reddit.map.fastly.net	151.101.129.140	true	false	high
youtube-ui.l.google.com	142.250.181.142	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000019.00000002.2504825737.0000022ADD5C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000012.00000003.1370378668.000001FFF4F7C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000012.00000003.1452753444.000001FFF4666000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1446947294.000001FFF4662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323645883.000001FFF455A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.18.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000012.00000003.1396631562.000001FFF1133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387626305.000001FFF1133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1310185691.000001FFF1138000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000019.00000002.2504825737.0000022ADD58F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000012.00000003.1410896588.000001FFEC662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000012.00000003.1454283398.000001FFF1730000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000012.00000003.1451990068.000001FFF5425000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 00000012.00000003.1396160589.000001FFF558C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000012.00000003.1417103123.000001FFEAC31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000012.00000003.1371465194.000001FFF15F6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000012.00000003.1433886496.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4BC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000012.00000003.1454722448.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1409086795.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000012.00000003.1284104859.000001FFE9021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1284393748.000001FFE9060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1284518431.000001FFE907F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1283983313.000001FFE8E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1284245196.000001FFE9040000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000012.00000003.1416162247.000001FFEBBF3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 00000012.00000003.1427857521.000035F12BE03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000012.00000003.1284104859.000001FFE9021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1284393748.000001FFE9060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1283983313.000001FFE8E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1284245196.000001FFE9040000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000012.00000003.1413727521.000001FFEB6A9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000012.00000003.1371465194.000001FFF15F6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000012.00000003.1410896588.000001FFEC662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000012.00000003.1370977392.000001FFF4E34000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000012.00000003.1371203349.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000012.00000003.1409086795.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 00000012.00000003.1417103123.000001FFEAC31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000012.00000003.1417103123.000001FFEAC7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1436775186.000001FFEAC73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 00000012.00000003.1313916356.000001FFE96FB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000012.00000003.1439976816.000001FFE517D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000012.00000003.1409086795.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2502999390.0000011DC7E0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504825737.0000022ADD50C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000012.00000003.1323582710.000001FFF457F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1324032955.000001FFF4584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323615534.000001FFF4586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000012.00000003.1372532173.000001FFECCAD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000012.00000003.1454283398.000001FFF1730000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000012.00000003.1407564988.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1433886496.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000019.00000002.2504825737.0000022ADD5C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000012.00000003.1323582710.000001FFF457F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1324032955.000001FFF4584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000012.00000003.1379120020.000001FFE99B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000012.00000003.1446800319.000001FFF4696000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.18.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000012.00000003.1417103123.000001FFEACE7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000015.00000002.2505554241.000001F82A5CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2502999390.0000011DC7EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2509543540.0000022ADD703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.18.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000012.00000003.1417103123.000001FFEAC7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1436775186.000001FFEAC73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000019.00000002.2504825737.0000022ADD513000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1454283398.000001FFF1730000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 00000012.00000003.1417103123.000001FFEAC31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000015.00000002.2505554241.000001F82A572000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000012.00000003.1400537881.000001FFEA596000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1372298973.000001FFECCDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387626305.000001FFF1119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1372048202.000001FFF126A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1379769060.000001FFE9974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386698321.000001FFEA938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1448947608.000001FFEA83F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425383798.000001FFEA87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1409737548.000001FFEC74B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1400537881.000001FFEA598000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1411202626.000001FFEC618000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386698321.000001FFEA935000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1381649581.000001FFE99B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1432232471.000001FFEA8D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1413727521.000001FFEB6A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1395994920.000001FFEA5B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1396631562.000001FFF1119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1293288793.000001FFE94E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1293288793.000001FFE94FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1385293439.000001FFECAEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1403998220.000001FFEA4CF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000012.00000003.1416162247.000001FFEBBF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000012.00000003.1416162247.000001FFEBBF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.18.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000012.00000003.1371785498.000001FFF12C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1454977311.000001FFF12C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000012.00000003.1313916356.000001FFE96FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371957423.000001FFF1285000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000012.00000003.1313916356.000001FFE96FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371957423.000001FFF1285000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000012.00000003.1396631562.000001FFF1133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387626305.000001FFF1133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1310185691.000001FFF1138000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000012.00000003.1454722448.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1409086795.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000012.00000003.1454722448.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1409086795.000001FFF14A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000012.00000003.1368946797.000001FFF5430000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000012.00000003.1286188326.000001FFE7519000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1286544675.000001FFE7533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1285414341.000001FFE7533000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 00000012.00000003.1396160589.000001FFF558C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.2504561792.000001F82A360000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2507720766.0000011DC8370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2504230039.0000022ADD360000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000012.00000003.1435460534.000001FFF1095000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000012.00000003.1324090148.000001FFF4595000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323582710.000001FFF457F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1324032955.000001FFF4584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323615534.000001FFF4586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1323972292.000001FFF4573000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000012.00000003.1286188326.000001FFE7519000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1286544675.000001FFE7533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1439976816.000001FFE517D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1285414341.000001FFE7533000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000012.00000003.1407564988.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1433886496.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562850
Start date and time:	2024-11-26 06:46:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 34.209.229.249, 52.32.237.164, 172.217.17.46, 172.217.17.42, 23.200.87.12, 23.200.86.251, 172.217.17.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:47:13	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	Finish_Agreement_DocuSign.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	http://www.btc1yby.blogspot.rs/	Get hash	malicious	GRQ Scam	Browse	151.101.66.208
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	151.101.2.132
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73a49bae-d051-417a-a326-ad04d4bcf16a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.1765138437010165
Encrypted:	false
SSDEEP:	192:OMvMX8eRcbhbVbTbfbRbObtbyEl7nsrKJA6unSrDtTkd/S9F:OFFcNhnzFSJMrZ1nSrDhkd/cF
MD5:	F2FC94825CC7AFD0B54053F66597D162
SHA1:	DF6DF56E066A300E37A42E063A5E08A508FF187E
SHA-256:	9BA6376DD98039517706067DBFBDB519B4B277DB23439CB628BAF174969F932E
SHA-512:	F8947F4B44B389D3AB7D59A6C12D362DCB08B48CAFC956B1BF886AADDF9BCE0F670BAE7B80DA96F112DE66EDC3411C1A05DF67AB2552D3B3259E1C4535A75B1A
Malicious:	false
Preview:	{"type":"uninstall","id":"73a49bae-d051-417a-a326-ad04d4bcf16a","creationDate":"2024-11-26T07:39:27.082Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73a49bae-d051-417a-a326-ad04d4bcf16a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.1765138437010165
Encrypted:	false
SSDEEP:	192:OMvMX8eRcbhbVbTbfbRbObtbyEl7nsrKJA6unSrDtTkd/S9F:OFFcNhnzFSJMrZ1nSrDhkd/cF
MD5:	F2FC94825CC7AFD0B54053F66597D162
SHA1:	DF6DF56E066A300E37A42E063A5E08A508FF187E
SHA-256:	9BA6376DD98039517706067DBFBDB519B4B277DB23439CB628BAF174969F932E
SHA-512:	F8947F4B44B389D3AB7D59A6C12D362DCB08B48CAFC956B1BF886AADDF9BCE0F670BAE7B80DA96F112DE66EDC3411C1A05DF67AB2552D3B3259E1C4535A75B1A
Malicious:	false
Preview:	{"type":"uninstall","id":"73a49bae-d051-417a-a326-ad04d4bcf16a","creationDate":"2024-11-26T07:39:27.082Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941219118814879
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLxql8P:8S+Oc+UAOdwiOdKeQjDL4l8P
MD5:	109FA2AE353DB93CEE19E404A1D7ACBA
SHA1:	3162001E2716A91764D5ED5B9044496689F4EF16
SHA-256:	E2D3203ED57B9CF3C4B18B85ADB48BDD1B519EA7B4E8DB72374E49BD5EDAF691
SHA-512:	822229C5E95D11853CE6F56DA5DFA66791A0EB5384267E4AF4CB5F7EEEB336F1F8FDC51FA0AD2E84D603A400867A73041745A597AF8308298B47C89FBAD3E821
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941219118814879
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLxql8P:8S+Oc+UAOdwiOdKeQjDL4l8P
MD5:	109FA2AE353DB93CEE19E404A1D7ACBA
SHA1:	3162001E2716A91764D5ED5B9044496689F4EF16
SHA-256:	E2D3203ED57B9CF3C4B18B85ADB48BDD1B519EA7B4E8DB72374E49BD5EDAF691
SHA-512:	822229C5E95D11853CE6F56DA5DFA66791A0EB5384267E4AF4CB5F7EEEB336F1F8FDC51FA0AD2E84D603A400867A73041745A597AF8308298B47C89FBAD3E821
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07322804855540402
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiRo:DLhesh7Owd4+jiRo
MD5:	68D61DCB3C3E613D8894684E742B1C27
SHA1:	244B5B583F317C00C2AFE4959DB08C94E5091954
SHA-256:	7E7D84BD5118977DBD55E19FAF1DD1023C438D4E55E2DA58DD77BF9C7B1C47B1
SHA-512:	61E1732D735F5965CCF75A60CD58F95EB85CF042904874E976B42AFE918A37E85A5B5A0121A114DBABFA53D4E50CB9B3CEEAC7D60D41CBF01B03AABD58B27F19
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFSj2NVPaWmAQ4l3lstFSj2NVPaWmAI1T89//alEl:GtWtQj2LPdmCl3WtQj2LPdm/89XuM
MD5:	2FAF659FE0C26FF88A1A759C0A166EF8
SHA1:	99EFB399EF0662B995DDFF4D037E30C1C52DFB24
SHA-256:	B064D5E137E327795A9B98BD1DCAFCE26856C975A26E5205A6318166A9473721
SHA-512:	048064FF92A289339611043595AAE0F8015CCEB9DEBEBA1833DE7A28B374DB3BA182CCB92572B9CF3DF0A6440F577BA4C08C05EEADFACEA741B6C63A23AAB0B6
Malicious:	false
Preview:	..-.........................hi..x.sr3s.q#....$...-.........................hi..x.sr3s.q#....$.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039751948887492845
Encrypted:	false
SSDEEP:	3:Ol19egN/2lfPdaWXWWjKU39qwl8rEXsxdwhml8XW3R2:KvegNudYQRhtl8dMhm93w
MD5:	20555BB637A1FD1D4E52BC4B67A2E05E
SHA1:	68BE3A1BBB19507F7A56E91D7554071A6AC9B928
SHA-256:	921F5DFFFEDCDCDF1D642C5AD16F8D898D3EA15F25177CEBEE4845D7D3E6ABF6
SHA-512:	69E54A199C4A6566171BE55D660A9132DF869340BEB88F64D8AE6A21ACBA08D74F6A30B6DC1921A577DAA04EC989D605B99CDA3109DD796916355A83AE4D474C
Malicious:	false
Preview:	7....-...........x.sr3s.IF{..............x.sr3s....ih.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.477844977071652
Encrypted:	false
SSDEEP:	192:lYnSRkyYbBp6NqUCaXK6VjmNYo5RHNBw8dLnSl:LeWqUp5iFPwc0
MD5:	1C392663298480E37BB15EBA2A65760F
SHA1:	554EDE57E40864D2B83BA1A6125B945D5481C7D7
SHA-256:	28C2795CF2A0AD1E9C96070B6FB7E43792D0F444D890A736B2B5B121D9DDD81C
SHA-512:	CDF17952C09D827BD81EBADFD3C74004859541D22AF1007A2925549ADAD580C02C0B485EAD337A89D0195FDB100DE072BD45E5B988AD2FB72BA56A66F89BC1B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732606737);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732606737);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732606737);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173260

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.477844977071652
Encrypted:	false
SSDEEP:	192:lYnSRkyYbBp6NqUCaXK6VjmNYo5RHNBw8dLnSl:LeWqUp5iFPwc0
MD5:	1C392663298480E37BB15EBA2A65760F
SHA1:	554EDE57E40864D2B83BA1A6125B945D5481C7D7
SHA-256:	28C2795CF2A0AD1E9C96070B6FB7E43792D0F444D890A736B2B5B121D9DDD81C
SHA-512:	CDF17952C09D827BD81EBADFD3C74004859541D22AF1007A2925549ADAD580C02C0B485EAD337A89D0195FDB100DE072BD45E5B988AD2FB72BA56A66F89BC1B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732606737);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732606737);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732606737);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173260

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.336317943383186
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgHLXnIgQEI/pnxQwRlscT5sKhiA3eHVVPNZTgcamhuj3pOOcUb2mm:GUpOxN0nRfT3etZTgc45edHd
MD5:	268B4FBB527A3A424FE088F162250F48
SHA1:	64B55A152BD58AE95332055293353CF853846240
SHA-256:	6100D1296EE8D33054D674CF36EBB1FED68C6E110023AABC5EA35DA5F90B5AB6
SHA-512:	4DFF067792BA1B2197AB3448DE8AC631BE1CA88B51A081866799283EE21641CDDC989C94AC17C32322A8320919BD0533D52001679AF2E710A9D51821F12006FB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bc3aae43-ff64-41ec-93ed-591040eff664}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732606741024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P06933...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11229,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.336317943383186
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgHLXnIgQEI/pnxQwRlscT5sKhiA3eHVVPNZTgcamhuj3pOOcUb2mm:GUpOxN0nRfT3etZTgc45edHd
MD5:	268B4FBB527A3A424FE088F162250F48
SHA1:	64B55A152BD58AE95332055293353CF853846240
SHA-256:	6100D1296EE8D33054D674CF36EBB1FED68C6E110023AABC5EA35DA5F90B5AB6
SHA-512:	4DFF067792BA1B2197AB3448DE8AC631BE1CA88B51A081866799283EE21641CDDC989C94AC17C32322A8320919BD0533D52001679AF2E710A9D51821F12006FB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bc3aae43-ff64-41ec-93ed-591040eff664}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732606741024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P06933...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11229,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.336317943383186
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgHLXnIgQEI/pnxQwRlscT5sKhiA3eHVVPNZTgcamhuj3pOOcUb2mm:GUpOxN0nRfT3etZTgc45edHd
MD5:	268B4FBB527A3A424FE088F162250F48
SHA1:	64B55A152BD58AE95332055293353CF853846240
SHA-256:	6100D1296EE8D33054D674CF36EBB1FED68C6E110023AABC5EA35DA5F90B5AB6
SHA-512:	4DFF067792BA1B2197AB3448DE8AC631BE1CA88B51A081866799283EE21641CDDC989C94AC17C32322A8320919BD0533D52001679AF2E710A9D51821F12006FB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bc3aae43-ff64-41ec-93ed-591040eff664}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732606741024,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P06933...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11229,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.038002461671695
Encrypted:	false
SSDEEP:	48:YrSAY+eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yc++TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	2B8FB8EB26C90365D26BEB741AC35CC4
SHA1:	8C2AC2B71DA8A9ED2E5BB63CB6D27E31644EF981
SHA-256:	554CFFB55073D4531185FAB8D4118E0E6B25A1F0EB72FBC4F4F8B909DD2A9844
SHA-512:	2D8BE192BA55618DF0C1D4D103145D2B062078D52B08BF1E33365B91A57477329233CD715DA779600E52B25DF4674185311583030C45DD397E2EFB2CFBB33358
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-26T07:38:35.685Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.038002461671695
Encrypted:	false
SSDEEP:	48:YrSAY+eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yc++TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	2B8FB8EB26C90365D26BEB741AC35CC4
SHA1:	8C2AC2B71DA8A9ED2E5BB63CB6D27E31644EF981
SHA-256:	554CFFB55073D4531185FAB8D4118E0E6B25A1F0EB72FBC4F4F8B909DD2A9844
SHA-512:	2D8BE192BA55618DF0C1D4D103145D2B062078D52B08BF1E33365B91A57477329233CD715DA779600E52B25DF4674185311583030C45DD397E2EFB2CFBB33358
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-26T07:38:35.685Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.590323264036906
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	ae81a1bee1fe99f08c622b98100850e4
SHA1:	dff48fe8c901e7f0ed8b4a48dc9fe47316c37309
SHA256:	fdd2d2f278842747aaad0ad6fcf485155603efa94700918a3beea0769fb434bf
SHA512:	4208633033f35c2b8cb7d56f49cef24d21932ea7fb2de1e1275b473047c7b91b660507a5499cfd5790e31473a32d636118691a2f65ba644877570647445d0f8f
SSDEEP:	24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aOjv:BTvC/MTQYxsWR7aO
TLSH:	91159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67455E9A [Tue Nov 26 05:37:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA7BCCA07E3h
jmp 00007FA7BCCA00EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA7BCCA02CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA7BCCA029Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA7BCCA2E8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA7BCCA2ED8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA7BCCA2EC1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa590	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa590	0xa600	2fb147af4d14075b6b51eb6fbc60b666	False	0.36001035391566266	data	5.567909109556531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1856	data			1.0017656500802568
RT_GROUP_ICON	0xde010	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde088	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde09c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde0b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde0c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde1a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 06:47:12.542032957 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.542056084 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:12.542308092 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.542335987 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:12.542958021 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.544054031 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.548129082 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.548144102 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:12.549901962 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:12.549926043 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:12.550143957 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:12.691261053 CET	80	49711	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:12.695641041 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:12.695928097 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:12.815793991 CET	80	49711	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:12.896013975 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:12.896063089 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:12.896173954 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:12.896758080 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:12.896770954 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:12.908531904 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:12.908548117 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:12.909367085 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:12.909388065 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:12.918374062 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:12.918622017 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:12.920003891 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:12.920016050 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:12.921401024 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:12.921412945 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:13.050971031 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:13.051021099 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:13.051362038 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:13.066859007 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:13.066869974 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:13.075090885 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:13.075131893 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:13.075320005 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:13.075424910 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:13.075439930 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:13.873879910 CET	80	49711	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:13.921196938 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.057250977 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.176738977 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.176785946 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.177146912 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:14.183593035 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:14.183610916 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:14.184251070 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.184329033 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.184398890 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:14.188513041 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.188541889 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.188762903 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.192333937 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:14.192352057 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:14.192498922 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:14.192522049 CET	443	49714	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:14.197479963 CET	49714	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:14.205599070 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.210597992 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.213563919 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.213582993 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.213815928 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.214201927 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:14.214308977 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:14.214314938 CET	443	49720	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:14.214334011 CET	443	49721	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:14.215899944 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.215993881 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.216044903 CET	443	49712	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:14.216466904 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.216511965 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:14.216521025 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:14.216536045 CET	49712	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:14.218632936 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:14.218672037 CET	443	49720	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:14.219944954 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:14.219975948 CET	443	49721	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:14.220101118 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.241003036 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.241036892 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.243732929 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.247386932 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.247395992 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.247467995 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.247534037 CET	443	49713	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.248764038 CET	49713	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.267420053 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.267940044 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.268094063 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.268752098 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.271886110 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.271898031 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.271975040 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.272056103 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.277030945 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.309155941 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:14.312278986 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.312979937 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.317473888 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.317498922 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.323736906 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.328602076 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.328613997 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.328685045 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.328845978 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 06:47:14.328984022 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 06:47:14.334454060 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.337707996 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.338491917 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:14.340198040 CET	80	49711	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:14.343333960 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:14.343964100 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.343981981 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.344053984 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.344111919 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.344502926 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.344561100 CET	49711	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.347079039 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.347085953 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:14.347414017 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:14.349109888 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.349163055 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.349275112 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.349277973 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 06:47:14.349292040 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.349359989 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 06:47:14.384397030 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:14.384428978 CET	443	49723	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:14.385104895 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:14.386483908 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:14.386497021 CET	443	49723	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:14.443695068 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:14.459129095 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.459513903 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:14.553400993 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.553446054 CET	443	49724	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.555013895 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.556612968 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:14.556628942 CET	443	49724	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:14.579523087 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:15.270589113 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:15.271017075 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:15.391329050 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:15.398489952 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:15.432804108 CET	443	49720	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:15.432902098 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.437498093 CET	443	49721	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:15.437585115 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.471820116 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.471880913 CET	443	49720	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:15.472002029 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.472218037 CET	443	49720	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:15.473268032 CET	49720	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.489895105 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.489928961 CET	443	49721	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:15.489998102 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.490338087 CET	443	49721	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:15.491909027 CET	49721	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.497720957 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:15.497767925 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:15.499679089 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.502156973 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.502161980 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:15.502393961 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:15.504117012 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.504192114 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.504245996 CET	443	49719	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:15.504477978 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.504489899 CET	49719	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:15.574817896 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.574831009 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:15.576208115 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.576397896 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:15.576409101 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:15.590976000 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:15.636025906 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:15.694439888 CET	443	49723	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:15.694521904 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:15.698029995 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:15.698035955 CET	443	49723	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:15.698101044 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:15.698175907 CET	443	49723	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:15.698252916 CET	49723	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:15.822014093 CET	443	49724	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:15.822103024 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:15.826391935 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:15.826391935 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:15.826402903 CET	443	49724	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:15.826575994 CET	443	49724	34.117.188.166	192.168.2.7
Nov 26, 2024 06:47:15.826781988 CET	49724	443	192.168.2.7	34.117.188.166
Nov 26, 2024 06:47:15.884222984 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.884257078 CET	443	49732	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:15.884613991 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.885946035 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:15.885957956 CET	443	49732	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:16.839809895 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:16.849205017 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:16.854491949 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:16.854515076 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:16.855423927 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:16.867726088 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:16.867801905 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:16.868102074 CET	443	49731	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:16.869816065 CET	49731	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:17.188707113 CET	443	49732	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:17.188801050 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:17.193473101 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:17.193483114 CET	443	49732	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:17.193572998 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:17.193630934 CET	443	49732	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:17.193687916 CET	49732	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.033236027 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.035101891 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.153398037 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:23.153512955 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.155073881 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:23.261223078 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.262759924 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.262795925 CET	443	49751	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.266053915 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.268157959 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.268173933 CET	443	49751	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.360130072 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:23.381253004 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:23.413189888 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.947526932 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.947575092 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.947758913 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.947801113 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.949395895 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.949485064 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.949542999 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.949556112 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.949662924 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:23.949676037 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:23.962464094 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:23.966120958 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:23.966151953 CET	443	49755	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:23.966223955 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:23.967559099 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:23.967572927 CET	443	49755	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:24.082447052 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:24.251916885 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:24.286572933 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:24.291104078 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:24.330907106 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:24.411016941 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:24.496511936 CET	443	49751	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:24.496622086 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:24.501641035 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:24.501652002 CET	443	49751	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:24.501750946 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:24.501853943 CET	443	49751	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:24.502363920 CET	49751	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:24.605773926 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:24.647407055 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:25.163966894 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.164113998 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.209997892 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.210078955 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.222111940 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.222147942 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.223172903 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.224353075 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.224371910 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.224627972 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.224847078 CET	443	49755	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:25.225096941 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:25.229161978 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.229253054 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.229434967 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.229494095 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.229583979 CET	443	49753	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.229665041 CET	49753	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.229731083 CET	443	49754	34.120.208.123	192.168.2.7
Nov 26, 2024 06:47:25.230011940 CET	49754	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:47:25.231664896 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:25.231669903 CET	443	49755	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:25.231729984 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:25.231812000 CET	443	49755	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:25.233511925 CET	49755	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:26.543087006 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:26.663006067 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:26.867261887 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:26.914715052 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:27.189902067 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:27.309859991 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:27.504765987 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:27.547862053 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:36.550851107 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:36.550899982 CET	443	49788	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:36.551027060 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:36.552535057 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:36.552548885 CET	443	49788	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:36.876118898 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:36.996205091 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:37.515650988 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:37.635703087 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:37.814539909 CET	443	49788	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:37.814729929 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:37.820945024 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:37.820956945 CET	443	49788	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:37.821044922 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:37.821279049 CET	443	49788	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:37.821365118 CET	49788	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:37.824892044 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:37.944828033 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:38.155500889 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:38.159096003 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:38.202068090 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:38.279110909 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:38.474217892 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:38.518578053 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:39.572232008 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:39.572278023 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:39.572520971 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:39.572623014 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:39.572632074 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:39.701961994 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:39.702004910 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:39.702936888 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:39.703114033 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:39.703124046 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:39.709939003 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:39.709949017 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:39.717259884 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:39.717396021 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:39.717402935 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:39.741731882 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:39.741761923 CET	443	49797	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:39.745601892 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:39.747134924 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:39.747144938 CET	443	49797	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:39.892662048 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:39.892703056 CET	443	49799	35.201.103.21	192.168.2.7
Nov 26, 2024 06:47:39.892966032 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:39.894433022 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:39.894442081 CET	443	49799	35.201.103.21	192.168.2.7
Nov 26, 2024 06:47:40.835117102 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:40.835243940 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:40.839428902 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:40.839462996 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:40.839782953 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:40.843105078 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:40.843250036 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:40.843302965 CET	443	49794	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:40.845082045 CET	49794	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:40.848311901 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:40.966605902 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:40.966703892 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:40.968336105 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:40.971752882 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:40.971777916 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:40.972166061 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:40.975364923 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:40.975476027 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:40.975661993 CET	443	49795	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:40.976149082 CET	49795	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.029542923 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:41.029565096 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:41.029654980 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:41.032747030 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:41.032759905 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:41.033158064 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:41.035073996 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:41.035166979 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:41.035295963 CET	443	49796	151.101.193.91	192.168.2.7
Nov 26, 2024 06:47:41.035445929 CET	49796	443	192.168.2.7	151.101.193.91
Nov 26, 2024 06:47:41.044914007 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.044961929 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.045293093 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.045419931 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.045432091 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.047514915 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.047564030 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.047749043 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.047749043 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.047785044 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.049118042 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.049130917 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.049390078 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.049504042 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:41.049515009 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:41.049570084 CET	443	49797	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:41.049968958 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:41.054325104 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:41.054349899 CET	443	49797	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:41.054415941 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:41.054549932 CET	443	49797	35.190.72.216	192.168.2.7
Nov 26, 2024 06:47:41.054997921 CET	49797	443	192.168.2.7	35.190.72.216
Nov 26, 2024 06:47:41.113003969 CET	443	49799	35.201.103.21	192.168.2.7
Nov 26, 2024 06:47:41.113086939 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:41.116662979 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:41.116672993 CET	443	49799	35.201.103.21	192.168.2.7
Nov 26, 2024 06:47:41.116758108 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:41.116858959 CET	443	49799	35.201.103.21	192.168.2.7
Nov 26, 2024 06:47:41.116960049 CET	49799	443	192.168.2.7	35.201.103.21
Nov 26, 2024 06:47:41.120974064 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:41.121038914 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:41.121117115 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:41.121203899 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:41.121217012 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:41.173810005 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:41.177436113 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:41.226542950 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:41.298343897 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:41.493083000 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:41.543085098 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:42.261111975 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.261233091 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.263923883 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.263945103 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.264326096 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.266546011 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.266633987 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.266743898 CET	443	49806	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.267214060 CET	49806	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.269639015 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:42.304512978 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.304716110 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.307106972 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.307118893 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.307566881 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.307926893 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.308518887 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.310513973 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.310530901 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.310843945 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.311296940 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.311404943 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.311687946 CET	443	49804	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.312582016 CET	49804	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.313596964 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.313688993 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.313744068 CET	443	49805	35.244.181.201	192.168.2.7
Nov 26, 2024 06:47:42.314234018 CET	49805	443	192.168.2.7	35.244.181.201
Nov 26, 2024 06:47:42.377616882 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:42.377706051 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:42.380740881 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:42.380752087 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:42.380961895 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:42.383240938 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:42.383346081 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:42.383374929 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 06:47:42.383522034 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 06:47:42.389648914 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:42.595531940 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:42.598839045 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:42.646313906 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:42.719005108 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:42.915736914 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:42.962915897 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:44.501960039 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:44.621944904 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:44.825968027 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:44.828753948 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:44.868377924 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:44.948725939 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:45.143630028 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:45.200499058 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:54.828319073 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:54.948335886 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:55.167015076 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:55.286955118 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:58.327461004 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:58.327506065 CET	443	49847	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:58.327812910 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:58.329102993 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:58.329121113 CET	443	49847	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:59.638966084 CET	443	49847	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:59.639219046 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:59.644879103 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:59.644896984 CET	443	49847	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:59.645014048 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:59.645093918 CET	443	49847	34.107.243.93	192.168.2.7
Nov 26, 2024 06:47:59.645829916 CET	49847	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:47:59.647881985 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:47:59.767838955 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:59.971831083 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:47:59.974529028 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:00.012419939 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:00.094502926 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:00.290194988 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:00.344547033 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:09.593162060 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.593216896 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.601547956 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.601597071 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.601918936 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.601994991 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.602041006 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602068901 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.602179050 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602199078 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.602298975 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602309942 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.602864981 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602885008 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602886915 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602904081 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.602904081 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603070021 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603070021 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603082895 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.603224993 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603245974 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.603296041 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603310108 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.603374958 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603408098 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.603430986 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603445053 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.603494883 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:09.603516102 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:09.978192091 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:10.098345995 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:10.294657946 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:10.414623976 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:10.818651915 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.822921991 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.825944901 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.825973988 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.826219082 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.828071117 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.828188896 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.828213930 CET	443	49878	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.828712940 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.828775883 CET	49878	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.828788042 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.832034111 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.832226038 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.832250118 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.833086014 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:10.861107111 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.861192942 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.863164902 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.863229036 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.863898993 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.863910913 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.864125013 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.866166115 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.866177082 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.866421938 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.869158983 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.869252920 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.869313002 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.869369030 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.869378090 CET	443	49876	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.869800091 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.869839907 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.869998932 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870086908 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870183945 CET	443	49879	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.870245934 CET	49876	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870256901 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870259047 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870297909 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.870558023 CET	49879	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.873158932 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.873179913 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.873570919 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.874155045 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.874188900 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.874229908 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.875431061 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.875442982 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.875746012 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.877916098 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.877933979 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.878030062 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.878041983 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.878295898 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.881200075 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.881289005 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.881628036 CET	443	49875	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.882061958 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882160902 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882445097 CET	443	49877	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.882646084 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882668018 CET	49875	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882680893 CET	49877	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882719994 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.882797003 CET	443	49874	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:10.883146048 CET	49874	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:10.952992916 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:11.158952951 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:11.180825949 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:11.219508886 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:11.300971985 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:11.495718956 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:11.551738977 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:12.143136978 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.143218994 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.146714926 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.146723032 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.146955967 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.149600983 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.149739027 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.149749041 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.149755001 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.152724981 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:12.180474997 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.180556059 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.183864117 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.183870077 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.184072018 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.187083960 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.187220097 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.187230110 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.187233925 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.272658110 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:12.359337091 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.359411955 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.391335964 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 06:48:12.391408920 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 06:48:12.476941109 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:12.480463982 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:12.523022890 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:12.600495100 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:12.795532942 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:12.839488983 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:22.480869055 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:22.600883007 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:22.797302008 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:22.917984962 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:32.610569000 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:32.730739117 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:32.926963091 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:33.047028065 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:40.855669022 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:40.855701923 CET	443	49949	34.107.243.93	192.168.2.7
Nov 26, 2024 06:48:40.856064081 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:40.857708931 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:40.857722044 CET	443	49949	34.107.243.93	192.168.2.7
Nov 26, 2024 06:48:42.167573929 CET	443	49949	34.107.243.93	192.168.2.7
Nov 26, 2024 06:48:42.167782068 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:42.173031092 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:42.173044920 CET	443	49949	34.107.243.93	192.168.2.7
Nov 26, 2024 06:48:42.173165083 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:42.173304081 CET	443	49949	34.107.243.93	192.168.2.7
Nov 26, 2024 06:48:42.174032927 CET	49949	443	192.168.2.7	34.107.243.93
Nov 26, 2024 06:48:42.176003933 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:42.295942068 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:42.499927998 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:42.504264116 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:42.554133892 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:42.624347925 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:42.819119930 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:42.870568037 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:52.514612913 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:52.634646893 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:48:52.837553978 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:48:52.957487106 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:49:02.643826008 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:49:02.763853073 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:49:02.966862917 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:49:03.086945057 CET	80	49749	34.107.221.82	192.168.2.7
Nov 26, 2024 06:49:12.777374029 CET	49722	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:49:12.897690058 CET	80	49722	34.107.221.82	192.168.2.7
Nov 26, 2024 06:49:13.093859911 CET	49749	80	192.168.2.7	34.107.221.82
Nov 26, 2024 06:49:13.213855028 CET	80	49749	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 06:47:12.351576090 CET	63919	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.351612091 CET	56926	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.539938927 CET	53	63919	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.542872906 CET	63906	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.544054031 CET	57356	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.655059099 CET	52556	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.682056904 CET	53	63906	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.686275005 CET	62563	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.710339069 CET	53	57356	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.718456030 CET	63391	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.794307947 CET	53	52556	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.824997902 CET	53	62563	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.857652903 CET	53	63391	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:12.908943892 CET	63958	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.909774065 CET	65130	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.910537958 CET	56555	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.910811901 CET	62314	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:12.934150934 CET	58635	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.050008059 CET	53	63958	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.050021887 CET	53	56555	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.051281929 CET	55742	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.053419113 CET	53	62314	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.053437948 CET	53	65130	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.053956985 CET	61497	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.054474115 CET	53262	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.074342012 CET	53	58635	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.193097115 CET	53	55742	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.193680048 CET	53	53262	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.194008112 CET	49715	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.196064949 CET	51309	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.333522081 CET	53	49715	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.334306955 CET	62056	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.336251974 CET	53	51309	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.336821079 CET	51313	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.391859055 CET	53	61497	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.475204945 CET	53	62056	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.477155924 CET	53	51313	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:13.786166906 CET	57133	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.883251905 CET	56365	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.900798082 CET	59387	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.901288986 CET	54774	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:13.910223961 CET	61447	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.022568941 CET	53	56365	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.031112909 CET	54267	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.040074110 CET	53	59387	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.040365934 CET	53	54774	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.059794903 CET	54497	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.170502901 CET	53	54267	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.198824883 CET	53	54497	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.211941957 CET	62338	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.212630987 CET	65525	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.214454889 CET	53	64495	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.351799011 CET	53	62338	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.352279902 CET	53	65525	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.383806944 CET	61428	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.475703955 CET	65190	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.525288105 CET	53	61428	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.615780115 CET	53	65190	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:14.616494894 CET	49894	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:14.760487080 CET	53	49894	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:18.293922901 CET	49584	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:18.432991982 CET	53	49584	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:18.768742085 CET	61418	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:18.910396099 CET	53	61418	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:19.018549919 CET	57925	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:19.160645962 CET	53	57925	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:23.263942957 CET	57077	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:23.405617952 CET	53	57077	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:23.945077896 CET	61210	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:23.945348978 CET	54497	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:23.945688963 CET	49878	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.084986925 CET	53	61210	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.087145090 CET	53	49878	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.087470055 CET	49327	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.088104963 CET	54228	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.090918064 CET	53	54497	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.091563940 CET	63634	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.226464033 CET	53	49327	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.227099895 CET	53	54228	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.230442047 CET	53	63634	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.231511116 CET	54047	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.232012033 CET	57018	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.232343912 CET	51093	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.371824026 CET	53	54047	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.372497082 CET	53	51093	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.372509003 CET	53	57018	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.373567104 CET	59540	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.373960018 CET	52990	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.375757933 CET	53413	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:24.514277935 CET	53	59540	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.515058041 CET	53	52990	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:24.515579939 CET	53	53413	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:25.219209909 CET	56249	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:25.219284058 CET	63485	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:25.360707045 CET	53	63485	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:25.362204075 CET	62185	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:25.439129114 CET	53	56249	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:25.440504074 CET	64519	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:25.503040075 CET	53	62185	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:25.661904097 CET	53	64519	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:36.550380945 CET	58677	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:36.690670013 CET	53	58677	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.568914890 CET	58420	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.702327967 CET	64320	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.709054947 CET	53	58420	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.710676908 CET	52806	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.749411106 CET	56398	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.842145920 CET	53	64320	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.843116045 CET	61338	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.850243092 CET	53	52806	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.850969076 CET	62943	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.891441107 CET	53	56398	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.892895937 CET	49798	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:39.983043909 CET	53	61338	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:39.990005970 CET	53	62943	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:40.035334110 CET	53	49798	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:40.041389942 CET	54695	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:40.182051897 CET	53	54695	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:44.502294064 CET	51033	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:58.327739000 CET	51327	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:47:58.467601061 CET	53	51327	1.1.1.1	192.168.2.7
Nov 26, 2024 06:47:59.648318052 CET	52138	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:48:09.593920946 CET	63150	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:48:09.733098030 CET	53	63150	1.1.1.1	192.168.2.7
Nov 26, 2024 06:48:40.707791090 CET	60527	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:48:40.854362011 CET	53	60527	1.1.1.1	192.168.2.7
Nov 26, 2024 06:48:40.855952024 CET	61179	53	192.168.2.7	1.1.1.1
Nov 26, 2024 06:48:41.062374115 CET	53	61179	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 06:47:12.351576090 CET	192.168.2.7	1.1.1.1	0x222d	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.351612091 CET	192.168.2.7	1.1.1.1	0x966a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.542872906 CET	192.168.2.7	1.1.1.1	0xc13f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.544054031 CET	192.168.2.7	1.1.1.1	0xf474	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.655059099 CET	192.168.2.7	1.1.1.1	0x3d4d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.686275005 CET	192.168.2.7	1.1.1.1	0x1e25	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:12.718456030 CET	192.168.2.7	1.1.1.1	0x8a30	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:12.908943892 CET	192.168.2.7	1.1.1.1	0x5a91	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.909774065 CET	192.168.2.7	1.1.1.1	0x4d29	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.910537958 CET	192.168.2.7	1.1.1.1	0xa2b9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.910811901 CET	192.168.2.7	1.1.1.1	0x4c3c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.934150934 CET	192.168.2.7	1.1.1.1	0xaf1d	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.051281929 CET	192.168.2.7	1.1.1.1	0xaa66	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:13.053956985 CET	192.168.2.7	1.1.1.1	0x489f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:13.054474115 CET	192.168.2.7	1.1.1.1	0xbf8d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:13.194008112 CET	192.168.2.7	1.1.1.1	0x74a9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.196064949 CET	192.168.2.7	1.1.1.1	0x2dc5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.334306955 CET	192.168.2.7	1.1.1.1	0xcb35	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:13.336821079 CET	192.168.2.7	1.1.1.1	0x2c95	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:13.786166906 CET	192.168.2.7	1.1.1.1	0x7bba	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.883251905 CET	192.168.2.7	1.1.1.1	0x7433	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.900798082 CET	192.168.2.7	1.1.1.1	0x8594	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.901288986 CET	192.168.2.7	1.1.1.1	0xf790	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.910223961 CET	192.168.2.7	1.1.1.1	0xe050	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.031112909 CET	192.168.2.7	1.1.1.1	0xd887	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.059794903 CET	192.168.2.7	1.1.1.1	0xc0f1	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.211941957 CET	192.168.2.7	1.1.1.1	0x5930	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.212630987 CET	192.168.2.7	1.1.1.1	0xeb08	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:14.383806944 CET	192.168.2.7	1.1.1.1	0x9b1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:14.475703955 CET	192.168.2.7	1.1.1.1	0xb156	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.616494894 CET	192.168.2.7	1.1.1.1	0xa8db	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:18.293922901 CET	192.168.2.7	1.1.1.1	0xf6fa	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:18.768742085 CET	192.168.2.7	1.1.1.1	0xf486	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:19.018549919 CET	192.168.2.7	1.1.1.1	0x29d2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:23.263942957 CET	192.168.2.7	1.1.1.1	0xcc5e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:23.945077896 CET	192.168.2.7	1.1.1.1	0x7dbc	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:23.945348978 CET	192.168.2.7	1.1.1.1	0x6e42	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:23.945688963 CET	192.168.2.7	1.1.1.1	0x7cb7	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.087470055 CET	192.168.2.7	1.1.1.1	0xe11d	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.088104963 CET	192.168.2.7	1.1.1.1	0x6f	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.091563940 CET	192.168.2.7	1.1.1.1	0x4225	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.231511116 CET	192.168.2.7	1.1.1.1	0x8182	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:24.232012033 CET	192.168.2.7	1.1.1.1	0x6cca	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 26, 2024 06:47:24.232343912 CET	192.168.2.7	1.1.1.1	0x3136	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:24.373567104 CET	192.168.2.7	1.1.1.1	0xfc3e	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.373960018 CET	192.168.2.7	1.1.1.1	0x8872	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.375757933 CET	192.168.2.7	1.1.1.1	0x6ea8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:25.219209909 CET	192.168.2.7	1.1.1.1	0x9bda	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.219284058 CET	192.168.2.7	1.1.1.1	0xe1a8	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.362204075 CET	192.168.2.7	1.1.1.1	0x67d	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:25.440504074 CET	192.168.2.7	1.1.1.1	0x2d13	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:36.550380945 CET	192.168.2.7	1.1.1.1	0xb658	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:39.568914890 CET	192.168.2.7	1.1.1.1	0xe6c7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.702327967 CET	192.168.2.7	1.1.1.1	0x749b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.710676908 CET	192.168.2.7	1.1.1.1	0x85a5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.749411106 CET	192.168.2.7	1.1.1.1	0x1b98	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.843116045 CET	192.168.2.7	1.1.1.1	0x8fec	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 06:47:39.850969076 CET	192.168.2.7	1.1.1.1	0x2ca7	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 26, 2024 06:47:39.892895937 CET	192.168.2.7	1.1.1.1	0x6db	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:40.041389942 CET	192.168.2.7	1.1.1.1	0xe6cd	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:44.502294064 CET	192.168.2.7	1.1.1.1	0x57bf	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:58.327739000 CET	192.168.2.7	1.1.1.1	0x4349	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:47:59.648318052 CET	192.168.2.7	1.1.1.1	0x7fa2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:48:09.593920946 CET	192.168.2.7	1.1.1.1	0xd202	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 06:48:40.707791090 CET	192.168.2.7	1.1.1.1	0x3ce7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:48:40.855952024 CET	192.168.2.7	1.1.1.1	0x804d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 06:47:12.539894104 CET	1.1.1.1	192.168.2.7	0x966a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:12.539894104 CET	1.1.1.1	192.168.2.7	0x966a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.539938927 CET	1.1.1.1	192.168.2.7	0x222d	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.682056904 CET	1.1.1.1	192.168.2.7	0xc13f	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.710339069 CET	1.1.1.1	192.168.2.7	0xf474	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.790009022 CET	1.1.1.1	192.168.2.7	0xa380	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:12.790009022 CET	1.1.1.1	192.168.2.7	0xa380	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.794307947 CET	1.1.1.1	192.168.2.7	0x3d4d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.804223061 CET	1.1.1.1	192.168.2.7	0x384d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:12.824997902 CET	1.1.1.1	192.168.2.7	0x1e25	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:12.857652903 CET	1.1.1.1	192.168.2.7	0x8a30	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:13.050008059 CET	1.1.1.1	192.168.2.7	0x5a91	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:13.050008059 CET	1.1.1.1	192.168.2.7	0x5a91	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.050021887 CET	1.1.1.1	192.168.2.7	0xa2b9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.053419113 CET	1.1.1.1	192.168.2.7	0x4c3c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.053437948 CET	1.1.1.1	192.168.2.7	0x4d29	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.074342012 CET	1.1.1.1	192.168.2.7	0xaf1d	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:13.074342012 CET	1.1.1.1	192.168.2.7	0xaf1d	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:13.074342012 CET	1.1.1.1	192.168.2.7	0xaf1d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.333522081 CET	1.1.1.1	192.168.2.7	0x74a9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.336251974 CET	1.1.1.1	192.168.2.7	0x2dc5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:13.477155924 CET	1.1.1.1	192.168.2.7	0x2c95	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:13.925998926 CET	1.1.1.1	192.168.2.7	0x7bba	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:14.022568941 CET	1.1.1.1	192.168.2.7	0x7433	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.040074110 CET	1.1.1.1	192.168.2.7	0x8594	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.040365934 CET	1.1.1.1	192.168.2.7	0xf790	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.040365934 CET	1.1.1.1	192.168.2.7	0xf790	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.049257040 CET	1.1.1.1	192.168.2.7	0xe050	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:14.049257040 CET	1.1.1.1	192.168.2.7	0xe050	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.170502901 CET	1.1.1.1	192.168.2.7	0xd887	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.174730062 CET	1.1.1.1	192.168.2.7	0x708c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:14.174730062 CET	1.1.1.1	192.168.2.7	0x708c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.182432890 CET	1.1.1.1	192.168.2.7	0xf427	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.198824883 CET	1.1.1.1	192.168.2.7	0xc0f1	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:14.198824883 CET	1.1.1.1	192.168.2.7	0xc0f1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.351799011 CET	1.1.1.1	192.168.2.7	0x5930	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.439775944 CET	1.1.1.1	192.168.2.7	0xc4eb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:14.615780115 CET	1.1.1.1	192.168.2.7	0xb156	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:15.882420063 CET	1.1.1.1	192.168.2.7	0x7339	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:18.432991982 CET	1.1.1.1	192.168.2.7	0xf6fa	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:18.432991982 CET	1.1.1.1	192.168.2.7	0xf6fa	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:18.432991982 CET	1.1.1.1	192.168.2.7	0xf6fa	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:18.910396099 CET	1.1.1.1	192.168.2.7	0xf486	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.084986925 CET	1.1.1.1	192.168.2.7	0x7dbc	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.087145090 CET	1.1.1.1	192.168.2.7	0x7cb7	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:24.087145090 CET	1.1.1.1	192.168.2.7	0x7cb7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.090918064 CET	1.1.1.1	192.168.2.7	0x6e42	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:24.090918064 CET	1.1.1.1	192.168.2.7	0x6e42	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.226464033 CET	1.1.1.1	192.168.2.7	0xe11d	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.227099895 CET	1.1.1.1	192.168.2.7	0x6f	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.230442047 CET	1.1.1.1	192.168.2.7	0x4225	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.371824026 CET	1.1.1.1	192.168.2.7	0x8182	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.371824026 CET	1.1.1.1	192.168.2.7	0x8182	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.371824026 CET	1.1.1.1	192.168.2.7	0x8182	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.371824026 CET	1.1.1.1	192.168.2.7	0x8182	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.372497082 CET	1.1.1.1	192.168.2.7	0x3136	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.372509003 CET	1.1.1.1	192.168.2.7	0x6cca	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 26, 2024 06:47:24.514277935 CET	1.1.1.1	192.168.2.7	0xfc3e	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:24.514277935 CET	1.1.1.1	192.168.2.7	0xfc3e	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.514277935 CET	1.1.1.1	192.168.2.7	0xfc3e	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.514277935 CET	1.1.1.1	192.168.2.7	0xfc3e	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.514277935 CET	1.1.1.1	192.168.2.7	0xfc3e	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:24.515058041 CET	1.1.1.1	192.168.2.7	0x8872	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.360707045 CET	1.1.1.1	192.168.2.7	0xe1a8	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.439129114 CET	1.1.1.1	192.168.2.7	0x9bda	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.439129114 CET	1.1.1.1	192.168.2.7	0x9bda	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.439129114 CET	1.1.1.1	192.168.2.7	0x9bda	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.439129114 CET	1.1.1.1	192.168.2.7	0x9bda	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:25.661904097 CET	1.1.1.1	192.168.2.7	0x2d13	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:25.661904097 CET	1.1.1.1	192.168.2.7	0x2d13	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:25.661904097 CET	1.1.1.1	192.168.2.7	0x2d13	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:25.661904097 CET	1.1.1.1	192.168.2.7	0x2d13	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 26, 2024 06:47:39.700751066 CET	1.1.1.1	192.168.2.7	0x500a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:39.700751066 CET	1.1.1.1	192.168.2.7	0x500a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.709054947 CET	1.1.1.1	192.168.2.7	0xe6c7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.709054947 CET	1.1.1.1	192.168.2.7	0xe6c7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.709054947 CET	1.1.1.1	192.168.2.7	0xe6c7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.709054947 CET	1.1.1.1	192.168.2.7	0xe6c7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.842145920 CET	1.1.1.1	192.168.2.7	0x749b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.850243092 CET	1.1.1.1	192.168.2.7	0x85a5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.850243092 CET	1.1.1.1	192.168.2.7	0x85a5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.850243092 CET	1.1.1.1	192.168.2.7	0x85a5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.850243092 CET	1.1.1.1	192.168.2.7	0x85a5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.891441107 CET	1.1.1.1	192.168.2.7	0x1b98	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:39.891441107 CET	1.1.1.1	192.168.2.7	0x1b98	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:39.990005970 CET	1.1.1.1	192.168.2.7	0x2ca7	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 06:47:39.990005970 CET	1.1.1.1	192.168.2.7	0x2ca7	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 06:47:39.990005970 CET	1.1.1.1	192.168.2.7	0x2ca7	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 06:47:39.990005970 CET	1.1.1.1	192.168.2.7	0x2ca7	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 06:47:40.035334110 CET	1.1.1.1	192.168.2.7	0x6db	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:42.926253080 CET	1.1.1.1	192.168.2.7	0xf6f5	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:42.926253080 CET	1.1.1.1	192.168.2.7	0xf6f5	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:44.641974926 CET	1.1.1.1	192.168.2.7	0x57bf	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:44.641974926 CET	1.1.1.1	192.168.2.7	0x57bf	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:47:59.791155100 CET	1.1.1.1	192.168.2.7	0x7fa2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 06:47:59.791155100 CET	1.1.1.1	192.168.2.7	0x7fa2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:48:40.854362011 CET	1.1.1.1	192.168.2.7	0x3ce7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49711	34.107.221.82	80	6960	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 06:47:12.695928097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:13.873879910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24616 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49718	34.107.221.82	80	6960	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 06:47:14.188762903 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:15.270589113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 75388 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49722	34.107.221.82	80	6960	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 06:47:14.459513903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:15.590976000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:23.035101891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:23.360130072 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24626 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:23.962464094 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:24.286572933 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24627 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:26.543087006 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:26.867261887 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24629 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:36.876118898 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:47:37.824892044 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:38.155500889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24640 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:40.848311901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:41.173810005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24644 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:42.269639015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:42.595531940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24645 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:44.501960039 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:44.825968027 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24647 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:47:54.828319073 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:47:59.647881985 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:47:59.971831083 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24662 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:48:09.978192091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:10.833086014 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:48:11.158952951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24673 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:48:12.152724981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:48:12.476941109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24675 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:48:22.480869055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:32.610569000 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:42.176003933 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 06:48:42.499927998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 24705 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 06:48:52.514612913 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:49:02.643826008 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:49:12.777374029 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49749	34.107.221.82	80	6960	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 06:47:23.261223078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:24.251916885 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60756 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:24.291104078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:24.605773926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60756 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:27.189902067 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:27.504765987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60759 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:37.515650988 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:47:38.159096003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:38.474217892 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60770 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:41.177436113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:41.493083000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60773 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:42.598839045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:42.915736914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60774 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:44.828753948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:47:45.143630028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60776 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:47:55.167015076 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:47:59.974529028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:48:00.290194988 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60792 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:48:10.294657946 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:11.180825949 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:48:11.495718956 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60803 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:48:12.480463982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:48:12.795532942 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60804 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:48:22.797302008 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:32.926963091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:48:42.504264116 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 06:48:42.819119930 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 60834 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 06:48:52.837553978 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:49:02.966862917 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 06:49:13.093859911 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:47:04
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x230000
File size:	921'600 bytes
MD5 hash:	AE81A1BEE1FE99F08C622B98100850E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:47:04
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:47:04
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:47:07
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:47:08
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:47:08
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	00:47:08
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a72cb5cd-985a-4500-b060-a3fccf47a185} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd936e310 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	00:47:10
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 2952 -prefMapHandle 2988 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {621ec6c5-4f70-4856-bbff-2195b9a901fa} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffd937a410 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	00:47:13
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c7457a-1b8b-4a7d-99d2-323e2f211b0d} 6960 "\\.\pipe\gecko-crash-server-pipe.6960" 1ffea7b9f10 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1572
Total number of Limit Nodes:	54

Executed Functions

Function 002342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0023430D

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

GetCurrentProcess.KERNEL32(?,002CCB64,00000000,?,?), ref: 00234422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00234429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00234454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00234466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00234474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0023447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002344A0

Strings

kernel32.dll, xrefs: 0023444F
GetNativeSystemInfo, xrefs: 00234460
|O, xrefs: 002736F8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 70c39d11938c15fb78678359f4b3e12f7e709d31a70db7bb738e19d0fd58bfc6
Instruction ID: e50e067e372e3a4f7baecdbb7eb79cfbd0403aaf9dccf186ceab770029b36f6f
Opcode Fuzzy Hash: 70c39d11938c15fb78678359f4b3e12f7e709d31a70db7bb738e19d0fd58bfc6
Instruction Fuzzy Hash: A7A1F8AEA2B2C0CFC717DB797CA15957FEC7B26300F1884EBE14593A22D2704915DB21

Function 002342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002350AA,?,?,00000000,00000000), ref: 002342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002350AA,?,?,00000000,00000000), ref: 002342C9
LoadResource.KERNEL32(?,00000000,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20), ref: 002735BE
SizeofResource.KERNEL32(?,00000000,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20), ref: 002735D3
LockResource.KERNEL32(002350AA,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20,?), ref: 002735E6

Strings

SCRIPT, xrefs: 002342BF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: de345bf0b1e248f8f6ce2d1ef83355974cdf3c29982e574763c55810be475671
Instruction ID: b4168ffc7d75e81ffbc6e4c95e7859bab93dd2b56851b0eddcc15e73b45945ba
Opcode Fuzzy Hash: de345bf0b1e248f8f6ce2d1ef83355974cdf3c29982e574763c55810be475671
Instruction Fuzzy Hash: 8D1170B0210701BFD7219F65EC48F677BBDEBC6B51F24416AF81A96550DB71EC108A21

Function 00272BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00232B6B

Part of subcall function 00233A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301418,?,00232E7F,?,?,?,00000000), ref: 00233A78

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002F2224), ref: 00272C10
ShellExecuteW.SHELL32(00000000,?,?,002F2224), ref: 00272C17

Strings

runas, xrefs: 00272C0B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7f9bfe6327ac7a6b1c002abdceb193a2856a71dee2bcab8bd83517f3de45f19a
Instruction ID: bf81b63965b79d386f09d1b69718f763ef7e7fd81042c7e5616870fe60db2ad4
Opcode Fuzzy Hash: 7f9bfe6327ac7a6b1c002abdceb193a2856a71dee2bcab8bd83517f3de45f19a
Instruction Fuzzy Hash: 361103B1228345AAC705FF60E855EBEB7A99B92344F04542DF186020A2CF708A6ECF52

Function 0029D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029D501
Process32FirstW.KERNEL32(00000000,?), ref: 0029D50F
Process32NextW.KERNEL32(00000000,?), ref: 0029D52F
CloseHandle.KERNELBASE(00000000), ref: 0029D5DC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 104a6134fa7795b41e152e6ca03b7323a248fa8f10ec6dfa42102412271d6699
Instruction ID: 2c1e22d8ca4b84cba0305e08756996edab4a3ad986f56d42fa9f094b8f6ada94
Opcode Fuzzy Hash: 104a6134fa7795b41e152e6ca03b7323a248fa8f10ec6dfa42102412271d6699
Instruction Fuzzy Hash: 7531DF711183019FD300EF64D885AAFBBE8EF99354F54082DF585821A1EBB19998CB92

Function 0029DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00275222), ref: 0029DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0029DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0029DBEE
FindClose.KERNEL32(00000000), ref: 0029DBFA

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 91b56c0a48cdea72461fac6bfc7267e185e3f344ad0f0161fece4d83a9fe0ca0
Instruction ID: 4b857214024698635eda27520f08de75322ffaae2763793cb5737fe69be63833
Opcode Fuzzy Hash: 91b56c0a48cdea72461fac6bfc7267e185e3f344ad0f0161fece4d83a9fe0ca0
Instruction Fuzzy Hash: 52F0A030820910578A206F7CEC0D8AA776C9E01334BA44703F83AC20E0EBB0596596D6

Function 00254CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000,?,002628E9), ref: 00254D09
TerminateProcess.KERNEL32(00000000,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000,?,002628E9), ref: 00254D10
ExitProcess.KERNEL32 ref: 00254D22

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6fb049413a9cf292a268f7f5a16c06339bdf826cdb0fdcb0fcc140258f246d65
Instruction ID: 7770608be9e6c18cca4c0236e67b022e743e67a288e8b634a2a4ebfc8333a6dd
Opcode Fuzzy Hash: 6fb049413a9cf292a268f7f5a16c06339bdf826cdb0fdcb0fcc140258f246d65
Instruction Fuzzy Hash: F1E0B671411188ABCF11BF54EE0DE587B79FB45786B244058FC098B122CB76DDA6CA94

Function 0023BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#0, xrefs: 002807CE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#0
API String ID: 3964851224-868284047
Opcode ID: 2c52d4a93b8cff3499a93f720b31475e79477e10238c5478c0b3e18f85d4986c
Instruction ID: 7fa961952d6b5a67052f9023145ad83b8b3b84a4c8bdfec6fdf6603f660cd1ad
Opcode Fuzzy Hash: 2c52d4a93b8cff3499a93f720b31475e79477e10238c5478c0b3e18f85d4986c
Instruction Fuzzy Hash: B6A26AB46283018FD754DF18C480B2AB7E1BF89304F24896DE99A9B352D771EC65CF92

Function 002BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 002BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002BB1D4
_wcslen.LIBCMT ref: 002BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002BB236
_wcslen.LIBCMT ref: 002BB332

Part of subcall function 002A05A7: GetStdHandle.KERNEL32(000000F6), ref: 002A05C6

_wcslen.LIBCMT ref: 002BB34B
_wcslen.LIBCMT ref: 002BB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002BB3B6
GetLastError.KERNEL32(00000000), ref: 002BB407
CloseHandle.KERNEL32(?), ref: 002BB439
CloseHandle.KERNEL32(00000000), ref: 002BB44A
CloseHandle.KERNEL32(00000000), ref: 002BB45C
CloseHandle.KERNEL32(00000000), ref: 002BB46E
CloseHandle.KERNEL32(?), ref: 002BB4E3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 13c0631073581b022e0124f0a724673957c10bfd1f57a94008b232595bfa8412
Instruction ID: 4aea071bdf8b19f7fbd68d2a4dc0ccc1d990d3e02710129a18478bd4ef52182e
Opcode Fuzzy Hash: 13c0631073581b022e0124f0a724673957c10bfd1f57a94008b232595bfa8412
Instruction Fuzzy Hash: DDF1BF715243419FCB25EF24C891B6EBBE4AF85350F14885DF8994B2A2CB71EC54CF52

Function 0023D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0023D807
timeGetTime.WINMM ref: 0023DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB28
TranslateMessage.USER32(?), ref: 0023DB7B
DispatchMessageW.USER32(?), ref: 0023DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB9F
Sleep.KERNELBASE(0000000A), ref: 0023DBB1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 95b016dc23a679ecbb03d8b9e2fa3fa1ae4bcd4f2bf46911503fd49b8c0f29bf
Instruction ID: 7833ad564dd57b23aad311611f58cca6b235ce54b393447b374a0d033e491ae2
Opcode Fuzzy Hash: 95b016dc23a679ecbb03d8b9e2fa3fa1ae4bcd4f2bf46911503fd49b8c0f29bf
Instruction Fuzzy Hash: 734232B4629342DFD729DF24D884B6AB7E4FF46304F14855AE456872E1C7B0E868CF82

Function 00232CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00232D07
RegisterClassExW.USER32(00000030), ref: 00232D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00232D42
InitCommonControlsEx.COMCTL32(?), ref: 00232D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00232D6F
LoadIconW.USER32(000000A9), ref: 00232D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00232D94

Strings

TaskbarCreated, xrefs: 00232D37
0, xrefs: 00232CE9
+, xrefs: 00232CF0
AutoIt v3 GUI, xrefs: 00232D23

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dfc7066f17b4347a0af77e0fa1f6f65644df75fdacbda1059094ef51bdf11f70
Instruction ID: 14b069bb9b24a5f231aa07e2723c88825d234636cdbd21722b664d455a990bf5
Opcode Fuzzy Hash: dfc7066f17b4347a0af77e0fa1f6f65644df75fdacbda1059094ef51bdf11f70
Instruction Fuzzy Hash: B821C0B5D52318EFDB01DFA4E899BDDBBB8FB08700F20811AF619A62A0D7B14544CF91

Function 0027065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0027039A: CreateFileW.KERNELBASE(00000000,00000000,?,00270704,?,?,00000000,?,00270704,00000000,0000000C), ref: 002703B7

GetLastError.KERNEL32 ref: 0027076F
__dosmaperr.LIBCMT ref: 00270776
GetFileType.KERNELBASE(00000000), ref: 00270782
GetLastError.KERNEL32 ref: 0027078C
__dosmaperr.LIBCMT ref: 00270795
CloseHandle.KERNEL32(00000000), ref: 002707B5
CloseHandle.KERNEL32(?), ref: 002708FF
GetLastError.KERNEL32 ref: 00270931
__dosmaperr.LIBCMT ref: 00270938

Strings

H, xrefs: 002708BD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fb59824d88a49f01bf6cdb60490996405e743e2e837ae58035af9e6268bd0b86
Instruction ID: 1bc216bce6dce233cc545c25b4a34b2b5e00ece7e7099b2701f53e24ff23292b
Opcode Fuzzy Hash: fb59824d88a49f01bf6cdb60490996405e743e2e837ae58035af9e6268bd0b86
Instruction Fuzzy Hash: C4A12932A20145CFDF19EF68D891BAD7BA4AB46320F14415DF819DB3D1DB319C2ACB91

Function 0023344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00233A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301418,?,00232E7F,?,?,?,00000000), ref: 00233A78

Part of subcall function 00233357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00233379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0023356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0027318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002731CE
RegCloseKey.ADVAPI32(?), ref: 00273210
_wcslen.LIBCMT ref: 00273277
_wcslen.LIBCMT ref: 00273286

Strings

\, xrefs: 0027328C
\Include\, xrefs: 00233527
Software\AutoIt v3\AutoIt, xrefs: 00233560
Include, xrefs: 00273184, 002731C5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2a88caed1323cd2a97ba1ba45171a128de661bdf15d5f3b3c69f4e3463a97e04
Instruction ID: dd11e696218dff96a239aab75cedbef54c2289c1ceae8a1e484dfbba679c073e
Opcode Fuzzy Hash: 2a88caed1323cd2a97ba1ba45171a128de661bdf15d5f3b3c69f4e3463a97e04
Instruction Fuzzy Hash: 0671DDB14253019EC305EF25EC9A96BBBE8FF85340F50486EF589931A0EB309A58CF52

Function 00232B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00232B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00232B9D
LoadIconW.USER32(00000063), ref: 00232BB3
LoadIconW.USER32(000000A4), ref: 00232BC5
LoadIconW.USER32(000000A2), ref: 00232BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00232BEF
RegisterClassExW.USER32(?), ref: 00232C40

Part of subcall function 00232CD4: GetSysColorBrush.USER32(0000000F), ref: 00232D07
Part of subcall function 00232CD4: RegisterClassExW.USER32(00000030), ref: 00232D31
Part of subcall function 00232CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00232D42
Part of subcall function 00232CD4: InitCommonControlsEx.COMCTL32(?), ref: 00232D5F
Part of subcall function 00232CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00232D6F
Part of subcall function 00232CD4: LoadIconW.USER32(000000A9), ref: 00232D85
Part of subcall function 00232CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00232D94

Strings

0, xrefs: 00232C0F
#, xrefs: 00232C16
AutoIt v3, xrefs: 00232C2F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0db42be2a75c0828cafcc1c0d1976293402f362b17b90790cb3b68226850db54
Instruction ID: 9024c7c0346a28c9e19420803cc521e9d2c13ed41963ebaad01c952d8d43a015
Opcode Fuzzy Hash: 0db42be2a75c0828cafcc1c0d1976293402f362b17b90790cb3b68226850db54
Instruction Fuzzy Hash: E1214C78E52314ABDB129FA5EC69BA9BFF8FB08B50F14009BF504A66A0D3B10554CF90

Function 00233170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0023316A,?,?), ref: 002331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0023316A,?,?), ref: 00233204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00233227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0023316A,?,?), ref: 00233232
CreatePopupMenu.USER32 ref: 00233246
PostQuitMessage.USER32(00000000), ref: 00233267

Strings

TaskbarCreated, xrefs: 0023322D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ae8bc7e63a50dd9878fa5195fbad0cfc70bf4a7011d1d992f67f03f643c6854a
Instruction ID: 4403cb9a83445dc9d0927af1c6990c94eca73c306447232c9799a633f35da8b7
Opcode Fuzzy Hash: ae8bc7e63a50dd9878fa5195fbad0cfc70bf4a7011d1d992f67f03f643c6854a
Instruction Fuzzy Hash: F9416AB5630201EBDB169F789C2DB7A3A1DE705300F144126F94E862E1CBB09F759BA1

Function 00231410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00231459
CoUninitialize.COMBASE ref: 002314F8
UnregisterHotKey.USER32(?), ref: 002316DD
DestroyWindow.USER32(?), ref: 002724B9
FreeLibrary.KERNEL32(?), ref: 0027251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0027254B

Strings

close all, xrefs: 00231454

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 82995c704927b6af603583acd4f25e4abf06442e00a315344627e3514212909e
Instruction ID: d8d514b3c6e28720c1ce5e25ff3b7c8358d928d733538e516daaa77058894cf5
Opcode Fuzzy Hash: 82995c704927b6af603583acd4f25e4abf06442e00a315344627e3514212909e
Instruction Fuzzy Hash: 55D16A71721212CFCB29EF14C999B29F7A4BF45700F6482ADE94A6B251CB30AD36CF51

Function 00232C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00232C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00232CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00231CAD,?), ref: 00232CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00231CAD,?), ref: 00232CCF

Strings

edit, xrefs: 00232CAC
AutoIt v3, xrefs: 00232C89, 00232C8E, 00232C8F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 307c79f8914bac4e04239abdbe30ace79a5bb5c26a22634d41fdb1653cb16d7d
Instruction ID: 3a3633fd7f1369efc8369c8b4ae512a114d5c59072b848adc6369b5c154e2b4e
Opcode Fuzzy Hash: 307c79f8914bac4e04239abdbe30ace79a5bb5c26a22634d41fdb1653cb16d7d
Instruction Fuzzy Hash: C2F0DA79541390BBEB321717AC1CE776EBDD7C6F50F10109EF904A25A4C6B11855DAB0

Function 00233B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B83

Strings

Control Panel\Mouse, xrefs: 00233B3E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 59b50bd3521a6f07a46b37b0f3d7cb366e31d61a5fe33aebbc8c8a8a84d97d17
Instruction ID: 2738603d6cd94e5c26e33338bd7883c8958de44562f67c17bebfeab105778fd3
Opcode Fuzzy Hash: 59b50bd3521a6f07a46b37b0f3d7cb366e31d61a5fe33aebbc8c8a8a84d97d17
Instruction Fuzzy Hash: B4112AB5520209FFDB20CFA5DC48EAEB7B9EF04748F104459E805D7210D2719F509760

Function 00233923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002733A2

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00233A04

Strings

Line: , xrefs: 002733EB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 464dee2f87dcfc1ac8c173df5146420466d9d3c8718be6469719e2d8973a0790
Instruction ID: c437072b9d24e29a8368d1aa104a51608f97a283eb794ffccdf2b4c5e3697fb3
Opcode Fuzzy Hash: 464dee2f87dcfc1ac8c173df5146420466d9d3c8718be6469719e2d8973a0790
Instruction Fuzzy Hash: 1431D4B1429300ABC325EB20DC49BEBB7ECAB41714F10856EF599930D1DB7097A9CBC2

Function 00232DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00272C8C

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 00232DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00232DC4

Strings

X, xrefs: 00272C5A
`e/, xrefs: 00272C85

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e/
API String ID: 779396738-446505701
Opcode ID: 7a0d56d5703a2de090ff586d50d035ccd04d87db3c22ef9a56512728b75c85da
Instruction ID: 2996f5186694c54417b423ff86d5e19163b372446a09b1c0dfaf8daf64e9fb1a
Opcode Fuzzy Hash: 7a0d56d5703a2de090ff586d50d035ccd04d87db3c22ef9a56512728b75c85da
Instruction Fuzzy Hash: 9521A8B1A2025C9FCB01EF94C849BEEBBFC9F49704F00805AE505B7241DBB4565D8FA1

Function 0024FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00250668

Part of subcall function 002532A4: RaiseException.KERNEL32(?,?,?,0025068A,?,00301444,?,?,?,?,?,?,0025068A,00231129,002F8738,00231129), ref: 00253304

__CxxThrowException@8.LIBVCRUNTIME ref: 00250685

Strings

Unknown exception, xrefs: 00250692

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6c5a5298433f4f9c62d84125fde2ad54efad4f41718e5d1c6bf086d7181cc433
Instruction ID: 76624b5059e26973cd394191addb71f10182b26c21bd8b0710b970f46111926c
Opcode Fuzzy Hash: 6c5a5298433f4f9c62d84125fde2ad54efad4f41718e5d1c6bf086d7181cc433
Instruction Fuzzy Hash: CCF02234D2020EB3CB04BAA4DC86CAEB76C6E40341BA04531BD14C2491FFB1DA7DC988

Function 002310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00231BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00231BF4
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00231BFC
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00231C07
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00231C12
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00231C1A
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00231C22

Part of subcall function 00231B4A: RegisterWindowMessageW.USER32(00000004,?,002312C4), ref: 00231BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0023136A
OleInitialize.OLE32 ref: 00231388
CloseHandle.KERNEL32(00000000,00000000), ref: 002724AB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4188700cb8ffc3604ed64f9c1f5186d311bf7739e7ba8de37492ce622cfcfbb5
Instruction ID: 59c940786e6c7f04a5dcc381f5f84830cdefd7e446e2976bbc142a5569bd997d
Opcode Fuzzy Hash: 4188700cb8ffc3604ed64f9c1f5186d311bf7739e7ba8de37492ce622cfcfbb5
Instruction Fuzzy Hash: 5171CFB49232048FC386DF7AAC756563AE8FB8A344F54822FE44ADB2B1EB304515CF44

Function 0029C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00233923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00233A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0029C259
KillTimer.USER32(?,00000001,?,?), ref: 0029C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0029C270

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 45ac935dd89c163e95244747f4c804c03c953e3d287255e7fb07cdb72c593acc
Instruction ID: 4911f746b37e5c5ecd1c1d7b2739988e08aeae91390cefd7b92bfb9542b3935e
Opcode Fuzzy Hash: 45ac935dd89c163e95244747f4c804c03c953e3d287255e7fb07cdb72c593acc
Instruction Fuzzy Hash: 07319370914384AFEF32DF649859BE7BBECAB06308F10449AD5DE97241C7745A88CB51

Function 002686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002685CC,?,002F8CC8,0000000C), ref: 00268704
GetLastError.KERNEL32(?,002685CC,?,002F8CC8,0000000C), ref: 0026870E
__dosmaperr.LIBCMT ref: 00268739

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cb04a51b5ddec8b5cb27cc99b57a8e4b6494544a9ae2cc6b1cdec7b1ba897edd
Instruction ID: 29a39f30df735ecf94d566da4522bc039fd284ef6bb35b6313e74e3bccb92d59
Opcode Fuzzy Hash: cb04a51b5ddec8b5cb27cc99b57a8e4b6494544a9ae2cc6b1cdec7b1ba897edd
Instruction Fuzzy Hash: 5D018933A3527166D2356B34E849B7E674D4B82B74F380399F9088B2D2DEF0CCE18590

Function 0023DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0023DB7B
DispatchMessageW.USER32(?), ref: 0023DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB9F
Sleep.KERNELBASE(0000000A), ref: 0023DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00281CC9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 60bf3e3852e06cfe98551e5e53960f18e07f4ef4da6b51f367e89ea1c466fdb4
Instruction ID: 6e6c5a800f06bc714abcceacd2b0e3245048549da2435917260adfea3bf917ad
Opcode Fuzzy Hash: 60bf3e3852e06cfe98551e5e53960f18e07f4ef4da6b51f367e89ea1c466fdb4
Instruction Fuzzy Hash: 14F05E716553419BEB30DB60EC99FAAB3ADEB44310F104919E61A830C0DB30A469CB16

Function 00241310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002417F6

Strings

CALL, xrefs: 002417C6

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 218f9a89c7a551ddfe1c77720a63b550a19748459f923c98d69953ceb1c94294
Instruction ID: 357bf75921685a249a9a3122d38c5f313fbe8035cc36a5c15d1160f906312e59
Opcode Fuzzy Hash: 218f9a89c7a551ddfe1c77720a63b550a19748459f923c98d69953ceb1c94294
Instruction Fuzzy Hash: F8229B746282029FC718DF14C494B2ABBF5BF85314F28895DF4968B3A1D771E8A5CF82

Function 00233837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00233908

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d9298a9f41ecf83d9d5cf13ae3472687644aa8b35b12d3e59e44a55a5e9e3e6a
Instruction ID: 97a7272d3f83be3ddcda19cab8100a36a2210a46ab55b96fb0584e24052d6d8e
Opcode Fuzzy Hash: d9298a9f41ecf83d9d5cf13ae3472687644aa8b35b12d3e59e44a55a5e9e3e6a
Instruction Fuzzy Hash: B031A2B0515301DFD721DF24D895797BBE8FB49709F00096EF99983280E7B1AA54CB92

Function 0024F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0024F661

Part of subcall function 0023D730: GetInputState.USER32 ref: 0023D807

Sleep.KERNEL32(00000000), ref: 0028F2DE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: cb9aedd1e757a01c56031bac920c95615c2df03d53fba09dbc6b1c0cb934e354
Instruction ID: 2b3e6ed7df70703e6cb64a66a5a874affe28b0d8155abbcf9bd0bccd43be83a7
Opcode Fuzzy Hash: cb9aedd1e757a01c56031bac920c95615c2df03d53fba09dbc6b1c0cb934e354
Instruction Fuzzy Hash: B7F08C752506059FD354EF79E549F6AB7E8EF45760F00002AE85DC72A0DBB0A820CF90

Function 00234ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00234E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E9C
Part of subcall function 00234E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00234EAE
Part of subcall function 00234E90: FreeLibrary.KERNEL32(00000000,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EFD

Part of subcall function 00234E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E62
Part of subcall function 00234E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00234E74
Part of subcall function 00234E59: FreeLibrary.KERNEL32(00000000,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E87

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8739a91358e83b136198d13581df7ee0c55fa84cfa4d6b9ef963b10401efc8cd
Instruction ID: 60c0a07d94279c7369ce3673ce288d4d22841fb3d90f02171323a7c5435c7601
Opcode Fuzzy Hash: 8739a91358e83b136198d13581df7ee0c55fa84cfa4d6b9ef963b10401efc8cd
Instruction Fuzzy Hash: C1110172630205AACB14FF64D802FAD77A5AF40714F24846EF446A61C1EEB4EA259F50

Function 00268402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00268440

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c588100f21b227b156b932841d7746fb083d629e7a5fdfb82e9a095da59761fe
Instruction ID: d08ad2cf5e5c065ff78a536df3ef6790979d524ae4789a50676009cf67b1f758
Opcode Fuzzy Hash: c588100f21b227b156b932841d7746fb083d629e7a5fdfb82e9a095da59761fe
Instruction Fuzzy Hash: F711187590410AAFCB05DF58E981A9A7BF9EF48314F104199F808AB312DA31DA21CBA5

Function 00265000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00264C7D: RtlAllocateHeap.NTDLL(00000008,00231129,00000000,?,00262E29,00000001,00000364,?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?), ref: 00264CBE

_free.LIBCMT ref: 0026506C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 4ae0f3dda07cc34eeee61dda791e8b06d92a8923919abce60fcd7e91c1d5a8ac
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 07012672214705ABE3218F65D881A5AFBE8FB89370F25051DE18483280EA70A845CAB4

Function 0025E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 820540e2f770c5d0867916c6b6c5a796574271a16c4d2c2a09f5770fc1654e66
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9BF04432530A10DACB353E298C05B5A338D8F523B3F110716FC20921C2CBB0D92E8EAD

Function 00264C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00231129,00000000,?,00262E29,00000001,00000364,?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?), ref: 00264CBE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 978aa34f3fd47a18c82f04e03f64de4f49452ee28695381f28534cfd64770c78
Instruction ID: 1e32860adbdd646d21a10631b9a5a1be4ea81e4221a53ef83ba9f6e97f1a39f9
Opcode Fuzzy Hash: 978aa34f3fd47a18c82f04e03f64de4f49452ee28695381f28534cfd64770c78
Instruction Fuzzy Hash: EEF0E931633225A7DB217F669C09F5A7788BF817A1B144123FC99E6390CA70D8B186E0

Function 00263820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cfd5f0c9ecf725e2dda02b7946fd955f96805d3d381de8a0f4d6fb44a227e07
Instruction ID: a597e7d813759c5aec99ed0e8bfa4161b905df53e362ca1058511bd04eed3c29
Opcode Fuzzy Hash: 9cfd5f0c9ecf725e2dda02b7946fd955f96805d3d381de8a0f4d6fb44a227e07
Instruction Fuzzy Hash: 22E0E53213122656E6216E679D05BDA764AAB427B1F150022BC0593891CB60DDA186E4

Function 00234F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234F6D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5eba68cb7fc56c1a873eaf344a36a7ca8ea651b141ac2335cac7c714913c450c
Instruction ID: 01670cdd9169754fb686f65bf36256f89064573a9582951c1c51b0fbd2d31a86
Opcode Fuzzy Hash: 5eba68cb7fc56c1a873eaf344a36a7ca8ea651b141ac2335cac7c714913c450c
Instruction Fuzzy Hash: EDF030B1125752CFDB38AF65D494812B7E4FF1431972889FEE1DA82A11C771A854DF10

Function 002C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002C2A66

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8eb6a1f307747260c3b2652b9d4cddceb2f905f6e516b4693c2184ffb094c6fe
Instruction ID: e236d8ee338504b503ddb660e3774e85694f308ee35708a7060b04e5d77d98c8
Opcode Fuzzy Hash: 8eb6a1f307747260c3b2652b9d4cddceb2f905f6e516b4693c2184ffb094c6fe
Instruction Fuzzy Hash: 56E04F36374116EADB14EB34EC80EFA735CEB50395B10463AED1AD2100DF3099B99AA0

Function 002330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0023314E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 5c2c6761d86beb38178a96f843695bc764ea46a89b71ff74092ff0b0dab0d972
Instruction ID: 05ecff47b25eef0a7b07173b38d3f98eefd50f080d745809323e0f0b2a1f1659
Opcode Fuzzy Hash: 5c2c6761d86beb38178a96f843695bc764ea46a89b71ff74092ff0b0dab0d972
Instruction Fuzzy Hash: 71F037749143149FE753DF24DC497D57BBCA701708F0040E6A58896191D7745788CF51

Function 00232DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00232DC4

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e5336c20904fee134ea6f265908ca6e552512a74f1983b700941eaab176fe896
Instruction ID: 40d79190c312b6d273181db94d9e11f812e0143d77ed3add89657b721550b7d0
Opcode Fuzzy Hash: e5336c20904fee134ea6f265908ca6e552512a74f1983b700941eaab176fe896
Instruction Fuzzy Hash: DEE0CD72A002245BC72092589C09FDA77DDDFC8790F044071FD0DE7248D970AD908A91

Function 00232B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00233837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00233908

Part of subcall function 0023D730: GetInputState.USER32 ref: 0023D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00232B6B

Part of subcall function 002330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0023314E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 65fad7e69a44285a70c773c078f41aa0e483ed8a7c0582523f164542426d309f
Instruction ID: f3dcf703d08e0f777a1de53a1c63ccb84152f19d6cffe6d3710ec32fd47e152b
Opcode Fuzzy Hash: 65fad7e69a44285a70c773c078f41aa0e483ed8a7c0582523f164542426d309f
Instruction Fuzzy Hash: 84E026A131424402C608FB31A82256DE3598BD1311F40043EF142831A2CF2086694A11

Function 0027039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00270704,?,?,00000000,?,00270704,00000000,0000000C), ref: 002703B7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1907d01733494086b6aaff0391acb9a8a46619a2b2ed26f5cb1d96ccb610cb7c
Instruction ID: da86b126051c30b6552ae05b6c73937df8c8e0b8b783353df18e7cbfbbf5944a
Opcode Fuzzy Hash: 1907d01733494086b6aaff0391acb9a8a46619a2b2ed26f5cb1d96ccb610cb7c
Instruction Fuzzy Hash: CFD06C3204010DBBDF028F85ED06EDA3BAAFB48714F114000FE1C56020C772E821AB90

Function 00231CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00231CBC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0e8b6ba011513cd400f58d731549e7b8105fc8c1d2e45564c3b45e2764d21d7a
Instruction ID: 03324f204a327f10b6fd8aad5f0a4562aa5f3a20c3c83a43b3921aabe3b05332
Opcode Fuzzy Hash: 0e8b6ba011513cd400f58d731549e7b8105fc8c1d2e45564c3b45e2764d21d7a
Instruction Fuzzy Hash: 3CC0923A281304AFF3168B80BC6EF11B768E348B00F548002F60DA95E3C3A22821EB54

Non-executed Functions

Function 002C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C96C9
SendMessageW.USER32 ref: 002C96F2
GetKeyState.USER32(00000011), ref: 002C978B
GetKeyState.USER32(00000009), ref: 002C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002C97AE
GetKeyState.USER32(00000010), ref: 002C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C97E9
SendMessageW.USER32 ref: 002C9810
SendMessageW.USER32(?,00001030,?,002C7E95), ref: 002C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002C9941
SetCapture.USER32(?), ref: 002C994A
ClientToScreen.USER32(?,?), ref: 002C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002C99D6
ReleaseCapture.USER32 ref: 002C99E1
GetCursorPos.USER32(?), ref: 002C9A19
ScreenToClient.USER32(?,?), ref: 002C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002C9A80
SendMessageW.USER32 ref: 002C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002C9AEB
SendMessageW.USER32 ref: 002C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002C9B4A
GetCursorPos.USER32(?), ref: 002C9B68
ScreenToClient.USER32(?,?), ref: 002C9B75
GetParent.USER32(?), ref: 002C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002C9BFA
SendMessageW.USER32 ref: 002C9C2B
ClientToScreen.USER32(?,?), ref: 002C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002C9CDE
SendMessageW.USER32 ref: 002C9D01
ClientToScreen.USER32(?,?), ref: 002C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002C9D82

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

GetWindowLongW.USER32(?,000000F0), ref: 002C9E05

Strings

p#0, xrefs: 002C9990
@GUI_DRAGID, xrefs: 002C997D
F, xrefs: 002C9D07

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#0
API String ID: 3429851547-3453007137
Opcode ID: f6634c705b998fa0b0f9b3057ec721b05eae91ae422ef48ecf9063373236498b
Instruction ID: 78e64853ec64ab1f2a50dfc1332f3494b6b9b7b8c374309017c2e0bc5edb3ed0
Opcode Fuzzy Hash: f6634c705b998fa0b0f9b3057ec721b05eae91ae422ef48ecf9063373236498b
Instruction Fuzzy Hash: B6428C74625201AFD725CF24CC58FAABBE9FF89310F20061EF599972A1D771A9A0CF41

Function 002C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002C4A7E
IsMenu.USER32(?), ref: 002C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002C4B20
GetWindowLongW.USER32(?,000000F0), ref: 002C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002C4C82
wsprintfW.USER32 ref: 002C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 002C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 002C4D5A

Strings

%d/%02d/%02d, xrefs: 002C4CA8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 29aa8de59786314a0ca7bf7ebc02f510761d225d14edf393f051ce6e0845cb21
Instruction ID: 119bbfc832a94fe9df669a9f6378a5b81d9f8720f5ea4165f19d2adea887489d
Opcode Fuzzy Hash: 29aa8de59786314a0ca7bf7ebc02f510761d225d14edf393f051ce6e0845cb21
Instruction Fuzzy Hash: D9121271620215ABEB28AF24DC59FAF7BF8EF85310F20421DF91ADA2E0D7749950CB50

Function 0024F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0024F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028F474
IsIconic.USER32(00000000), ref: 0028F47D
ShowWindow.USER32(00000000,00000009), ref: 0028F48A
SetForegroundWindow.USER32(00000000), ref: 0028F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028F4AA
GetCurrentThreadId.KERNEL32 ref: 0028F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0028F4DE
SetForegroundWindow.USER32(00000000), ref: 0028F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F4F6
keybd_event.USER32(00000012,00000000), ref: 0028F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F50B
keybd_event.USER32(00000012,00000000), ref: 0028F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F519
keybd_event.USER32(00000012,00000000), ref: 0028F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F528
keybd_event.USER32(00000012,00000000), ref: 0028F52D
SetForegroundWindow.USER32(00000000), ref: 0028F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0028F557

Strings

Shell_TrayWnd, xrefs: 0028F46F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a7fee4fa548417fa6950aa0c0b716925a554892a05ee85c81212d1a809415563
Instruction ID: 86c53e207399e96dcd9900aafb4a94555e86d7c864b8bf1319997fadef7c3fac
Opcode Fuzzy Hash: a7fee4fa548417fa6950aa0c0b716925a554892a05ee85c81212d1a809415563
Instruction Fuzzy Hash: 6D315EB5A50218BAEB206FB55D4EFBF7E6CEB44B50F20002AFA05F61D1C6B45910AB60

Function 00291201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
Part of subcall function 002916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
Part of subcall function 002916C3: GetLastError.KERNEL32 ref: 0029174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00291286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002912A8
CloseHandle.KERNEL32(?), ref: 002912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002912D1
GetProcessWindowStation.USER32 ref: 002912EA
SetProcessWindowStation.USER32(00000000), ref: 002912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00291310

Part of subcall function 002910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002911FC), ref: 002910D4
Part of subcall function 002910BF: CloseHandle.KERNEL32(?,?,002911FC), ref: 002910E9

Strings

, xrefs: 0029125A
Z/, xrefs: 00291392
default, xrefs: 0029130B
winsta0, xrefs: 002912CC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z/
API String ID: 22674027-1478175429
Opcode ID: 7f9615d50ed3998dfceb5b0fb36e7d84c0a63472c87a131193400011d69aee87
Instruction ID: 49ad67f864a9d795c3779d46c258cf6ac8d7c7b37040d9874dd6b512689f97ad
Opcode Fuzzy Hash: 7f9615d50ed3998dfceb5b0fb36e7d84c0a63472c87a131193400011d69aee87
Instruction Fuzzy Hash: E681A07191020AAFEF119FA5DD49FEE7BB9EF08704F244129F915A61A0D7718974CF20

Function 00290B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
Part of subcall function 002910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
Part of subcall function 002910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
Part of subcall function 002910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00290BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00290C00
GetLengthSid.ADVAPI32(?), ref: 00290C17
GetAce.ADVAPI32(?,00000000,?), ref: 00290C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00290C6D
GetLengthSid.ADVAPI32(?), ref: 00290C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00290C8C
HeapAlloc.KERNEL32(00000000), ref: 00290C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00290CB4
CopySid.ADVAPI32(00000000), ref: 00290CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00290CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00290D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00290D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D45
HeapFree.KERNEL32(00000000), ref: 00290D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D55
HeapFree.KERNEL32(00000000), ref: 00290D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D65
HeapFree.KERNEL32(00000000), ref: 00290D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00290D78
HeapFree.KERNEL32(00000000), ref: 00290D7F

Part of subcall function 00291193: GetProcessHeap.KERNEL32(00000008,00290BB1,?,00000000,?,00290BB1,?), ref: 002911A1
Part of subcall function 00291193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00290BB1,?), ref: 002911A8
Part of subcall function 00291193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00290BB1,?), ref: 002911B7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: eb4f1ba3eb3244b828278f4c01b32110dc79a9b14384b2170709e4672dbb832f
Instruction ID: bbbb05cdc4bdf331dfc4a5224d71491f55d967a4615320f393e5fe9e7dca656c
Opcode Fuzzy Hash: eb4f1ba3eb3244b828278f4c01b32110dc79a9b14384b2170709e4672dbb832f
Instruction Fuzzy Hash: 99714B7291020AAFDF10DFA5EC88FAEBBBCFF04314F144525E919A6291D771A915CBB0

Function 002AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002CCC08), ref: 002AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 002AEB37
GetClipboardData.USER32(0000000D), ref: 002AEB43
CloseClipboard.USER32 ref: 002AEB4F
GlobalLock.KERNEL32(00000000), ref: 002AEB87
CloseClipboard.USER32 ref: 002AEB91
GlobalUnlock.KERNEL32(00000000), ref: 002AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 002AEBC9
GetClipboardData.USER32(00000001), ref: 002AEBD1
GlobalLock.KERNEL32(00000000), ref: 002AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 002AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 002AEC38
GetClipboardData.USER32(0000000F), ref: 002AEC44
GlobalLock.KERNEL32(00000000), ref: 002AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002AECD2
GlobalUnlock.KERNEL32(00000000), ref: 002AECF3
CountClipboardFormats.USER32 ref: 002AED14
CloseClipboard.USER32 ref: 002AED59

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: c5276168987027d0ebabbda226ffd7e268c17687ff5c0f57125690ec2f9bef4c
Instruction ID: e18a6ec869eace3f93f18d16fba6017403fe1ab5631ef31a5167c33c3c867621
Opcode Fuzzy Hash: c5276168987027d0ebabbda226ffd7e268c17687ff5c0f57125690ec2f9bef4c
Instruction Fuzzy Hash: EF610274214302AFD700EF24D888F2AB7A8BF85714F25495DF85A872A1CF70DD56CB62

Function 002A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A69BE
FindClose.KERNEL32(00000000), ref: 002A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002A6A75

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 002A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 002A6ADF

Strings

%4d, xrefs: 002A6BB1
%03d, xrefs: 002A6DA2
%02d, xrefs: 002A6C00, 002A6C0A, 002A6C5A, 002A6CAA, 002A6CFA, 002A6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 002A6B32
%4d%02d%02d%02d%02d%02d, xrefs: 002A6B6A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ba528d58aa12be71bb00d2c1bec776651129c620e084998a7b7bd572cd130621
Instruction ID: 2e82e6bb9630be7b2af1bd1cf56572d4892c07bfb8c08acba05e17e2f2695bb3
Opcode Fuzzy Hash: ba528d58aa12be71bb00d2c1bec776651129c620e084998a7b7bd572cd130621
Instruction Fuzzy Hash: 87D170B2518300AFC714EFA0C985EABB7ECAF89704F04491DF589D7291EB74DA54CB62

Function 002A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 002A9663
GetFileAttributesW.KERNEL32(?), ref: 002A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 002A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 002A96D3
FindClose.KERNEL32(00000000), ref: 002A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 002A974A
SetCurrentDirectoryW.KERNEL32(002F6B7C), ref: 002A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 002A9772
FindClose.KERNEL32(00000000), ref: 002A977F
FindClose.KERNEL32(00000000), ref: 002A978F

Strings

*.*, xrefs: 002A96F5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 23c453b28bd58262b21ea7d6c33e6e7ef2fa4dd204f657c1e3803fb2a2ce391c
Instruction ID: affdfd18d7b36fe25a61afd83bc330e820926f7f41970157ed1758790b61d266
Opcode Fuzzy Hash: 23c453b28bd58262b21ea7d6c33e6e7ef2fa4dd204f657c1e3803fb2a2ce391c
Instruction Fuzzy Hash: 4131C57252021A6BDB14DFB5EC0CEEEB7ACDF4A361F1041A5F905E2090DF30D9948E64

Function 002A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 002A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 002A9819
FindClose.KERNEL32(00000000), ref: 002A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 002A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 002A9890
SetCurrentDirectoryW.KERNEL32(002F6B7C), ref: 002A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002A98B8
FindClose.KERNEL32(00000000), ref: 002A98C5
FindClose.KERNEL32(00000000), ref: 002A98D5

Part of subcall function 0029DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0029DB00

Strings

*.*, xrefs: 002A983B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 10a6ca5879da0dae67ac0cb275be8e07be04aaa38f8635a15cff5495fba4d924
Instruction ID: 0bb773e039b748154a83fc7e27d35d5b5b0adbe7f76b77480e1a70335cb8c19a
Opcode Fuzzy Hash: 10a6ca5879da0dae67ac0cb275be8e07be04aaa38f8635a15cff5495fba4d924
Instruction Fuzzy Hash: 7B31A03152121A6FDB10EFA5EC48EEE77ACDF07320F2041A5E914A2090DF35DAA5CF64

Function 002BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 002BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 002BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 002BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002BC382
RegCloseKey.ADVAPI32(00000000), ref: 002BC38F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 70717a7c4eb14225a12a6c5c5319c1377970cac13e7d6ac4d4bbe9b0f89a1868
Instruction ID: 2ed030b23cee8b6b7adc55e75f93064c5d740a4096ca81ce823683ea3ce843a2
Opcode Fuzzy Hash: 70717a7c4eb14225a12a6c5c5319c1377970cac13e7d6ac4d4bbe9b0f89a1868
Instruction Fuzzy Hash: 5B026B71614201AFC714CF28C894E6ABBE5AF89358F58C49DF84ADB2A2D731EC52CF51

Function 002A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 002A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8395

Strings

*.*, xrefs: 002A839B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e1d7bc27143b991a7cd89a8b817f55771016942dbfa587bccabf84a50a1fdcd9
Instruction ID: 1f50ba309336cbea5d94a1b3a3077a9523d80fa842acf808abc720762f7357fa
Opcode Fuzzy Hash: e1d7bc27143b991a7cd89a8b817f55771016942dbfa587bccabf84a50a1fdcd9
Instruction Fuzzy Hash: 4F618CB25243459FCB10EF60C844AAEB3E8FF89310F14495EF98997251DB31E965CF92

Function 0029D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

FindFirstFileW.KERNEL32(?,?), ref: 0029D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0029D1DD
MoveFileW.KERNEL32(?,?), ref: 0029D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0029D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0029D237

Part of subcall function 0029D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0029D21C,?,?), ref: 0029D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0029D253
FindClose.KERNEL32(00000000), ref: 0029D264

Strings

\*.*, xrefs: 0029D0CD, 0029D0D6, 0029D0EB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 63a4669d6f8656339caec954181fe5b1a1bdd9f83d0e1fcffdc801025533c215
Instruction ID: ebc06ca2866ee5ec175ff4ef0cb67e4f685858c854031e0aeb9e855c0695cf2d
Opcode Fuzzy Hash: 63a4669d6f8656339caec954181fe5b1a1bdd9f83d0e1fcffdc801025533c215
Instruction Fuzzy Hash: B7617A71C1510DAACF05EFE0DA929EDB7B5AF55300F204065E806771A2EB30AF69DF61

Function 002AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002AED91
EmptyClipboard.USER32 ref: 002AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 002AEDAC
CloseClipboard.USER32 ref: 002AEEA3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f064d8f46af9fce36f5d7f0991c30c6cbef74faf67ea9ffd0d548326c7473040
Instruction ID: 75ece35598dbde4e5dc9917f97f7b8f2815db4928e861a6b9817fa2cebc6e40d
Opcode Fuzzy Hash: f064d8f46af9fce36f5d7f0991c30c6cbef74faf67ea9ffd0d548326c7473040
Instruction Fuzzy Hash: 7C41E1752146129FDB10CF15E888F19BBE4EF45329F25C09DE4198B662CB71EC42CF90

Function 0029E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
Part of subcall function 002916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
Part of subcall function 002916C3: GetLastError.KERNEL32 ref: 0029174A

ExitWindowsEx.USER32(?,00000000), ref: 0029E932

Strings

, xrefs: 0029E920
@, xrefs: 0029E925
, xrefs: 0029E95C
SeShutdownPrivilege, xrefs: 0029E902

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 01216effec1672aeadac11363e7f2977c797f0c4cc35dafd2641037c6a09efd4
Instruction ID: 06e0963d6a89586b90068fe471fdf5c4759b7474956f74977dfeb46f6f7ad578
Opcode Fuzzy Hash: 01216effec1672aeadac11363e7f2977c797f0c4cc35dafd2641037c6a09efd4
Instruction Fuzzy Hash: 9301F972A30212AFFF54A6B5AC8AFBF726CAB14750F260421FD03E31D2D9A15C608590

Function 002B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002B1276
WSAGetLastError.WSOCK32 ref: 002B1283
bind.WSOCK32(00000000,?,00000010), ref: 002B12BA
WSAGetLastError.WSOCK32 ref: 002B12C5
closesocket.WSOCK32(00000000), ref: 002B12F4
listen.WSOCK32(00000000,00000005), ref: 002B1303
WSAGetLastError.WSOCK32 ref: 002B130D
closesocket.WSOCK32(00000000), ref: 002B133C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 215b6049cde31376c00a5bfb37efb320133201be1022907e0a7cbddfe6acb23f
Instruction ID: f3f6872f5f7e64365437f93602929388e46c89fa7be8c9191c487aa84d6f5ec1
Opcode Fuzzy Hash: 215b6049cde31376c00a5bfb37efb320133201be1022907e0a7cbddfe6acb23f
Instruction Fuzzy Hash: F941D271A101119FD710DF24D498B6ABBE5BF46358F688188E8568F3D6C771EC91CBE0

Function 0026B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0026B9D4
_free.LIBCMT ref: 0026B9F8
_free.LIBCMT ref: 0026BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002D3700), ref: 0026BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0030121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0026BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00301270,000000FF,?,0000003F,00000000,?), ref: 0026BC36
_free.LIBCMT ref: 0026BD4B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cebc5fdb15e51c0564e21cd685076c9924b3cb25f9c5c960d4e39253c7ab6f80
Instruction ID: ba7ab67521d3916aebdb063dd78cc19e2b5e87bfaf238f068c19286d9ed770ba
Opcode Fuzzy Hash: cebc5fdb15e51c0564e21cd685076c9924b3cb25f9c5c960d4e39253c7ab6f80
Instruction Fuzzy Hash: 83C12871A24206EFCB22DF78DC51AAA7BBDEF41350F24419AE894D7251E7308EE1CB50

Function 0029D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

FindFirstFileW.KERNEL32(?,?), ref: 0029D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0029D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0029D481
FindClose.KERNEL32(00000000), ref: 0029D498
FindClose.KERNEL32(00000000), ref: 0029D4A1

Strings

\*.*, xrefs: 0029D3F2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2a17a9ca9b7c855a076472c834a102d3c92ae48509e92eeb1e6078f829026b44
Instruction ID: e2ed01cc488e238bef3dc99573ebf15a91184645f8ffae3193a02faaea7c613a
Opcode Fuzzy Hash: 2a17a9ca9b7c855a076472c834a102d3c92ae48509e92eeb1e6078f829026b44
Instruction Fuzzy Hash: B631837102C3459FC700EF64D8558AFB7E8BE92310F445A2DF4D553191EB30AA29DB63

Function 0026E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0026E645

Strings

1#INF, xrefs: 0026F852
1#SNAN, xrefs: 0026F844
1#IND, xrefs: 0026F83D
1#QNAN, xrefs: 0026F84B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a992fcb44982d8fe5aa2e7c6b9eed1ea99420e9d203dfa4c04ef7e599fed7386
Instruction ID: e674e170a261150c27d2ae2f22468654747b72a58cf796645437e55c38cbb239
Opcode Fuzzy Hash: a992fcb44982d8fe5aa2e7c6b9eed1ea99420e9d203dfa4c04ef7e599fed7386
Instruction Fuzzy Hash: F0C24971E286298FDF65CE28DD407EAB7B9EB44305F1541EAD80EE7240E774AE918F40

Function 002A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A64DC
CoInitialize.OLE32(00000000), ref: 002A6639
CoCreateInstance.OLE32(002CFCF8,00000000,00000001,002CFB68,?), ref: 002A6650
CoUninitialize.OLE32 ref: 002A68D4

Strings

.lnk, xrefs: 002A64BA, 002A6524, 002A65E0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ebbadad7714a111dea4cca7280023747e953429a8377d9b773727b862b7c8639
Instruction ID: 2c364d21d46b95f676fab79e5c117807003c4e676cd855c0bdf2dd7691826911
Opcode Fuzzy Hash: ebbadad7714a111dea4cca7280023747e953429a8377d9b773727b862b7c8639
Instruction Fuzzy Hash: 0DD179B1528201AFC314EF24C885D6BB7E8FF99304F54492DF5958B2A1EB70E919CF92

Function 002B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002B22E8

Part of subcall function 002AE4EC: GetWindowRect.USER32(?,?), ref: 002AE504

GetDesktopWindow.USER32 ref: 002B2312
GetWindowRect.USER32(00000000), ref: 002B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 002B2355
GetCursorPos.USER32(?), ref: 002B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002B23DF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c846306e7b64d1c258ed725dbc772554aba8366dd02f4060ae3ac51685f06952
Instruction ID: ae01f4da629be9bc134a3715151f87ff15a2d5831c2aadfacd44b1d877eb35a5
Opcode Fuzzy Hash: c846306e7b64d1c258ed725dbc772554aba8366dd02f4060ae3ac51685f06952
Instruction Fuzzy Hash: 33310372504305AFDB20DF14D849F9BB7E9FF88350F100919F989A7191DB34E919CB92

Function 002A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002A9C8B

Part of subcall function 002A3874: GetInputState.USER32 ref: 002A38CB
Part of subcall function 002A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002A9C75

Strings

*.*, xrefs: 002A9B5D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3012d0127856775320231d615d68a61a9065dccf41221645b414e3c0ba889965
Instruction ID: dd32493236e69bf667dbed6f0c30e06afc820b25a0c1f1aacb1d846ac1cfd848
Opcode Fuzzy Hash: 3012d0127856775320231d615d68a61a9065dccf41221645b414e3c0ba889965
Instruction Fuzzy Hash: 0241847191460A9FCF14DFA5CC49AEEBBB5EF0A310F244156E805A3191DB709FA4CF60

Function 0024997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00249A4E
GetSysColor.USER32(0000000F), ref: 00249B23
SetBkColor.GDI32(?,00000000), ref: 00249B36

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 37c7771d2263ec42cbb9616bd168e5863fb73dbc2e087a10189e8e4317eeb827
Instruction ID: 21fe42d4ba0d7a52a99e9db27c7da722dfbcc0b2cf515dd98b3e1353f64a4fff
Opcode Fuzzy Hash: 37c7771d2263ec42cbb9616bd168e5863fb73dbc2e087a10189e8e4317eeb827
Instruction Fuzzy Hash: 9BA1387013A425AEE72DEE3C8C98E7B2A9DEB42344F244309F402C66D1CA65DDB1C772

Function 002B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
Part of subcall function 002B304E: _wcslen.LIBCMT ref: 002B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002B185D
WSAGetLastError.WSOCK32 ref: 002B1884
bind.WSOCK32(00000000,?,00000010), ref: 002B18DB
WSAGetLastError.WSOCK32 ref: 002B18E6
closesocket.WSOCK32(00000000), ref: 002B1915

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 8922e3d1a0a79e6739fed1f07435202b976c67bc361ea34fab30e5c4e670b900
Instruction ID: 70a4999886171801e2729eba3970f319d9fc5df714046e1b0e3701d2ac7a3493
Opcode Fuzzy Hash: 8922e3d1a0a79e6739fed1f07435202b976c67bc361ea34fab30e5c4e670b900
Instruction Fuzzy Hash: E451E6B5A102006FEB10AF24C896F6A77E5AB44718F54805CFA065F3D3C771AD618FA1

Function 002C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002C1CC0
IsWindowEnabled.USER32 ref: 002C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002C1CDB
IsIconic.USER32 ref: 002C1CE9
IsZoomed.USER32 ref: 002C1CF7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c97c4a99f023e959b5778883f8204fb254609c324812b191c06e2588efceeb6d
Instruction ID: 5f7d646ef591d132da742f329bb25fee4a35fa4deea853ca1ad46e4f5cadca07
Opcode Fuzzy Hash: c97c4a99f023e959b5778883f8204fb254609c324812b191c06e2588efceeb6d
Instruction Fuzzy Hash: F821F6317502015FD3208F1AD885F267BA4EF86314F28815DF84A8B352CB71DD62CB91

Function 00238060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00275DF0
VUUU, xrefs: 002383E8
VUUU, xrefs: 002383FA
ERCP, xrefs: 0023813C
VUUU, xrefs: 0023843C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a23b591979b1c104768559b38596833240f4dbda02969dbf525e5585b105fce2
Instruction ID: d73feb39846bfe8a98a0dad4131386f1c02a49fdfef9244e3537e671252f4d3d
Opcode Fuzzy Hash: a23b591979b1c104768559b38596833240f4dbda02969dbf525e5585b105fce2
Instruction Fuzzy Hash: 95A274B1E2062ACBDF24CF58C8457AEB7B1BF54314F24819AE819AB345DB709DA1CF50

Function 0029D5EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D608
DeviceIoControl.KERNEL32(00000000,pow,?,0000000C,?,00000028,?,00000000), ref: 0029D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D650

Strings

pow, xrefs: 0029D63F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: pow
API String ID: 33631002-2276729525
Opcode ID: d65b42228b541342b4fdf7d0c9de030962182f38ae1d5bb77cc03fae55bce015
Instruction ID: 90576f49fcb9ba6d0c2e97bd0d94d068bacac42cdfcf838a3221d64578b09ec2
Opcode Fuzzy Hash: d65b42228b541342b4fdf7d0c9de030962182f38ae1d5bb77cc03fae55bce015
Instruction Fuzzy Hash: 64116175E05228BFDB108F95EC49FAFBFBCEB45B50F108155F908E7290D6B04A059BA1

Function 00298298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002982AA

Strings

|, xrefs: 002982DA
(, xrefs: 002982F0
tb/, xrefs: 002984F4

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb/$|
API String ID: 1659193697-4214508366
Opcode ID: 023e3926fca929c720f6d45436dc7833a79afd92261667c5b547ce268424b4fb
Instruction ID: d691ed89c79789e90fecd07298ccd0de11204dd6d3c1b894cfe151539cd91749
Opcode Fuzzy Hash: 023e3926fca929c720f6d45436dc7833a79afd92261667c5b547ce268424b4fb
Instruction Fuzzy Hash: 81324675A10606DFCB28CF59C480A6AB7F0FF48710B15C46EE99ADB3A1EB70E951CB44

Function 0029AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0029AAAC
SetKeyboardState.USER32(00000080), ref: 0029AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0029AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0029AB88

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91d11ca946075b65e72ed9efa6bd1e509fa70c100dda7c81f6d59b987d8511e5
Instruction ID: c7b129257cd2423f7961aca3a77cd12f7630d20b332312c2adf7683381840988
Opcode Fuzzy Hash: 91d11ca946075b65e72ed9efa6bd1e509fa70c100dda7c81f6d59b987d8511e5
Instruction Fuzzy Hash: D6315D30A60309AFFF35CF68CC15BFA77A6AB64328F14421AF585521D0D77489A1C7D2

Function 002ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 002ACE89
GetLastError.KERNEL32(?,00000000), ref: 002ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 002ACEFE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 95f15fda6dfa5d2654a3b16a5224ea0122b3c6d1a1ce043ca9e9a6ad7d74b7c2
Instruction ID: b711fce5705d3b91d2ef2b31f397d5245c1b7c3799d875982bb2c134f7fe1649
Opcode Fuzzy Hash: 95f15fda6dfa5d2654a3b16a5224ea0122b3c6d1a1ce043ca9e9a6ad7d74b7c2
Instruction Fuzzy Hash: BD21EDB1520306AFEB20CF65DA48BA6B7FCEB11354F20442EE646D2551EB70EE18CF94

Function 002A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 002A5D17
FindClose.KERNEL32(?), ref: 002A5D5F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f0209813b63f2c66073eae6bdedfc46a94089340d3a78716988e2fc53bd1092c
Instruction ID: 499cdb0d9f5f2a1f4948fd7f56e72f22e944a3203228df6ab463fe00fc489e41
Opcode Fuzzy Hash: f0209813b63f2c66073eae6bdedfc46a94089340d3a78716988e2fc53bd1092c
Instruction Fuzzy Hash: F451BD74624A029FC714CF28C498E96B7E4FF4A324F14855EE95A8B3A1CB30ED24CF91

Function 00262622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0026271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00262724
UnhandledExceptionFilter.KERNEL32(?), ref: 00262731

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0a94d8ecd157604bbba69ba2e4acfe409c07e67f16e1840a3664c038e266c48c
Instruction ID: 619f81b85c34b6b3a8827551634f68a11a753cba842ee0ac78084ee797521f82
Opcode Fuzzy Hash: 0a94d8ecd157604bbba69ba2e4acfe409c07e67f16e1840a3664c038e266c48c
Instruction Fuzzy Hash: 1C31B57491121DABCB21DF64DD89BDDB7B8AF08310F5041EAE81CA7261E7309F958F45

Function 002A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002A5238
SetErrorMode.KERNEL32(00000000), ref: 002A52A1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ddd727dadfcb6d2b4aeae9f00840c13d1f58b8993fab16bc64a5fd268b2a325b
Instruction ID: 1eba98e519071b8308c8157b3ab866c757a1cceb8f0d0cf29895ad483e302711
Opcode Fuzzy Hash: ddd727dadfcb6d2b4aeae9f00840c13d1f58b8993fab16bc64a5fd268b2a325b
Instruction Fuzzy Hash: 9B314D75A10518DFDB00DF55D888EAEBBB4FF49314F188099E809AB362DB71E855CB90

Function 002916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0024FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00250668
Part of subcall function 0024FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00250685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
GetLastError.KERNEL32 ref: 0029174A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e6513fef209c45e5558149bdf17fd219e12c9971573e8ee34e2616c4da84a04c
Instruction ID: 602aac166740becea931c6da4a439086d8009dee311af5992c5f3aefb013f36f
Opcode Fuzzy Hash: e6513fef209c45e5558149bdf17fd219e12c9971573e8ee34e2616c4da84a04c
Instruction Fuzzy Hash: 271194B2814306AFD7189F54EC86D6AB7BDEF44714B24852EE05A57241EB70BC518A20

Function 00291663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0029168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002916A1
FreeSid.ADVAPI32(?), ref: 002916B1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 45eebdd58f1bf0df39b916bf9c61b39b3e4d0f45b6f7cbddb324b887a9de0722
Instruction ID: bf31fa74142f50e87dfa1471c6a91fa506236127a76e1ab46bc1f90e73486b5f
Opcode Fuzzy Hash: 45eebdd58f1bf0df39b916bf9c61b39b3e4d0f45b6f7cbddb324b887a9de0722
Instruction Fuzzy Hash: C9F0F471950309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774AA448A54

Function 0026C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0026C36C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f2bfaa76557a99fa8e28b0c99ab0b22e1b5604bd58e9f46ccba5b69e95cf1d0e
Instruction ID: be41660d760e67c9cce3986fd6da5185038c821e87f3687b7e9a3427b532f970
Opcode Fuzzy Hash: f2bfaa76557a99fa8e28b0c99ab0b22e1b5604bd58e9f46ccba5b69e95cf1d0e
Instruction Fuzzy Hash: B9413872910219ABCB24EFB9DC48EBB7778EB84314F2042A9FD45C7280E6709D918B50

Function 0028D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0028D28C

Strings

X64, xrefs: 0028D2A8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 269bf81206cb729e99d9ce307108e328dbc12d360b2c3a6aa38eea6b9eb40c20
Instruction ID: 92cb430d75858ec50a99ac4a8fad3e51410d9625bd028a1c9ebe53f541ab08e2
Opcode Fuzzy Hash: 269bf81206cb729e99d9ce307108e328dbc12d360b2c3a6aa38eea6b9eb40c20
Instruction Fuzzy Hash: 51D0C9B482511DEBCB94DB90EC88DD9B37CBB04305F100151F506A2040D7B095588F10

Function 0025CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d9e1681aff0968c5a9be5dfe73433ac498c94dbe1de01ba7bac72d101fc21f62
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C8023C71E102199FDF14CFA9C8806ADBBF1EF48325F25816AD819E7380E730AA55CB84

Function 0023CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#0, xrefs: 0023CF7F
Variable is not of type 'Object'., xrefs: 00280C40

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#0
API String ID: 0-1997178753
Opcode ID: 3b0acec4418602975ac56db2ac5c6d8af1fee5ee980a9d9ca7dd6dcd5a37bf90
Instruction ID: 6031b7dd5228d86584d243319981a8368faec627a693fe20a769ddf37f1764f0
Opcode Fuzzy Hash: 3b0acec4418602975ac56db2ac5c6d8af1fee5ee980a9d9ca7dd6dcd5a37bf90
Instruction Fuzzy Hash: F8329DB4930219DBCF14EF94C885AEDB7B5BF05304F24406AE806BB292D775AD69CF50

Function 002A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A6918
FindClose.KERNEL32(00000000), ref: 002A6961

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef3a3dcaa4422ac3243d14524877ee42757ea3b03c22e5823ea52758336aff9a
Instruction ID: 77feb69db3111c96f2c897b15e83fbf8f409a22fdcdd92c2d535e80edcfbdb93
Opcode Fuzzy Hash: ef3a3dcaa4422ac3243d14524877ee42757ea3b03c22e5823ea52758336aff9a
Instruction Fuzzy Hash: B31190756142019FC710DF29D488A16BBE5FF89328F18C699E8698F6A2CB30EC15CF91

Function 002A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002B4891,?,?,00000035,?), ref: 002A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002B4891,?,?,00000035,?), ref: 002A37F4

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 23f692595562d166157752f01a27b8c94d10dd1d2371632756ac1aef3b91cef9
Instruction ID: 9352e727f94f2b8ad2a9dc5603b3ef9457715b59fb0b4121a66f3719e77e2803
Opcode Fuzzy Hash: 23f692595562d166157752f01a27b8c94d10dd1d2371632756ac1aef3b91cef9
Instruction Fuzzy Hash: 95F055B06143282BE72057669C4CFEB7AAEEFC5760F100161F50CD2280D9A08900CAB0

Function 0029B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0029B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0029B270

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 74b7af2e36d679419a2f7e7ea9239bb396d7d4d50ba259ec2ec8791cea0511f1
Instruction ID: bbfeefa582820417dc6dbb9f0db9b71d2e358259828a6a1a766caca3895f3ccb
Opcode Fuzzy Hash: 74b7af2e36d679419a2f7e7ea9239bb396d7d4d50ba259ec2ec8791cea0511f1
Instruction Fuzzy Hash: 48F01D7181424EABDF059FA0D809BAE7BB4FF04305F10801AF955A5191C3799615DF94

Function 002910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002911FC), ref: 002910D4
CloseHandle.KERNEL32(?,?,002911FC), ref: 002910E9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3a7bd92fe9adb36c988c7805011303343566d66e8db10a885e1ca7e26e49d812
Instruction ID: e8581e428c7ab1eaeb69f62d8272f72603a7583f6b79189269ab56824fbac866
Opcode Fuzzy Hash: 3a7bd92fe9adb36c988c7805011303343566d66e8db10a885e1ca7e26e49d812
Instruction Fuzzy Hash: 2AE04F32028601EEE7292B11FD09E7377A9EB04310B24882DF4AA804B1DB626CA0DB10

Function 0026676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00266766,?,?,00000008,?,?,0026FEFE,00000000), ref: 00266998

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b59d5ee295f4f974c6966bfc34341b7a00c926722fc5480b0152508a2c09b12e
Instruction ID: 7e5de12e24911a67279f91095a8ebf7e0ccc87f3257ba1cb1b23307f36aca147
Opcode Fuzzy Hash: b59d5ee295f4f974c6966bfc34341b7a00c926722fc5480b0152508a2c09b12e
Instruction Fuzzy Hash: F6B14B31620609DFD719CF28C48AB657BE0FF45364F298658E899CF2A2C335EDA5CB40

Function 0024B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0028851F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aef99ea4447a3105970f8e4963da8c4d80747e7cd6e21029a6da1450b3799836
Instruction ID: 76341e93258225c8961ea712861771e81df6892f1f8dca441f0a92e7addc2ada
Opcode Fuzzy Hash: aef99ea4447a3105970f8e4963da8c4d80747e7cd6e21029a6da1450b3799836
Instruction Fuzzy Hash: 5E128075D202299BCB19DF58C8806EEB7B5FF48710F50819AE809EB291DB709E91CF90

Function 002AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002AEABD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 73849cc35f4911a58579d59ce86057744b960adad6820f1650293be7a02d3257
Instruction ID: b2d35c29609fbe8172958c3738a56f93cf7979f392d0ca64f6044ddda6889b40
Opcode Fuzzy Hash: 73849cc35f4911a58579d59ce86057744b960adad6820f1650293be7a02d3257
Instruction Fuzzy Hash: 38E01A762202049FC710EF69D804E9AB7E9AF99760F11841AFD49DB361DAB0EC518B90

Function 002509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002503EE), ref: 002509DA

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 01a79e8d9da474a03df7b6aa38db0dd9d16d8e010538d736bb48ad3d02de6796
Instruction ID: f0f102ae11dfbe57f65d4c287722318d3f4554b7798acbe46c7919b379dc191a
Opcode Fuzzy Hash: 01a79e8d9da474a03df7b6aa38db0dd9d16d8e010538d736bb48ad3d02de6796
Instruction Fuzzy Hash:

Function 0025781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0025798B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 63c1561cfd9633a037bdd06207e224889a7edcfce00d257f7ddd575b68c33dfd
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7B5158716FC6075ADB384D68A85D7BE23899B12302F180519DC82D7282C671DE3DE76E

Function 002A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&0, xrefs: 002A2053

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: 0&0
API String ID: 0-1043173130
Opcode ID: ac24701fbc05ff0d4b4c22be5bef66eda092b28b798f0977096dac7df91d95d3
Instruction ID: 7c8fedf5474bed06edadfeb9899967d509f6fd0507c9cd0012860d6c937ec70c
Opcode Fuzzy Hash: ac24701fbc05ff0d4b4c22be5bef66eda092b28b798f0977096dac7df91d95d3
Instruction Fuzzy Hash: CC21BB326215158BD728CF79C82367F73E9A764310F15862EE4A7C37D1DE76A904CB44

Function 00266DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e95f32a89753df1096c48ac3c89608c23df4160aba7bd256f0e65b3b98cad2
Instruction ID: c883862b88dd4728620f07432f5698d9b0fd984315aa492f1d41976725e62f51
Opcode Fuzzy Hash: 37e95f32a89753df1096c48ac3c89608c23df4160aba7bd256f0e65b3b98cad2
Instruction Fuzzy Hash: 1B321321D3AF418DD7239634E826335A749AFB73C9F25D737E81AB59A5EB29C8C34100

Function 0024CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbd9032c08b1d2e03aabc46e5f30efed5472918f82c49d86f613179cf7db01a
Instruction ID: dd69b00e6e696810000c4ec2333f9bf2fcb42ae3a3cbca1e7d7af479c4f12d15
Opcode Fuzzy Hash: cfbd9032c08b1d2e03aabc46e5f30efed5472918f82c49d86f613179cf7db01a
Instruction Fuzzy Hash: D1322439A361168BCF2CEE28C4D467D77A1EB45314F38816BD55A8B2E1D330DDA1DB60

Function 00237920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3879070f2611c888156453ef54f44df4d272a3fa3ec30e97218dbe3bff7d07
Instruction ID: da8051d54ee7bb988b72ddfe63451528b4e6586376662b9afe70dfa101b22b24
Opcode Fuzzy Hash: 6b3879070f2611c888156453ef54f44df4d272a3fa3ec30e97218dbe3bff7d07
Instruction Fuzzy Hash: 5322D3B0A2461ADFDF14CF64C981AAEF3F6FF44300F108569E816A7291EB75AD64CB50

Function 002391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20762de0475432befb52c44ce43911920a23c4d7f379cdbe7ad1ee5b7dce56c4
Instruction ID: 9e7e0068be18c5a0d89a24173a4defd89120c748ed10686ed9624c743e289c9b
Opcode Fuzzy Hash: 20762de0475432befb52c44ce43911920a23c4d7f379cdbe7ad1ee5b7dce56c4
Instruction Fuzzy Hash: EC02C9B1E20106EBDF05DF54D981AAEB7B5FF48304F1181A9E81A9B290E771DA70CF91

Function 00251C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 57252c05d0d6bc15ebdd33412d1e188f47aa51952eed2330f80e22a16aba0102
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BE9177321290A349DB294A39853567DFFF15A523A371A079EDCF2CA1C5EE30897CD624

Function 002519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6f2f92ec24040254187199bb06eb35e51b19ee571db2b9cf20ebb8e3d32e8e82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5E9188722290A34ADB2E467A857413DFFE15A923A731A079ED8F2CA1C1FD34C57CD624

Function 00257A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de787b27e37bb6a04f6fd7a373cf466f66a560c117b304156af5bb4d635b3752
Instruction ID: 245572f3855b39ad865b21db0ad5fa7c354dfbae5b47a667f75e4738ae8d1546
Opcode Fuzzy Hash: de787b27e37bb6a04f6fd7a373cf466f66a560c117b304156af5bb4d635b3752
Instruction Fuzzy Hash: C76169706F830B57DA345D287895BBE2394DF4130BF14091AEC42DB281D9B19E6E871D

Function 00257CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89742a7a5f97b3a685cd2223378b60b1957c584a50c80e8df46e5e4e3e433fa7
Instruction ID: b0fc8a045f1e71d06b6d6b94304e53d2cb188ef85cb13cb95d2aea4e2a585814
Opcode Fuzzy Hash: 89742a7a5f97b3a685cd2223378b60b1957c584a50c80e8df46e5e4e3e433fa7
Instruction Fuzzy Hash: 9A617A712F870B56DA384D287856BBE23A89F42703F100959EC43DB281E7B2DD7E865D

Function 00251706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e1c4b35007b0110fea2d8a346112c8019afae46ca359a0f2df338d383308014d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 538199325280A309EB2D463D853457EFFE15A923A371A079DD8F2CA1C1EE34C97CD624

Function 0024D065 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f9247746acb2885f3203d884419597a962342ec505fce3ad7cfb1bb898b3c
Instruction ID: 1d7377b74fe3da2afec1c864264caf561dc6eb68167a03c96a68b8f75125b154
Opcode Fuzzy Hash: 343f9247746acb2885f3203d884419597a962342ec505fce3ad7cfb1bb898b3c
Instruction Fuzzy Hash: DC5118A284FBC1AFDB074B71886E0447F70ED6765031E4ACFC0C08F1A7E6A41959CB66

Function 002B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002B2B30
DeleteObject.GDI32(00000000), ref: 002B2B43
DestroyWindow.USER32 ref: 002B2B52
GetDesktopWindow.USER32 ref: 002B2B6D
GetWindowRect.USER32(00000000), ref: 002B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 002B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 002B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2CF8
GetClientRect.USER32(00000000,?), ref: 002B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D80
GlobalLock.KERNEL32(00000000), ref: 002B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D98
GlobalUnlock.KERNEL32(00000000), ref: 002B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2DA8
GlobalFree.KERNEL32(00000000), ref: 002B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002CFC38,00000000), ref: 002B2DDB
GlobalFree.KERNEL32(00000000), ref: 002B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 002B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 002B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B303F

Strings

static, xrefs: 002B2D3A, 002B2E91
, xrefs: 002B2FC5
DISPLAY, xrefs: 002B2EA2
AutoIt v3, xrefs: 002B2CF2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b6afecfae9c80e5202805d9a514089c884318c409570698c999644501b5e4089
Instruction ID: 295196fee4b5ccf262580922e355e13689d1828f655fc271b4b33c5485054f00
Opcode Fuzzy Hash: b6afecfae9c80e5202805d9a514089c884318c409570698c999644501b5e4089
Instruction Fuzzy Hash: E0029AB5910209EFDB14DF64DC89EAE7BB9EF48310F148158F919AB2A1CB70AD15CF60

Function 002C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002C712F
GetSysColorBrush.USER32(0000000F), ref: 002C7160
GetSysColor.USER32(0000000F), ref: 002C716C
SetBkColor.GDI32(?,000000FF), ref: 002C7186
SelectObject.GDI32(?,?), ref: 002C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 002C71C0
GetSysColor.USER32(00000010), ref: 002C71C8
CreateSolidBrush.GDI32(00000000), ref: 002C71CF
FrameRect.USER32(?,?,00000000), ref: 002C71DE
DeleteObject.GDI32(00000000), ref: 002C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 002C7230
FillRect.USER32(?,?,?), ref: 002C7262
GetWindowLongW.USER32(?,000000F0), ref: 002C7284

Part of subcall function 002C73E8: GetSysColor.USER32(00000012), ref: 002C7421
Part of subcall function 002C73E8: SetTextColor.GDI32(?,?), ref: 002C7425
Part of subcall function 002C73E8: GetSysColorBrush.USER32(0000000F), ref: 002C743B
Part of subcall function 002C73E8: GetSysColor.USER32(0000000F), ref: 002C7446
Part of subcall function 002C73E8: GetSysColor.USER32(00000011), ref: 002C7463
Part of subcall function 002C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002C7471
Part of subcall function 002C73E8: SelectObject.GDI32(?,00000000), ref: 002C7482
Part of subcall function 002C73E8: SetBkColor.GDI32(?,00000000), ref: 002C748B
Part of subcall function 002C73E8: SelectObject.GDI32(?,?), ref: 002C7498
Part of subcall function 002C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002C74B7
Part of subcall function 002C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002C74CE
Part of subcall function 002C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002C74DB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5bc7942984bfa8d6e9fd5dc9366b16b2f38f717ac45ad1931f58bf1bfd46b9bc
Instruction ID: a5a94c703aea2b5d8a11b69824a2fe5a64f59736541986936e984130bee1f327
Opcode Fuzzy Hash: 5bc7942984bfa8d6e9fd5dc9366b16b2f38f717ac45ad1931f58bf1bfd46b9bc
Instruction Fuzzy Hash: 22A19072418302AFD7019F60EC4CE5B7BA9FB89320F240B19F96AA61E1D771E954CF52

Function 00248D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00248E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00286AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00286AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00286F43

Part of subcall function 00248F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00248BE8,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248FC5

SendMessageW.USER32(?,00001053), ref: 00286F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00286F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00286FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00286FB7

Strings

0, xrefs: 00286DCF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 78a37be903bb22ee1c7cb8ef53c1ff4cd133a87a37c87f268080680026f063d6
Instruction ID: 1b33837a285a0a02870528aadcf8629cea8595eb8e2790c366c6723fc8461fa2
Opcode Fuzzy Hash: 78a37be903bb22ee1c7cb8ef53c1ff4cd133a87a37c87f268080680026f063d6
Instruction Fuzzy Hash: 1112C038622202DFD72AEF14D858FAAB7E5FB44300F144469F5899B6A1CB31EC61CF91

Function 002B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 002B2900
GetClientRect.USER32(00000000,?), ref: 002B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002B2964
GetStockObject.GDI32(00000011), ref: 002B2974
SelectObject.GDI32(00000000,00000000), ref: 002B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002B2991
DeleteDC.GDI32(00000000), ref: 002B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 002B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 002B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002B2A77
GetStockObject.GDI32(00000011), ref: 002B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002B2A97

Strings

static, xrefs: 002B294F, 002B2A71
msctls_progress32, xrefs: 002B2A13
DISPLAY, xrefs: 002B295A
AutoIt v3, xrefs: 002B28F8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 797e68ffd3f81bce2da8caf4333b0d708827deb1c250e29d45fbf662290e6e44
Instruction ID: 141e4be3ea8d79c5db74d6639eb411d4855cd3a241fbaa90decf147b22c54582
Opcode Fuzzy Hash: 797e68ffd3f81bce2da8caf4333b0d708827deb1c250e29d45fbf662290e6e44
Instruction Fuzzy Hash: 32B16DB6A10205AFEB14DF68DC49FAFBBA9EB48710F104155FA14E7290D770AD50CFA4

Function 002A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A4AED
GetDriveTypeW.KERNEL32(?,002CCB68,?,\\.\,002CCC08), ref: 002A4BCA
SetErrorMode.KERNEL32(00000000,002CCB68,?,\\.\,002CCC08), ref: 002A4D36

Strings

\\.\, xrefs: 002A4B3F
SATA, xrefs: 002A4CD0
ATA, xrefs: 002A4C98
PhysicalDrive, xrefs: 002A4B76
SSA, xrefs: 002A4CA6
Fibre, xrefs: 002A4CAD
FileBackedVirtual, xrefs: 002A4CEC
ATAPI, xrefs: 002A4C91
Fixed, xrefs: 002A4C09
SCSI, xrefs: 002A4C8A
USB, xrefs: 002A4CB4
Virtual, xrefs: 002A4CE5
CDROM, xrefs: 002A4BFB
Removable, xrefs: 002A4C10, 002A4C15
RAMDisk, xrefs: 002A4BF4
MMC, xrefs: 002A4CDE
1394, xrefs: 002A4C9F
SSD, xrefs: 002A4C4A
Network, xrefs: 002A4C02
RAID, xrefs: 002A4CBB
iSCSI, xrefs: 002A4CC2
SAS, xrefs: 002A4CC9
Unknown, xrefs: 002A4BED, 002A4C83

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3b0d52180abe2e62112d48bf2b92b560c1d98dffd8d17802084c33ae670c2e7b
Instruction ID: 136ac9044b03e446612921d5d9ee87159a1fcb121f62bc2bb6bb971efc45408b
Opcode Fuzzy Hash: 3b0d52180abe2e62112d48bf2b92b560c1d98dffd8d17802084c33ae670c2e7b
Instruction Fuzzy Hash: 3261E33063120A9BCB04EF24C985978B7B2EB87394B244527F90AAB651CFF1DD71DB51

Function 002C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002C7421
SetTextColor.GDI32(?,?), ref: 002C7425
GetSysColorBrush.USER32(0000000F), ref: 002C743B
GetSysColor.USER32(0000000F), ref: 002C7446
CreateSolidBrush.GDI32(?), ref: 002C744B
GetSysColor.USER32(00000011), ref: 002C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002C7471
SelectObject.GDI32(?,00000000), ref: 002C7482
SetBkColor.GDI32(?,00000000), ref: 002C748B
SelectObject.GDI32(?,?), ref: 002C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 002C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 002C7572
DrawFocusRect.USER32(?,?), ref: 002C757D
GetSysColor.USER32(00000011), ref: 002C758E
SetTextColor.GDI32(?,00000000), ref: 002C7596
DrawTextW.USER32(?,002C70F5,000000FF,?,00000000), ref: 002C75A8
SelectObject.GDI32(?,?), ref: 002C75BF
DeleteObject.GDI32(?), ref: 002C75CA
SelectObject.GDI32(?,?), ref: 002C75D0
DeleteObject.GDI32(?), ref: 002C75D5
SetTextColor.GDI32(?,?), ref: 002C75DB
SetBkColor.GDI32(?,?), ref: 002C75E5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f1291e825374801f5fa5623ae1fc57e28d90b12fd3da7443287fb79724212519
Instruction ID: 53c5edcc01ce933cd04161d5799cef2a5f338ceea69d18ce9014273431050c03
Opcode Fuzzy Hash: f1291e825374801f5fa5623ae1fc57e28d90b12fd3da7443287fb79724212519
Instruction Fuzzy Hash: EC617F72900219AFDF159FA4EC49EEE7FB9EB08360F244215F919BB2A1D7709950CF90

Function 002C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002C1128
GetDesktopWindow.USER32 ref: 002C113D
GetWindowRect.USER32(00000000), ref: 002C1144
GetWindowLongW.USER32(?,000000F0), ref: 002C1199
DestroyWindow.USER32(?), ref: 002C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002C1245
IsWindowVisible.USER32(00000000), ref: 002C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002C12D0
GetWindowRect.USER32(00000000,?), ref: 002C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002C130E
GetMonitorInfoW.USER32(00000000,?), ref: 002C1328
CopyRect.USER32(?,?), ref: 002C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002C13AA

Strings

(, xrefs: 002C131B
0, xrefs: 002C10D3
tooltips_class32, xrefs: 002C11E6

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 38f07bd15ae109cd8e07e95f2059b2f10c0490d98f9911bc4785fea04211d727
Instruction ID: c49b0ebcc330e1300fc119e4f739d0af3539cd26b6fb02eebcc1855521686f99
Opcode Fuzzy Hash: 38f07bd15ae109cd8e07e95f2059b2f10c0490d98f9911bc4785fea04211d727
Instruction Fuzzy Hash: 31B18971614341AFD704DF64C889F6ABBE4FF85344F108A1CF9999B2A2C771E864CB92

Function 002C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002C02E5
_wcslen.LIBCMT ref: 002C031F
_wcslen.LIBCMT ref: 002C0389
_wcslen.LIBCMT ref: 002C03F1
_wcslen.LIBCMT ref: 002C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002C0504

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

Part of subcall function 0029223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00292258
Part of subcall function 0029223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0029228A

Strings

GETITEMCOUNT, xrefs: 002C0316, 002C0337
GETSUBITEMCOUNT, xrefs: 002C0384, 002C039F
DESELECT, xrefs: 002C059C
SELECTCLEAR, xrefs: 002C052D
VIEWCHANGE, xrefs: 002C0675
GETSELECTED, xrefs: 002C05E1
SELECT, xrefs: 002C0548
FINDITEM, xrefs: 002C0627
ISSELECTED, xrefs: 002C04DD
SELECTINVERT, xrefs: 002C057E
SELECTALL, xrefs: 002C0515
GETSELECTEDCOUNT, xrefs: 002C0470, 002C048B
GETTEXT, xrefs: 002C03EC, 002C0407

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f590c71d936a0fa4dabfd4162e8c1152ea6130afb60d6742a25520ac48650edc
Instruction ID: 7613522eeb351558a5588966715a1db671b50c33b4116129720165c382275a67
Opcode Fuzzy Hash: f590c71d936a0fa4dabfd4162e8c1152ea6130afb60d6742a25520ac48650edc
Instruction Fuzzy Hash: 10E1AF71228241CBCB28DF24C590E2AB3E5BFC8754F64466DF8969B2A1DB30ED65CB41

Function 00248891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00248968
GetSystemMetrics.USER32(00000007), ref: 00248970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0024899B
GetSystemMetrics.USER32(00000008), ref: 002489A3
GetSystemMetrics.USER32(00000004), ref: 002489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00248A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00248A3C
GetClientRect.USER32(00000000,000000FF), ref: 00248A5A
GetStockObject.GDI32(00000011), ref: 00248A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00248A81

Part of subcall function 0024912D: GetCursorPos.USER32(?), ref: 00249141
Part of subcall function 0024912D: ScreenToClient.USER32(00000000,?), ref: 0024915E
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000001), ref: 00249183
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000002), ref: 0024919D

SetTimer.USER32(00000000,00000000,00000028,002490FC), ref: 00248AA8

Strings

AutoIt v3 GUI, xrefs: 00248A20

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 955b24657823a0a7feb648f5bc64318bc16e02ae2f56c7b20f82e25d28fd08cb
Instruction ID: 5700cbf9ce28c771d8865edf0f6034310003fe319fc068b758d3950889e189c9
Opcode Fuzzy Hash: 955b24657823a0a7feb648f5bc64318bc16e02ae2f56c7b20f82e25d28fd08cb
Instruction Fuzzy Hash: C7B18C35A2120A9FDB14DFA8DC59FAE7BB5FB48314F104229FA19A72D0DB70A950CF50

Function 00290D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
Part of subcall function 002910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
Part of subcall function 002910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
Part of subcall function 002910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00290DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00290E29
GetLengthSid.ADVAPI32(?), ref: 00290E40
GetAce.ADVAPI32(?,00000000,?), ref: 00290E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00290E96
GetLengthSid.ADVAPI32(?), ref: 00290EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00290EB5
HeapAlloc.KERNEL32(00000000), ref: 00290EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00290EDD
CopySid.ADVAPI32(00000000), ref: 00290EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00290F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00290F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00290F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F6E
HeapFree.KERNEL32(00000000), ref: 00290F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F7E
HeapFree.KERNEL32(00000000), ref: 00290F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F8E
HeapFree.KERNEL32(00000000), ref: 00290F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00290FA1
HeapFree.KERNEL32(00000000), ref: 00290FA8

Part of subcall function 00291193: GetProcessHeap.KERNEL32(00000008,00290BB1,?,00000000,?,00290BB1,?), ref: 002911A1
Part of subcall function 00291193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00290BB1,?), ref: 002911A8
Part of subcall function 00291193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00290BB1,?), ref: 002911B7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ef6eae62965710ae4da794b85272e83d921e7d1b21df22bbbb70f9ee57ed535a
Instruction ID: 06a3515a39f305e22d6e8eebcaa338144477519c51613ad29a6bdec625c52883
Opcode Fuzzy Hash: ef6eae62965710ae4da794b85272e83d921e7d1b21df22bbbb70f9ee57ed535a
Instruction Fuzzy Hash: E3714A7291020AAFDF20DFA5EC88FAEBBB8FF05310F144125F959A6191DB719A15CB60

Function 002BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002CCC08,00000000,?,00000000,?,?), ref: 002BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 002BC5A4
_wcslen.LIBCMT ref: 002BC5F4
_wcslen.LIBCMT ref: 002BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 002BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 002BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 002BC84D
RegCloseKey.ADVAPI32(?), ref: 002BC881
RegCloseKey.ADVAPI32(00000000), ref: 002BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 002BC960

Strings

REG_QWORD, xrefs: 002BC8C3
REG_BINARY, xrefs: 002BC913
REG_DWORD, xrefs: 002BC804
REG_MULTI_SZ, xrefs: 002BC6F5
REG_SZ, xrefs: 002BC644
REG_EXPAND_SZ, xrefs: 002BC5CD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 463528b7dc4c09c390fcce96aaf7bc0d61a06f0302b8c70a726a8981e531e7b3
Instruction ID: ec7d9475542d6be33f499cf9eb06c06c5f1d3993dd7d0213a7d5d14d4d31172e
Opcode Fuzzy Hash: 463528b7dc4c09c390fcce96aaf7bc0d61a06f0302b8c70a726a8981e531e7b3
Instruction Fuzzy Hash: 81128A756242019FCB24DF14C881E6AB7E5EF88754F14885DF88A9B3A2DB31ED51CF81

Function 002C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002C09C6
_wcslen.LIBCMT ref: 002C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002C0A54
_wcslen.LIBCMT ref: 002C0A8A
_wcslen.LIBCMT ref: 002C0B06
_wcslen.LIBCMT ref: 002C0B81

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

Part of subcall function 00292BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00292BFA

Strings

GETTOTALCOUNT, xrefs: 002C09F2, 002C0A17
GETITEMCOUNT, xrefs: 002C0C1E
EXISTS, xrefs: 002C0B7C, 002C0B97
GETSELECTED, xrefs: 002C0C4E
COLLAPSE, xrefs: 002C0B01, 002C0B1C
SELECT, xrefs: 002C0D11
EXPAND, xrefs: 002C0BF8
UNCHECK, xrefs: 002C0D3E
ISCHECKED, xrefs: 002C0CE1
CHECK, xrefs: 002C0A85, 002C0AA0
GETTEXT, xrefs: 002C0C97

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5269fbc026f226bef5955d834b7b9205bd37039d60e941bbd1024081c4f91806
Instruction ID: 5b50a970c9f9d42b46f51aa9d1d5eacc5fc483a5e4e35ad1237d5fb0ddcf2549
Opcode Fuzzy Hash: 5269fbc026f226bef5955d834b7b9205bd37039d60e941bbd1024081c4f91806
Instruction Fuzzy Hash: 37E19971228302DFCB14DF24C490A2AB7E1FF98358F118A5DF8969B262D731ED65CB81

Function 002BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
_wcslen.LIBCMT ref: 002BC9F1
_wcslen.LIBCMT ref: 002BCA68
_wcslen.LIBCMT ref: 002BCA9E
_wcslen.LIBCMT ref: 002BCAF9
_wcslen.LIBCMT ref: 002BCB2F
_wcslen.LIBCMT ref: 002BCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 002BCA62, 002BCA67
HKCR, xrefs: 002BCB29, 002BCB2E
HKEY_CLASSES_ROOT, xrefs: 002BCAF3, 002BCAF8
HKU, xrefs: 002BCBF0
HKEY_USERS, xrefs: 002BCBDF
HKCU, xrefs: 002BCBCE
HKEY_CURRENT_CONFIG, xrefs: 002BCB79, 002BCB7E
HKCC, xrefs: 002BCBAC
HKEY_CURRENT_USER, xrefs: 002BCBBD
HKLM, xrefs: 002BCA98, 002BCA9D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7011ad0fc3c6ee550da5aa1a743fbba7ea442645172fef750e460a030449827a
Instruction ID: caf177b2bb26b207517d153a122379c67e480b51f3eed4308882443865239df5
Opcode Fuzzy Hash: 7011ad0fc3c6ee550da5aa1a743fbba7ea442645172fef750e460a030449827a
Instruction Fuzzy Hash: E971F43263016B8BCB20DE6CCD515FE7795ABA07D4F310129FC969B285E670CDB487A0

Function 002C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002C835A
_wcslen.LIBCMT ref: 002C836E
_wcslen.LIBCMT ref: 002C8391
_wcslen.LIBCMT ref: 002C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002C5BF2), ref: 002C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002C8501
FreeLibrary.KERNEL32(?), ref: 002C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002C851D
DestroyIcon.USER32(?,?,?,?,?,002C5BF2), ref: 002C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002C8555

Strings

.exe, xrefs: 002C8388
.icl, xrefs: 002C8368
.dll, xrefs: 002C83AB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b06b0deba78b0ac13ab818652d1ffb69ace0bb1333b7c17f2c9d4401160fd3dd
Instruction ID: d371c833ba6f75a81a75a379c988fbc3f481252c57deacc18e16493927faa00c
Opcode Fuzzy Hash: b06b0deba78b0ac13ab818652d1ffb69ace0bb1333b7c17f2c9d4401160fd3dd
Instruction Fuzzy Hash: 65610471560216BEEB28DF64DC45FBE77A8FF04751F20820AF815D60D0DBB4A9A0CBA0

Function 00237778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 002377FF
#include, xrefs: 00237847
#comments-end, xrefs: 002378D9
#comments-start, xrefs: 0023785F, 002378B1
Cannot parse #include, xrefs: 00275279
#OnAutoItStartRegister, xrefs: 00237817
#pragma compile, xrefs: 002377D3
", xrefs: 00275153
Bad directive syntax error, xrefs: 0027519A
#cs, xrefs: 00237873, 002378C5
Unterminated group of comments, xrefs: 0027528C
', xrefs: 00275169
#notrayicon, xrefs: 002377E7
#ce, xrefs: 002378ED
#include-once, xrefs: 0023782F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 33ff5ca96f544418eddb98547d25b19e79cc4fc9e043fb618949c549239627ca
Instruction ID: fce2843d08e52dd2f45ce79519a77e92e9f88b6db9022bd44f104f8ecf7da53b
Opcode Fuzzy Hash: 33ff5ca96f544418eddb98547d25b19e79cc4fc9e043fb618949c549239627ca
Instruction Fuzzy Hash: 7481EAF1634615BBDF20AF60CD42FAEB7A8AF55300F044025FD09AA192EBB0D975CB91

Function 002A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002A3EF8
_wcslen.LIBCMT ref: 002A3F03
_wcslen.LIBCMT ref: 002A3F5A
_wcslen.LIBCMT ref: 002A3F98
GetDriveTypeW.KERNEL32(?), ref: 002A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A4087

Strings

type cdaudio alias cd wait, xrefs: 002A4001
open, xrefs: 002A3F54, 002A3F59
open , xrefs: 002A3FE5
closed, xrefs: 002A3F08, 002A3F2D, 002A3F46, 002A3F7E, 002A3F97
close cd wait, xrefs: 002A4072
set cd door , xrefs: 002A4028
wait, xrefs: 002A4044
close, xrefs: 002A3EFE, 002A3F18

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: edfa099b66f42c22950964b6f3654fa0e070e2a6c043013851acd860224ceb3b
Instruction ID: 7cf8d6f230f0829ee5fde1e66ef71a89b818aef0aa6b4536ae13066320e060e3
Opcode Fuzzy Hash: edfa099b66f42c22950964b6f3654fa0e070e2a6c043013851acd860224ceb3b
Instruction Fuzzy Hash: DD71F1726242029FC710EF24C88586AF7F4EF96758F10492DF995D3251EB30DE69CB91

Function 00295A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00295A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00295A40
SetWindowTextW.USER32(?,?), ref: 00295A57
GetDlgItem.USER32(?,000003EA), ref: 00295A6C
SetWindowTextW.USER32(00000000,?), ref: 00295A72
GetDlgItem.USER32(?,000003E9), ref: 00295A82
SetWindowTextW.USER32(00000000,?), ref: 00295A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00295AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00295AC3
GetWindowRect.USER32(?,?), ref: 00295ACC
_wcslen.LIBCMT ref: 00295B33
SetWindowTextW.USER32(?,?), ref: 00295B6F
GetDesktopWindow.USER32 ref: 00295B75
GetWindowRect.USER32(00000000), ref: 00295B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00295BD3
GetClientRect.USER32(?,?), ref: 00295BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00295C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00295C2F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dceb74d20489f4e6342de30132f8fede5cc02a5d458be5a8e3571b55ce48facf
Instruction ID: e84903292e30e15231e5af6917c46bfc7412dc14261ef7e89f3d8c298dc2b040
Opcode Fuzzy Hash: dceb74d20489f4e6342de30132f8fede5cc02a5d458be5a8e3571b55ce48facf
Instruction Fuzzy Hash: 1B719F31A10B16AFDF21DFA8CE89E6EBBF5FF48704F200518E586A25A4D770E954CB50

Function 002AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 002AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 002AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 002AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 002AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 002AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 002AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 002AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 002AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 002AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 002AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 002AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 002AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 002AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 002AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 002AFECC
GetCursorInfo.USER32(?), ref: 002AFEDC
GetLastError.KERNEL32 ref: 002AFF1E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 662e4d36a9df3f864402fac4a20ad399c829594f179cf55bfd756f10ec77d3f4
Instruction ID: a1c2ee4f0ec43189f69ed32dbfedbc8c25b51fcafd09f672e4dedbf11a964c5d
Opcode Fuzzy Hash: 662e4d36a9df3f864402fac4a20ad399c829594f179cf55bfd756f10ec77d3f4
Instruction Fuzzy Hash: 524161B0D0431A6FDB509FBA8C89C5EBFE8FF05354B50452AE11DE7681DB78A9018F90

Function 002930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029318D
_wcslen.LIBCMT ref: 002931F8

Strings

CLASS, xrefs: 00293188, 002931A5
[/, xrefs: 0029339A
NAME, xrefs: 00293335, 00293346
CLASSNN, xrefs: 002931F3, 00293204
TEXT, xrefs: 0029347C
REGEXPCLASS, xrefs: 00293255, 00293266
INSTANCE, xrefs: 00293453

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[/
API String ID: 176396367-1273981479
Opcode ID: 444bb4b80cf38a005ac2374709f29fce7703251f3c7a92361afc363d397f06cf
Instruction ID: 7ffa46d3d712460db2c97b3392d9e1512b46a4abcc2bb8316b9ec6f64affbd6f
Opcode Fuzzy Hash: 444bb4b80cf38a005ac2374709f29fce7703251f3c7a92361afc363d397f06cf
Instruction Fuzzy Hash: 88E1F532A20516ABCF18DFA8C4517FDFBB0BF48750F558129E956F7240DB30AEA58B90

Function 002500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002500C6

Part of subcall function 002500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0030070C,00000FA0,3E41A55A,?,?,?,?,002723B3,000000FF), ref: 0025011C
Part of subcall function 002500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002723B3,000000FF), ref: 00250127
Part of subcall function 002500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002723B3,000000FF), ref: 00250138
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0025014E
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0025015C
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0025016A
Part of subcall function 002500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00250195
Part of subcall function 002500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002501A0

___scrt_fastfail.LIBCMT ref: 002500E7

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00250122
SleepConditionVariableCS, xrefs: 00250154
kernel32.dll, xrefs: 00250133
InitializeConditionVariable, xrefs: 00250148
WakeAllConditionVariable, xrefs: 00250162

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 51ff75abc6bf84cc7ce54100865d9401f1485ae517cf6a6d7ab6250e67768af6
Instruction ID: 1f3c7fc9b6a3140086eda6b96d12b24f5e706b20c70128ed48fd8e72d04d5bbe
Opcode Fuzzy Hash: 51ff75abc6bf84cc7ce54100865d9401f1485ae517cf6a6d7ab6250e67768af6
Instruction Fuzzy Hash: 08219B326607016FE7151F64BD49F6A3394DB45F62F10423AFC09932D1DFB48C108AA9

Function 002A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002CCC08), ref: 002A4527
_wcslen.LIBCMT ref: 002A453B
_wcslen.LIBCMT ref: 002A4599
_wcslen.LIBCMT ref: 002A45F4
_wcslen.LIBCMT ref: 002A463F
_wcslen.LIBCMT ref: 002A46A7

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

GetDriveTypeW.KERNEL32(?,002F6BF0,00000061), ref: 002A4743

Strings

network, xrefs: 002A469D, 002A46A2
ramdisk, xrefs: 002A46F1
fixed, xrefs: 002A4635, 002A463A
all, xrefs: 002A4531, 002A4536
cdrom, xrefs: 002A458F, 002A4594
unknown, xrefs: 002A4708
removable, xrefs: 002A45EA, 002A45EF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3a436b8b0efef88a2f45d63426f051a7f37fcf5fdbc96ee9c6957479f967221f
Instruction ID: 70ef77497134d17748a5402233bee379ec4ac2522fcfb2e5fb2916ef45164ef0
Opcode Fuzzy Hash: 3a436b8b0efef88a2f45d63426f051a7f37fcf5fdbc96ee9c6957479f967221f
Instruction Fuzzy Hash: 7CB103716283029FC710EF28C890A7AF7E5AFE6B64F50491DF496C7291DBB0D864CB52

Function 002C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DragQueryPoint.SHELL32(?,?), ref: 002C9147

Part of subcall function 002C7674: ClientToScreen.USER32(?,?), ref: 002C769A
Part of subcall function 002C7674: GetWindowRect.USER32(?,?), ref: 002C7710
Part of subcall function 002C7674: PtInRect.USER32(?,?,002C8B89), ref: 002C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002C9277
DragFinish.SHELL32(?), ref: 002C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002C9371

Strings

@GUI_DROPID, xrefs: 002C929E
@GUI_DRAGFILE, xrefs: 002C9320
@GUI_DRAGID, xrefs: 002C92E9
p#0, xrefs: 002C92BB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#0
API String ID: 221274066-1452285169
Opcode ID: 33d790ae7d3dbecb59cd785def2813c6fd8a4424b87d8283901b0b9a487f6d5b
Instruction ID: 35a661b1ec556834d9b4563d36d32f18fb474781e89bec0cbafab4f3392991ab
Opcode Fuzzy Hash: 33d790ae7d3dbecb59cd785def2813c6fd8a4424b87d8283901b0b9a487f6d5b
Instruction Fuzzy Hash: 5B616971118301AFC705DF64DC89EAFBBE8EF89750F100A2EF595921A0DB709A59CF92

Function 0023326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00301990), ref: 00272F8D
GetMenuItemCount.USER32(00301990), ref: 0027303D
GetCursorPos.USER32(?), ref: 00273081
SetForegroundWindow.USER32(00000000), ref: 0027308A
TrackPopupMenuEx.USER32(00301990,00000000,?,00000000,00000000,00000000), ref: 0027309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002730A9

Strings

0, xrefs: 0023327D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 3b69ab85449af2cd2d3306cdd85e8f1831502a3da572ffd61434b70a9fc0c81d
Instruction ID: 850839877dac1fb62dd5210602c30aa7517851a3170af59b73071326a0c8a59e
Opcode Fuzzy Hash: 3b69ab85449af2cd2d3306cdd85e8f1831502a3da572ffd61434b70a9fc0c81d
Instruction Fuzzy Hash: 4971E671664216BFEB218F24DC49F9ABF68FF05364F208216F918661E0C7B1AD24DB91

Function 002C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002C6DEB

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C6E94
DestroyWindow.USER32(?), ref: 002C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00230000,00000000), ref: 002C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C6EFD
GetDesktopWindow.USER32 ref: 002C6F16
GetWindowRect.USER32(00000000), ref: 002C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002C6F4D

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

Strings

tooltips_class32, xrefs: 002C6E58, 002C6EDD
0, xrefs: 002C6D98

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6defb820df0194f712dc92500cc5f9abd72f83e3d7a6575790ab66fc0b95cd2b
Instruction ID: 2c97fedb13b3d506962362a654b71bbb8a436eed46a53897818fdcf1e3a9aaff
Opcode Fuzzy Hash: 6defb820df0194f712dc92500cc5f9abd72f83e3d7a6575790ab66fc0b95cd2b
Instruction Fuzzy Hash: 7F717770114245AFDB25CF18EC58FAABBE9FF89304F14061EF98A87261C770A916DF11

Function 002AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002AC5F0
InternetCloseHandle.WININET(00000000), ref: 002AC5FB

Strings

, xrefs: 002AC575

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 21ef5072f622205d837c594d739eda55e1a11d37a0ccb3c4b2724727cf53e6f3
Instruction ID: a6662ad80f1e79c1211f7babc89ea1fe5a54cd9bc7f8e8942c753ff7b8907a3a
Opcode Fuzzy Hash: 21ef5072f622205d837c594d739eda55e1a11d37a0ccb3c4b2724727cf53e6f3
Instruction Fuzzy Hash: 2D515CB0510205BFDB218F60D948EABBBFCFF09754F60441AF949A6610DB30E958DB60

Function 002C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 002C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85BA
GlobalLock.KERNEL32(00000000), ref: 002C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85D7
GlobalUnlock.KERNEL32(00000000), ref: 002C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002CFC38,?), ref: 002C8611
GlobalFree.KERNEL32(00000000), ref: 002C8621
GetObjectW.GDI32(?,00000018,?), ref: 002C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002C8671
DeleteObject.GDI32(?), ref: 002C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002C86AF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b9c07bede808b6318c77bf21740e68c69b340dcfa694955e84954effebdc93c
Instruction ID: 24e3fc757ab4600981032656220058ebdd92e2d55a649180e87bbde5cf581d45
Opcode Fuzzy Hash: 7b9c07bede808b6318c77bf21740e68c69b340dcfa694955e84954effebdc93c
Instruction Fuzzy Hash: 2D411975600205AFDB119FA5DC4CEAA7BBCFF89751F248158F909E7260DB709901CB60

Function 002A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 002A1502
VariantCopy.OLEAUT32(?,?), ref: 002A150B
VariantClear.OLEAUT32(?), ref: 002A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 002A1657
VariantInit.OLEAUT32(?), ref: 002A1708
SysFreeString.OLEAUT32(?), ref: 002A178C
VariantClear.OLEAUT32(?), ref: 002A17D8
VariantClear.OLEAUT32(?), ref: 002A17E7
VariantInit.OLEAUT32(00000000), ref: 002A1823

Strings

Default, xrefs: 002A16AF
%4d%02d%02d%02d%02d%02d, xrefs: 002A1625

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8d5bf9d88fc3a2bf87ea1678034ec0f1f862755747bcfb9dacddc77d406a0d01
Instruction ID: 23378b7dfaf1d536c1e87d1b12a3a32970804cc94462914454db89b4c7a18105
Opcode Fuzzy Hash: 8d5bf9d88fc3a2bf87ea1678034ec0f1f862755747bcfb9dacddc77d406a0d01
Instruction Fuzzy Hash: D5D11072E20505DBDB149FA4E898B79B7B5BF46720F60809AE446AB180DFB0DC70DF61

Function 002BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 002BB80A
RegCloseKey.ADVAPI32(?), ref: 002BB87E
RegCloseKey.ADVAPI32(?), ref: 002BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 002BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 002BB922
FreeLibrary.KERNEL32(00000000), ref: 002BB983
RegCloseKey.ADVAPI32(00000000), ref: 002BB994

Strings

advapi32.dll, xrefs: 002BB8ED
RegDeleteKeyExW, xrefs: 002BB8FE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: e871f042f62610b816a5967516efc2575280191dffe073b83644d89cf997b9b2
Instruction ID: fe5a846943d7e4c7682397ed722efff803f40e9ef3eda1decf124dbbd208e3af
Opcode Fuzzy Hash: e871f042f62610b816a5967516efc2575280191dffe073b83644d89cf997b9b2
Instruction Fuzzy Hash: B3C1BD71228202AFC711DF14C494F6ABBE5FF84348F24849CE49A4B2A2CBB1EC55CF81

Function 002B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002B25E8
CreateCompatibleDC.GDI32(?), ref: 002B25F4
SelectObject.GDI32(00000000,?), ref: 002B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 002B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002B26D0
SelectObject.GDI32(?,?), ref: 002B26D8
DeleteObject.GDI32(?), ref: 002B26E1
DeleteDC.GDI32(?), ref: 002B26E8
ReleaseDC.USER32(00000000,?), ref: 002B26F3

Strings

(, xrefs: 002B268D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ba6502fe8582a3272d77736affec80c757ed19fe4d47897dfb97c5747c06f002
Instruction ID: 206308fa495ce0ec1441a10ee46cc9a8194a04158cc0d2246a0a3d4dafaaf7e3
Opcode Fuzzy Hash: ba6502fe8582a3272d77736affec80c757ed19fe4d47897dfb97c5747c06f002
Instruction Fuzzy Hash: D761E275D10219EFCF04CFA8D988EAEBBB9FF48310F248529E959A7250D770A951CF50

Function 0026DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0026DAA1

Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D659
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D66B
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D67D
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D68F
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6A1
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6B3
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6C5
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6D7
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6E9
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6FB
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D70D
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D71F
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D731

_free.LIBCMT ref: 0026DA96

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026DAB8
_free.LIBCMT ref: 0026DACD
_free.LIBCMT ref: 0026DAD8
_free.LIBCMT ref: 0026DAFA
_free.LIBCMT ref: 0026DB0D
_free.LIBCMT ref: 0026DB1B
_free.LIBCMT ref: 0026DB26
_free.LIBCMT ref: 0026DB5E
_free.LIBCMT ref: 0026DB65
_free.LIBCMT ref: 0026DB82
_free.LIBCMT ref: 0026DB9A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 41583325887bec42fed12d8aa03b611cbb8a787058883841d098989541164af7
Instruction ID: dab9ddcbb0365426e1c6e7a62019a9d1cd057e3678aa84a7761081893544d06f
Opcode Fuzzy Hash: 41583325887bec42fed12d8aa03b611cbb8a787058883841d098989541164af7
Instruction Fuzzy Hash: 54317C31B2460ADFEB25AE78E841B5AB7E9FF40350F255429E049D7191DE30ACE48B20

Function 0029365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0029369C
_wcslen.LIBCMT ref: 002936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00293797
GetClassNameW.USER32(?,?,00000400), ref: 0029380C
GetDlgCtrlID.USER32(?), ref: 0029385D
GetWindowRect.USER32(?,?), ref: 00293882
GetParent.USER32(?), ref: 002938A0
ScreenToClient.USER32(00000000), ref: 002938A7
GetClassNameW.USER32(?,?,00000100), ref: 00293921
GetWindowTextW.USER32(?,?,00000400), ref: 0029395D

Strings

%s%u, xrefs: 00293734

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3cbb9a2de396990a363e4d0271350b7b8a61af5f9c321ca4ae82f8619c46d5f0
Instruction ID: 49c9264937d9770ad43ad72cb29f1e92fd85a316837b45a3fa2ff911dc52189b
Opcode Fuzzy Hash: 3cbb9a2de396990a363e4d0271350b7b8a61af5f9c321ca4ae82f8619c46d5f0
Instruction Fuzzy Hash: BC91D271224607AFEB19DF64C885FEAF7A8FF44350F108529F999C2190DB30EA65CB91

Function 00294954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00294994
GetWindowTextW.USER32(?,?,00000400), ref: 002949DA
_wcslen.LIBCMT ref: 002949EB
CharUpperBuffW.USER32(?,00000000), ref: 002949F7
_wcsstr.LIBVCRUNTIME ref: 00294A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00294A64
GetWindowTextW.USER32(?,?,00000400), ref: 00294A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00294AE6
GetClassNameW.USER32(?,?,00000400), ref: 00294B20
GetWindowRect.USER32(?,?), ref: 00294B8B

Strings

ThumbnailClass, xrefs: 00294A6F, 00294AF1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 36470950aaca73089e6ddb601e80bbd2596e598def3cbfe7d93937d87bbf6012
Instruction ID: 2ed35d11f3b760b255da59b96e3746eccff5a1b3b9997d9580df20836ff4843f
Opcode Fuzzy Hash: 36470950aaca73089e6ddb601e80bbd2596e598def3cbfe7d93937d87bbf6012
Instruction Fuzzy Hash: 4D91F1310282069FDF04EF14C994FAA77E8FF84318F04446AFD859A195DB30ED66CBA1

Function 002C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002C8D5A
GetFocus.USER32 ref: 002C8D6A
GetDlgCtrlID.USER32(00000000), ref: 002C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 002C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002C8ECF
GetMenuItemCount.USER32(?), ref: 002C8EEC
GetMenuItemID.USER32(?,00000000), ref: 002C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002C8FA1

Strings

0, xrefs: 002C8E9F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ccb9c1757c752114e388ae9eb76f37eb3ee6ebb7157d90c0f8466d46d29c4706
Instruction ID: 0eb2d55f034b5ab2616ceb7a176b02287f7662b74581cc240ba5f7d107929101
Opcode Fuzzy Hash: ccb9c1757c752114e388ae9eb76f37eb3ee6ebb7157d90c0f8466d46d29c4706
Instruction Fuzzy Hash: B081BF715283029FD710CF24D884FABBBE9FB89354F144A1DF98597291DB70D921CBA2

Function 0029DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0029DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0029DC46
_wcslen.LIBCMT ref: 0029DC50
_wcsstr.LIBVCRUNTIME ref: 0029DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0029DCBC

Strings

\VarFileInfo\Translation, xrefs: 0029DCB4
%u.%u.%u.%u, xrefs: 0029DD9A
DefaultLangCodepage, xrefs: 0029DD1F
04090000, xrefs: 0029DCF2
StringFileInfo\, xrefs: 0029DC8F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 652883787a64725b3d3fa730387c62efb5a7c57b610534927fd74d956d580d14
Instruction ID: 944eb6012f638d0e39f90690a4f43157c2c5b0eac61254a5f9cf8e755476814e
Opcode Fuzzy Hash: 652883787a64725b3d3fa730387c62efb5a7c57b610534927fd74d956d580d14
Instruction Fuzzy Hash: 1B412432A602057ADB18BB749C07EBF776CEF46751F100069FD04E6182EB7499359BB8

Function 002BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 002BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002BCD48

Part of subcall function 002BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 002BCCAA
Part of subcall function 002BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 002BCCBD
Part of subcall function 002BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002BCCCF
Part of subcall function 002BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002BCD05
Part of subcall function 002BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 002BCCF3

Strings

advapi32.dll, xrefs: 002BCCB8
RegDeleteKeyExW, xrefs: 002BCCC9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 71f7f64bb07977067d97ff5fc6be702548a0a261615be34f7a85b8b651d6a237
Instruction ID: a8cb1ad5bf82d032b5f3b1a767a52ed36a78a0087586069f57c24c374a4f869f
Opcode Fuzzy Hash: 71f7f64bb07977067d97ff5fc6be702548a0a261615be34f7a85b8b651d6a237
Instruction Fuzzy Hash: A3318E7591112ABBDB208F51DC8CEFFBB7CEF55790F240165E909E2240DA709A45EAA0

Function 002A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002A3D40
_wcslen.LIBCMT ref: 002A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 002A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 002A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002A3E55
CloseHandle.KERNEL32(00000000), ref: 002A3E60
CloseHandle.KERNEL32(00000000), ref: 002A3E6B

Strings

\, xrefs: 002A3D77
:, xrefs: 002A3D82
\??\%s, xrefs: 002A3D5B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e9cfc887a3e37ed97a5667330c67c902b92be19359acbd9f4203ec7227d3dd43
Instruction ID: 3b2e63c27e27bce3a338e9627d965ab61aca6fc29d96d2763bf159d4309f296b
Opcode Fuzzy Hash: e9cfc887a3e37ed97a5667330c67c902b92be19359acbd9f4203ec7227d3dd43
Instruction Fuzzy Hash: 5731A17291020AABDB21DFA0DC49FEB37BCEF8A740F2040B5F909D6060EB7497548B24

Function 0029E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0029E6B4

Part of subcall function 0024E551: timeGetTime.WINMM(?,?,0029E6D4), ref: 0024E555

Sleep.KERNEL32(0000000A), ref: 0029E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0029E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0029E727
SetActiveWindow.USER32 ref: 0029E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0029E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0029E773
Sleep.KERNEL32(000000FA), ref: 0029E77E
IsWindow.USER32 ref: 0029E78A
EndDialog.USER32(00000000), ref: 0029E79B

Strings

BUTTON, xrefs: 0029E719

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2b5c7fd6e1c4b0b2b754edd2f05d8bc803327e9b70c2c709569ad9908538cf27
Instruction ID: cf1c0d15b82828f17e53763b336a235f29ee2b1fa30887fa532ce0a76aec1a32
Opcode Fuzzy Hash: 2b5c7fd6e1c4b0b2b754edd2f05d8bc803327e9b70c2c709569ad9908538cf27
Instruction Fuzzy Hash: CE21C3B0210209AFEF029F64FC9DE267B6DF754748F250426F509811A1DBB2AC60CB25

Function 0029E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0029EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0029EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0029EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0029EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0029EAA7

Strings

open , xrefs: 0029EA0C
play PlayMe, xrefs: 0029EAA2
status PlayMe mode, xrefs: 0029EA58
close PlayMe, xrefs: 0029EA6E, 0029EA9B
alias PlayMe, xrefs: 0029EA36
play PlayMe wait, xrefs: 0029EA91

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6018a0178a705808ea5eedba2481fee222f801eeaa313b58cfc070ed9038de72
Instruction ID: 762b86a8a7ca73cd796b8cf45cb870903da3aea45c5bad504687961fd3b94384
Opcode Fuzzy Hash: 6018a0178a705808ea5eedba2481fee222f801eeaa313b58cfc070ed9038de72
Instruction Fuzzy Hash: 7C112471AB025D79DB10E761DD4EDFFAA7CEBD2B40F400439B511A20D1DAB05965CAB0

Function 00295CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00295CE2
GetWindowRect.USER32(00000000,?), ref: 00295CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00295D59
GetDlgItem.USER32(?,00000002), ref: 00295D69
GetWindowRect.USER32(00000000,?), ref: 00295D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00295DCF
GetDlgItem.USER32(?,000003E9), ref: 00295DDD
GetWindowRect.USER32(00000000,?), ref: 00295DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00295E31
GetDlgItem.USER32(?,000003EA), ref: 00295E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00295E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00295E67

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8aa2330f4d49b8aaae09402b73e56fae50dd96561e33f8012e3fcdaece6e874f
Instruction ID: 13a91df3dcda9accfc95273bc6ca1af5ff59cbdfa07b99d6587e3006eb1e7207
Opcode Fuzzy Hash: 8aa2330f4d49b8aaae09402b73e56fae50dd96561e33f8012e3fcdaece6e874f
Instruction Fuzzy Hash: 505120B0B10615AFDF18CF68DD89EAEBBB9FB48310F208129F519E6294D7709D14CB60

Function 00248BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00248F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00248BE8,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248FC5

DestroyWindow.USER32(?), ref: 00248C81
KillTimer.USER32(00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00286973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 002869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 002869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000), ref: 002869D4
DeleteObject.GDI32(00000000), ref: 002869E6

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b4ffa63846e246eeb52a2eb5ac1b4cf926438a3efeb1b3a4e650555cc12a5331
Instruction ID: bda0e6f8b1d3c02fb34f7512c1b31046bb92f84467b6f1f5fe7e99781a86b235
Opcode Fuzzy Hash: b4ffa63846e246eeb52a2eb5ac1b4cf926438a3efeb1b3a4e650555cc12a5331
Instruction Fuzzy Hash: B6618D35533611DFCB2E9F28D99CB29B7F5FB40312F24451AE0469A9A0CB71A9A0CF90

Function 00249838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

GetSysColor.USER32(0000000F), ref: 00249862

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8624e776031a215155f04ba8a371ad05a7d0eb5ac194c5b2286a5c3df38fd974
Instruction ID: 95f8b0825ff36672c21a28deb91208ed6bb394b774dffc83c010a2f6be757d53
Opcode Fuzzy Hash: 8624e776031a215155f04ba8a371ad05a7d0eb5ac194c5b2286a5c3df38fd974
Instruction Fuzzy Hash: ED41E6311156009FDB249F3CAC88FBA3B65EB06331F284615FAA6872E1C771DC92DB10

Function 00268D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.%, xrefs: 0026903A, 00268FD0, 00268FF2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: .%
API String ID: 0-3802303113
Opcode ID: b76b657163f57dc0de6e0beb7665e97d85d4f14b46e24035d8769e2b3b861348
Instruction ID: 188793a9ba884684082f08c2c9974da1129bd98be60815a265eb737c415ccb58
Opcode Fuzzy Hash: b76b657163f57dc0de6e0beb7665e97d85d4f14b46e24035d8769e2b3b861348
Instruction Fuzzy Hash: 52C1F37492428AEFCF11DFA8D841BADBBB8AF09310F144199F815A7392CB7189D1CF61

Function 002996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0027F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00299717
LoadStringW.USER32(00000000,?,0027F7F8,00000001), ref: 00299720

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0027F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00299742
LoadStringW.USER32(00000000,?,0027F7F8,00000001), ref: 00299745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00299866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0029984A
Line %d (File "%s"):, xrefs: 0029978F
^ ERROR, xrefs: 002997FB
Error: , xrefs: 0029981D
Line %d:, xrefs: 002997A0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5cd53a599e33a6c87605a16a3b2455e135909c33e3059dc84d7c3049729d0d9d
Instruction ID: 04023245e0164d2fb6484855113e1441fdae38d0e440fd1b32df788f605eadb8
Opcode Fuzzy Hash: 5cd53a599e33a6c87605a16a3b2455e135909c33e3059dc84d7c3049729d0d9d
Instruction Fuzzy Hash: F9414EB2814209AACF14FBE4DE46DEEB378EF55350F104069F60572092EA756FA8CF61

Function 002906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00290804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0029082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00290837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0029083C

Strings

SOFTWARE\Classes\, xrefs: 0029070E
\CLSID, xrefs: 00290724
\IPC$, xrefs: 00290784

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2d711d20f65f1cd299b71aaaf39b00fe844c5e8bf6e0d59c27ebc7d0be1bbea8
Instruction ID: d80695c818716e012758d06ff0255ef2cc181c168417f2acbf7439a1f164c2ad
Opcode Fuzzy Hash: 2d711d20f65f1cd299b71aaaf39b00fe844c5e8bf6e0d59c27ebc7d0be1bbea8
Instruction Fuzzy Hash: DF4104B282022DABDF15EFA4DC89DEDB778BF44350F144169E905A3160EB709E64CFA0

Function 002B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B3C5C
CoInitialize.OLE32(00000000), ref: 002B3C8A
CoUninitialize.OLE32 ref: 002B3C94
_wcslen.LIBCMT ref: 002B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 002B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 002B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 002B3F0E
CoGetObject.OLE32(?,00000000,002CFB98,?), ref: 002B3F2D
SetErrorMode.KERNEL32(00000000), ref: 002B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002B3FC4
VariantClear.OLEAUT32(?), ref: 002B3FD8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0b9edab59e19c12ad880d8c4ae92d4ebd635c783b54527e770ff70b053d6b7c6
Instruction ID: 6b1bd636062ab12ed4b16ca6a5af37394d8aa234e80dfa5b26b5f850d286354d
Opcode Fuzzy Hash: 0b9edab59e19c12ad880d8c4ae92d4ebd635c783b54527e770ff70b053d6b7c6
Instruction Fuzzy Hash: 19C167B16183069FD700DF68C88496BBBE9FF89784F14491DF98A9B210DB70EE15CB52

Function 002A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 002A7BA3
CoCreateInstance.OLE32(002CFD08,00000000,00000001,002F6E6C,?), ref: 002A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002A7C74
CoTaskMemFree.OLE32(?,?), ref: 002A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 002A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002A7D7A
CoTaskMemFree.OLE32(00000000), ref: 002A7D81
CoTaskMemFree.OLE32(00000000), ref: 002A7DD6
CoUninitialize.OLE32 ref: 002A7DDC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d2c2b1d962309f8dae97a9df29aedc0d65310bdcaac62fd00a8882a0bde5cacc
Instruction ID: 7e48663210b79ca401d462cf128544e66d492e5a42a7e6e8af927d5ca51bf6a1
Opcode Fuzzy Hash: d2c2b1d962309f8dae97a9df29aedc0d65310bdcaac62fd00a8882a0bde5cacc
Instruction Fuzzy Hash: 76C13C75A14109AFCB14DF64C888DAEBBF9FF49314F148499E81A9B261DB30ED51CF90

Function 002C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C5515
CharNextW.USER32(00000158), ref: 002C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C55AC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2dffc8e98ba35444ef6080ddc76aa6ac7cec30ac9c96e91554e725602e819f7b
Instruction ID: 46aea10b2e91817c430a6d4be660435bb4e744da0bed308ddee1db83c7cbc3d6
Opcode Fuzzy Hash: 2dffc8e98ba35444ef6080ddc76aa6ac7cec30ac9c96e91554e725602e819f7b
Instruction Fuzzy Hash: FF618130920629ABDF248F54CC84EFE7BB9FF05760F204249F525A6291D774EAE0DB60

Function 0028FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0028FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0028FB08
VariantInit.OLEAUT32(?), ref: 0028FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0028FB3A
VariantCopy.OLEAUT32(?,?), ref: 0028FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0028FBA1
VariantClear.OLEAUT32(?), ref: 0028FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0028FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0028FBCC
VariantClear.OLEAUT32(?), ref: 0028FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0028FBE9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 960d825988bad2dc00102d6fb8c143437d353eedaef4e0af979fe6bc8a577117
Instruction ID: 5e7a261fe3dcd96203f2ec2d5a97b7c99ee455789496f744e5341ef5d07f2ea4
Opcode Fuzzy Hash: 960d825988bad2dc00102d6fb8c143437d353eedaef4e0af979fe6bc8a577117
Instruction Fuzzy Hash: B0419135A10219DFDF14EF64D858DAEBBB9FF08354F10C029E80AA7261DB30A955CF90

Function 00299C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00299CA1
GetAsyncKeyState.USER32(000000A0), ref: 00299D22
GetKeyState.USER32(000000A0), ref: 00299D3D
GetAsyncKeyState.USER32(000000A1), ref: 00299D57
GetKeyState.USER32(000000A1), ref: 00299D6C
GetAsyncKeyState.USER32(00000011), ref: 00299D84
GetKeyState.USER32(00000011), ref: 00299D96
GetAsyncKeyState.USER32(00000012), ref: 00299DAE
GetKeyState.USER32(00000012), ref: 00299DC0
GetAsyncKeyState.USER32(0000005B), ref: 00299DD8
GetKeyState.USER32(0000005B), ref: 00299DEA

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 29364d49b6ff1e0dbc47d93db6b2812e779e7fedd0079474d74589c139a608f1
Instruction ID: e77a3ddab0eaca22ff26891d3eb807281f99c831ad10e845926bf6b65df31706
Opcode Fuzzy Hash: 29364d49b6ff1e0dbc47d93db6b2812e779e7fedd0079474d74589c139a608f1
Instruction Fuzzy Hash: EF410B305147CB6DFF309F6888443B5BEA0AF16364F44805FCAC6565C2EBA59DE4C7A2

Function 002B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002B05BC
inet_addr.WSOCK32(?), ref: 002B061C
gethostbyname.WSOCK32(?), ref: 002B0628
IcmpCreateFile.IPHLPAPI ref: 002B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002B07B9
WSACleanup.WSOCK32 ref: 002B07BF

Strings

Ping, xrefs: 002B0676

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e241d7c6c2c5541ab9dc3625feb0fc97a72feb7bba01421d657cb831560ea241
Instruction ID: 304da37bf0bcf161ec73125817166385ef1a1e09e8aa3f326f7086729863c77c
Opcode Fuzzy Hash: e241d7c6c2c5541ab9dc3625feb0fc97a72feb7bba01421d657cb831560ea241
Instruction Fuzzy Hash: FD918C756242029FD321CF15D4C8F5AFBE4EF84358F1485A9E46A8BAA2CB70EC55CF81

Function 002B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 002B8CF3

Part of subcall function 00298E54: _wcslen.LIBCMT ref: 00298E77

_wcslen.LIBCMT ref: 002B8D4E
_wcslen.LIBCMT ref: 002B8D9C
_wcslen.LIBCMT ref: 002B8DDC
_wcslen.LIBCMT ref: 002B8E6E

Strings

cdecl, xrefs: 002B8D48, 002B8D4D
stdcall, xrefs: 002B8DD6, 002B8DDB
none, xrefs: 002B8E65, 002B8E6A
winapi, xrefs: 002B8D96, 002B8D9B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 14e28130e2894d99d21b1b2efe2202a4afa50c0431c41102091e05c54aee500a
Instruction ID: 728eba105fed8ec3b2db658852e61bf874395b096c0bb9067a17dc6011e4d3be
Opcode Fuzzy Hash: 14e28130e2894d99d21b1b2efe2202a4afa50c0431c41102091e05c54aee500a
Instruction Fuzzy Hash: 2951C471A241179BCF14DF68C8408FEB3A9BF653A4B204229F969E72C4DB30DD60CB90

Function 002B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 002B3774
CoUninitialize.OLE32 ref: 002B377F
CoCreateInstance.OLE32(?,00000000,00000017,002CFB78,?), ref: 002B37D9
IIDFromString.OLE32(?,?), ref: 002B384C
VariantInit.OLEAUT32(?), ref: 002B38E4
VariantClear.OLEAUT32(?), ref: 002B3936

Strings

NULL Pointer assignment, xrefs: 002B381E
Failed to create object, xrefs: 002B37E4, 002B389A
Invalid parameter, xrefs: 002B3865

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 969aa5cd941908e3e493335cb3c49fa10c90a46f800df15864f4912f7493f04d
Instruction ID: 0e4672e0dc122f3f7a063910b89adac5f7c8cb2692796c4d43640fd55eb15034
Opcode Fuzzy Hash: 969aa5cd941908e3e493335cb3c49fa10c90a46f800df15864f4912f7493f04d
Instruction Fuzzy Hash: 7E61D5B1628301AFD710DF54C888FAAB7E8EF45790F10491DF9859B291DB70EE58CB92

Function 002C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

Part of subcall function 0024912D: GetCursorPos.USER32(?), ref: 00249141
Part of subcall function 0024912D: ScreenToClient.USER32(00000000,?), ref: 0024915E
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000001), ref: 00249183
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000002), ref: 0024919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 002C8B6B
ImageList_EndDrag.COMCTL32 ref: 002C8B71
ReleaseCapture.USER32 ref: 002C8B77
SetWindowTextW.USER32(?,00000000), ref: 002C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 002C8CFF

Strings

@GUI_DROPID, xrefs: 002C8C51
p#0, xrefs: 002C8C71
@GUI_DRAGFILE, xrefs: 002C8C9A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#0
API String ID: 1924731296-1516117121
Opcode ID: c964a0d346711e56af2f55e5d3b69d908dcdb3bcf6f7447599fb0d881f7daa12
Instruction ID: 35c1c337aa3a178633865662a96460476d21b9681a0b467bbe8f213f6865475a
Opcode Fuzzy Hash: c964a0d346711e56af2f55e5d3b69d908dcdb3bcf6f7447599fb0d881f7daa12
Instruction Fuzzy Hash: 71519C71115200AFD704DF14DCA9FAA77E4FB88710F10062EF956672E1CB709A64CFA2

Function 002A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002A33CF

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002A33F0

Strings

Line %d (File "%s"):, xrefs: 002A3443, 002A345C
"%s" (%d) : ==> %s:%s%s, xrefs: 002A3504
^ ERROR , xrefs: 002A349E
Error: , xrefs: 002A34D1
Incorrect parameters to object property !, xrefs: 002A34AB
"%s" (%d) : ==> %s:, xrefs: 002A3522

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 0dae93cd81bcdd0b398f46e49a9d173b7d8d005bbf812d14708523baee8f3e4d
Instruction ID: 4a92f6aa6ee2f842d3deef7ebbd823f76e55186180144c2f3425b22fb020c270
Opcode Fuzzy Hash: 0dae93cd81bcdd0b398f46e49a9d173b7d8d005bbf812d14708523baee8f3e4d
Instruction Fuzzy Hash: 2F516EB1920209ABDF15EBA4CD56EEEB778EF09340F1041A5F50572051EB612FA8DF60

Function 0029B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0029B5FC
_wcslen.LIBCMT ref: 0029B608
_wcslen.LIBCMT ref: 0029B64D
_wcslen.LIBCMT ref: 0029B68C
_wcslen.LIBCMT ref: 0029B6C7

Strings

REMOVE, xrefs: 0029B602, 0029B607
EXISTS, xrefs: 0029B686, 0029B68B
APPEND, xrefs: 0029B6C1, 0029B6C6
KEYS, xrefs: 0029B647, 0029B64C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f3e6a8a2174c68ca7f564c91782d4ce09c001a83afe257bff9a7e85ee2cf5ce7
Instruction ID: 7c509aa4a9c2968ea375d16d80b794fa48abb3940600be4b0f8a069ba54991ca
Opcode Fuzzy Hash: f3e6a8a2174c68ca7f564c91782d4ce09c001a83afe257bff9a7e85ee2cf5ce7
Instruction Fuzzy Hash: 7941E833A200279ACF116F7D9A905BEB7A9EFA0754B244239E421D7284E731EDA1C790

Function 002A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002A5416
GetLastError.KERNEL32 ref: 002A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 002A54A7

Strings

READONLY, xrefs: 002A5452
READY, xrefs: 002A5460, 002A5468
INVALID, xrefs: 002A5459
NOTREADY, xrefs: 002A544B
UNKNOWN, xrefs: 002A5444

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66b027832701b0c4f0a7cccb77aec150e4fdffff516de175984cf0c414ea4da7
Instruction ID: 9fe1620e405ecd905d47f80e5305dd85d3b3bd592f615dd8ffb63d8aced23c2f
Opcode Fuzzy Hash: 66b027832701b0c4f0a7cccb77aec150e4fdffff516de175984cf0c414ea4da7
Instruction Fuzzy Hash: 8E31E575A206159FC710DF68C488EAABBF4FF4A305F188065E505CB252DB70DD92CB90

Function 002C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002C3C79
SetMenu.USER32(?,00000000), ref: 002C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C3D10
IsMenu.USER32(?), ref: 002C3D24
CreatePopupMenu.USER32 ref: 002C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002C3D5B
DrawMenuBar.USER32 ref: 002C3D63

Strings

0, xrefs: 002C3C54
F, xrefs: 002C3D4E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7ad6c5e46897cde4c52deec787e5424f5280cc6fcaa44bbf4d6116b83d0155e6
Instruction ID: e0b1772935b7eaa210ce438f0c80e13e7dd64af08e0c334c0708e367c7b324ed
Opcode Fuzzy Hash: 7ad6c5e46897cde4c52deec787e5424f5280cc6fcaa44bbf4d6116b83d0155e6
Instruction Fuzzy Hash: 1E418A74A1120AAFDB14CF64E858FAABBB5FF49350F14452DF946A7360D730AA20CF90

Function 002C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 002C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002C3C13

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f9cc2795a36bd9e83ebd542301aab989cf45cad9ad9892f938efa4bfc7c02548
Instruction ID: 141b4b9aec285819adfca331ea04f36f74f3d6fccdd04298c04e92053b81d473
Opcode Fuzzy Hash: f9cc2795a36bd9e83ebd542301aab989cf45cad9ad9892f938efa4bfc7c02548
Instruction Fuzzy Hash: 6F617775A00208AFDB11DFA8CC81FEEB7B8EB09704F10459AFA15A72A1C770AE55DF50

Function 0029B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0029B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B165
GetWindowThreadProcessId.USER32(00000000), ref: 0029B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0029B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B21D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7ae92d77a44d124a860ee000887392c9e26570fe8ab77271baf7c64168550a91
Instruction ID: c94a86faf485d56eab5596ea18523fb547ee63f219643ffe5fb877a79e6cd5b9
Opcode Fuzzy Hash: 7ae92d77a44d124a860ee000887392c9e26570fe8ab77271baf7c64168550a91
Instruction Fuzzy Hash: 39319C75922205BFDF129F24FE58FAD7BADFB51311F20401AFA0AD6190D7B4AA418F60

Function 00262C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00262C94

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 00262CA0
_free.LIBCMT ref: 00262CAB
_free.LIBCMT ref: 00262CB6
_free.LIBCMT ref: 00262CC1
_free.LIBCMT ref: 00262CCC
_free.LIBCMT ref: 00262CD7
_free.LIBCMT ref: 00262CE2
_free.LIBCMT ref: 00262CED
_free.LIBCMT ref: 00262CFB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 492d2beea0b9e46bd9e4bfc14eed7e82c115c157e0e5ee84475b68e15ce09eef
Instruction ID: e87ef3d52280ab1fd7ac907152833730b3027f1cca732c35e8730af742c8a05d
Opcode Fuzzy Hash: 492d2beea0b9e46bd9e4bfc14eed7e82c115c157e0e5ee84475b68e15ce09eef
Instruction Fuzzy Hash: EF11F636221408EFCB06EF54D842CDC3BA5FF45380F5150A1F9485B222D631EEA49F90

Function 002A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 002A7FC1
GetFileAttributesW.KERNEL32(?), ref: 002A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 002A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002A80B0

Strings

*.*, xrefs: 002A8066

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a0788f93bbfab0190cc612fe5e05e104472a16e3069d22c8127af0c7581ba4d4
Instruction ID: fc3ffd17d90298997c498721f2ee9e3ccb1863662a79b70aa8487316cfc08db8
Opcode Fuzzy Hash: a0788f93bbfab0190cc612fe5e05e104472a16e3069d22c8127af0c7581ba4d4
Instruction Fuzzy Hash: 6781C1725283429BCB20EF14C9449AAB3E8BF8A310F144C6EF885D7250EF75DD698F56

Function 00235BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00235C7A

Part of subcall function 00235D0A: GetClientRect.USER32(?,?), ref: 00235D30
Part of subcall function 00235D0A: GetWindowRect.USER32(?,?), ref: 00235D71
Part of subcall function 00235D0A: ScreenToClient.USER32(?,?), ref: 00235D99

GetDC.USER32 ref: 002746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00274708
SelectObject.GDI32(00000000,00000000), ref: 00274716
SelectObject.GDI32(00000000,00000000), ref: 0027472B
ReleaseDC.USER32(?,00000000), ref: 00274733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002747C4

Strings

U, xrefs: 00274693

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 72471e4ea8a9319a851577fceb0bcfadccb74873eeadb1bef8d301940cd757c1
Instruction ID: b6f78b9e81cd67b889ade8e4b97460f67b50ddea619d35c9e73155e847e86c33
Opcode Fuzzy Hash: 72471e4ea8a9319a851577fceb0bcfadccb74873eeadb1bef8d301940cd757c1
Instruction Fuzzy Hash: 9571F430520206DFCF26AF64C984EBA7BB5FF4A314F24826AED595A166C331DC61DF50

Function 002A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002A35E4

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

LoadStringW.USER32(00302390,?,00000FFF,?), ref: 002A360A

Strings

Line %d (File "%s"):, xrefs: 002A366B
"%s" (%d) : ==> %s:%s%s, xrefs: 002A3724
^ ERROR, xrefs: 002A36C9
Error: , xrefs: 002A36EF
"%s" (%d) : ==> %s:, xrefs: 002A3742

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 00a1573e9e75fe240ae41da9662792203354b71e6ac45f39130a9c4f6d9bc94f
Instruction ID: 5d8067a533d720f245f470695e7b925063088eb16057fed36ebb967ad5f7e263
Opcode Fuzzy Hash: 00a1573e9e75fe240ae41da9662792203354b71e6ac45f39130a9c4f6d9bc94f
Instruction Fuzzy Hash: CF515DB182020ABBDF15EBA0CC56EEDBB78EF05350F144165F105721A1EB711BA9DFA0

Function 002AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002AC2CA
GetLastError.KERNEL32 ref: 002AC322
SetEvent.KERNEL32(?), ref: 002AC336
InternetCloseHandle.WININET(00000000), ref: 002AC341

Strings

, xrefs: 002AC2BB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 782ef79f97a91e66e19d260ca6726f9e56a8f419dfd01c96f5e6c9f4790ba640
Instruction ID: 4d7b9562ce718afaeca91d8679462c0941e2fb717ae31f76bfbe513397e24649
Opcode Fuzzy Hash: 782ef79f97a91e66e19d260ca6726f9e56a8f419dfd01c96f5e6c9f4790ba640
Instruction Fuzzy Hash: 5F317FB1510204AFDB219F649C88EAB7BFCEB4A744F24855EF44AD2200DF30DD199B61

Function 0029989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00273AAF,?,?,Bad directive syntax error,002CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002998BC
LoadStringW.USER32(00000000,?,00273AAF,?), ref: 002998C3

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00299987

Strings

Line %d (File "%s"):, xrefs: 0029992D
Error: , xrefs: 00299955
., xrefs: 0029996D
Line %d:, xrefs: 00299912
%s (%d) : ==> %s.: %s %s, xrefs: 002998F1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 6201278cf78f19863a40b3a8a03f6cff0a9a843050c42f278cd2d612c55e03d1
Instruction ID: 3d7975e3d1a24cf5b9aa1fd2a1e141ddda829106a564b9b4a38411cb151c51cc
Opcode Fuzzy Hash: 6201278cf78f19863a40b3a8a03f6cff0a9a843050c42f278cd2d612c55e03d1
Instruction Fuzzy Hash: 1F218C7182021AABDF15AF90CC0AEEE7739FF19300F044469F519660A2EA7196B8DF50

Function 0029209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0029214D

Strings

smallicons, xrefs: 00292115
SHELLDLL_DefView, xrefs: 002920CC
details, xrefs: 002920FB
largeicons, xrefs: 002920E1
list, xrefs: 0029212F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 18b2c64ef0ff6042e3bc304428735c873b7feed3331a295ed032e1b0f9314689
Instruction ID: 7091c61ec06c5683c923416099c0cf10ed011abf6014802d6586437978b56589
Opcode Fuzzy Hash: 18b2c64ef0ff6042e3bc304428735c873b7feed3331a295ed032e1b0f9314689
Instruction Fuzzy Hash: F4113D765B8717F5FE012620EC1ADB6779CCF05359F300026FF0CA40D6EAB198795A18

Function 0026CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0026CEB7
_free.LIBCMT ref: 0026CF22
_free.LIBCMT ref: 0026CF48
_free.LIBCMT ref: 0026CF71
_free.LIBCMT ref: 0026CFA9
_free.LIBCMT ref: 0026CFDA
_free.LIBCMT ref: 0026D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0026D09C
_free.LIBCMT ref: 0026D0B5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d724d229a81d5b8e0f1f00000899b12e5d816fc05fa52b1d0ad4864505b82c9b
Instruction ID: 82ae6cd46c72d117a68589823f4b37452ef61452b8fccc80dbcbc488f0f1a688
Opcode Fuzzy Hash: d724d229a81d5b8e0f1f00000899b12e5d816fc05fa52b1d0ad4864505b82c9b
Instruction Fuzzy Hash: B4618B71A25302EFDB25BFB49C81B797BA9EF05310F24016FF884D7641D6329DA08BA0

Function 002C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002C5186
ShowWindow.USER32(?,00000000), ref: 002C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002C51D1

Part of subcall function 002C6FBA: DeleteObject.GDI32(00000000), ref: 002C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002C5296

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d27ea44c251a2bbcace00c4f6f60b4c6e934766f47818305bf8eb6fb834dae27
Instruction ID: 6916e7507518ba1272062e507605085aa4c7e00af819bf507d8758c3b86d428a
Opcode Fuzzy Hash: d27ea44c251a2bbcace00c4f6f60b4c6e934766f47818305bf8eb6fb834dae27
Instruction Fuzzy Hash: 5E51C530A70A29BEEF249F24CC49F9977A5EB04324F544219F919962E0C3B1F9E0DF41

Function 00248B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00286890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00248874,00000000,00000000,00000000,000000FF,00000000), ref: 00286901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00248874,00000000,00000000,00000000,000000FF,00000000), ref: 0028692D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d8acb5468211059463aff3dffdf9aac5f2f1a45726066f2a6feb8e376c965244
Instruction ID: 86c7fe0556fc7346db414b4487a1ba007afa58faafd11a061c3613ce8658b799
Opcode Fuzzy Hash: d8acb5468211059463aff3dffdf9aac5f2f1a45726066f2a6feb8e376c965244
Instruction Fuzzy Hash: 58518B74A20206EFDB24DF24CC59FAA7BB5EB44754F204518F916D72E0DB70E9A0DB50

Function 002AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002AC182
GetLastError.KERNEL32 ref: 002AC195
SetEvent.KERNEL32(?), ref: 002AC1A9

Part of subcall function 002AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002AC272
Part of subcall function 002AC253: GetLastError.KERNEL32 ref: 002AC322
Part of subcall function 002AC253: SetEvent.KERNEL32(?), ref: 002AC336
Part of subcall function 002AC253: InternetCloseHandle.WININET(00000000), ref: 002AC341

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4b66fb7d088871d48029e33f34a7c272aa0a54d789d27901f5e0d97c98f0683b
Instruction ID: 1fb2001b18be0da6e8d65b77babab10e6925e87049f877da743a3c4be1a4049d
Opcode Fuzzy Hash: 4b66fb7d088871d48029e33f34a7c272aa0a54d789d27901f5e0d97c98f0683b
Instruction Fuzzy Hash: 84319071210605AFDB219FA5ED48A66BBF8FF5A300B24441EF95A83610DB31E824DFA0

Function 002925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00292601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00292605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0029260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00292623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00292627

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5cda34749546870e24e725c67798c5d65998630cc804a8bac34a2ee995c5396d
Instruction ID: 1c0be4226f1eef560b273f9c09d2781d69910eccbc6e240324f57e20d50c6dcd
Opcode Fuzzy Hash: 5cda34749546870e24e725c67798c5d65998630cc804a8bac34a2ee995c5396d
Instruction Fuzzy Hash: 3A01D4307A0210BBFB106769AC8EF593F5DDB8EB12F210011F31CAE1D1C9E22454CAA9

Function 00291803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00291449,?,?,00000000), ref: 0029180C
HeapAlloc.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 00291813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00291449,?,?,00000000), ref: 00291828
GetCurrentProcess.KERNEL32(?,00000000,?,00291449,?,?,00000000), ref: 00291830
DuplicateHandle.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 00291833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00291449,?,?,00000000), ref: 00291843
GetCurrentProcess.KERNEL32(00291449,00000000,?,00291449,?,?,00000000), ref: 0029184B
DuplicateHandle.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 0029184E
CreateThread.KERNEL32(00000000,00000000,00291874,00000000,00000000,00000000), ref: 00291868

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba6e052c74dc07f09b875dab0a9aaf650cfc4953de953c7f9cf8d76946b158de
Instruction ID: c299e6863ca074db602ec9348e471efb4a1548460c9ff705be4b8c439ad62351
Opcode Fuzzy Hash: ba6e052c74dc07f09b875dab0a9aaf650cfc4953de953c7f9cf8d76946b158de
Instruction Fuzzy Hash: 6401BFB5240344BFE710AB66EC4DF5B3B6CEB89B11F144411FA09DB191C6B49810CB20

Function 00263E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00263F0B
__alldvrm.LIBCMT ref: 0026410C
__alldvrm.LIBCMT ref: 0026412E

Strings

}}%, xrefs: 00263E8A
}}%, xrefs: 00263E96, 00263EF1, 00263F0A, 00264090
}}%, xrefs: 002640CD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}%$}}%$}}%
API String ID: 1036877536-2031228006
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2b897eaa799acaecf6bd5f1a850d19753eb3fd14d250ee9aed31197fa2ad7ffa
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 02A16B71E303969FEB25EF18C8917AEBBE4EF62350F1441ADE5859B281C2748DE1CB50

Function 002BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0029D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0029D501
Part of subcall function 0029D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0029D50F
Part of subcall function 0029D4DC: CloseHandle.KERNELBASE(00000000), ref: 0029D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002BA16D
GetLastError.KERNEL32 ref: 002BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 002BA268
GetLastError.KERNEL32(00000000), ref: 002BA273
CloseHandle.KERNEL32(00000000), ref: 002BA2C4

Strings

SeDebugPrivilege, xrefs: 002BA18F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 74aef1f9281e4a4f3c4c3e48718e1a5c7b7c8a6b958394580e847d647e104604
Instruction ID: c9d6b043d47ee165c69f90807d4ef73431e9174aa383646b0776cfc0bfec162a
Opcode Fuzzy Hash: 74aef1f9281e4a4f3c4c3e48718e1a5c7b7c8a6b958394580e847d647e104604
Instruction Fuzzy Hash: C861B170224242AFD720DF19C494F55BBE5AF44358F18849CE86A8BBA3C772EC55CF92

Function 002C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002C3954
_wcslen.LIBCMT ref: 002C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002C39F4

Strings

SysListView32, xrefs: 002C38F7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d18bab2f453271c399443710efb20a1f6270cf5f5a0c6cdbb07faf2ac1739520
Instruction ID: 78435adfc20cab1eb77fe92b4cee539f81cf2d4b8820286369532b46aed7ae00
Opcode Fuzzy Hash: d18bab2f453271c399443710efb20a1f6270cf5f5a0c6cdbb07faf2ac1739520
Instruction Fuzzy Hash: 0841C671A10219ABDF21DF64CC49FEA77A9EF08350F10462AF958E7281D7719EA0CF90

Function 0029BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0029BCFD
IsMenu.USER32(00000000), ref: 0029BD1D
CreatePopupMenu.USER32 ref: 0029BD53
GetMenuItemCount.USER32(014255D0), ref: 0029BDA4
InsertMenuItemW.USER32(014255D0,?,00000001,00000030), ref: 0029BDCC

Strings

2, xrefs: 0029BD37
0, xrefs: 0029BCA8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b7a767439307f0ffcd44a639c0af16a2f0e471dc15c25654d943b0b637ecaea2
Instruction ID: a6a00f1b0e3bd8bb92dfb42631f81bf7e39e1a8b1d8095eb892f90c66ed0a5e7
Opcode Fuzzy Hash: b7a767439307f0ffcd44a639c0af16a2f0e471dc15c25654d943b0b637ecaea2
Instruction Fuzzy Hash: BD51B370A2020ADBDF12CFA8EA88BADBBF4BF45314F244169E405E7290D7709955CB71

Function 00252D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00252D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00252D53
_ValidateLocalCookies.LIBCMT ref: 00252DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00252E0C
_ValidateLocalCookies.LIBCMT ref: 00252E61

Strings

csm, xrefs: 00252DF6
&H%, xrefs: 00252DFE, 00252E07, 00252E18

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H%$csm
API String ID: 1170836740-3280660909
Opcode ID: cdbd37b157107621f4bc09daf5344a3c8b24aa6b172abfeb69ed1645a2e21e7f
Instruction ID: f3c7ebe9691212158fccee6e4c1418a4c06e3d3641f255d9233bdc49856e5984
Opcode Fuzzy Hash: cdbd37b157107621f4bc09daf5344a3c8b24aa6b172abfeb69ed1645a2e21e7f
Instruction Fuzzy Hash: B641E434A21209DBCF10DF68C885A9EBBB4BF46366F148055EC146B392D731AA2DCF94

Function 0029C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0029C913

Strings

info, xrefs: 0029C8B4
stop, xrefs: 0029C8E4
warning, xrefs: 0029C8FC
question, xrefs: 0029C8CC
blank, xrefs: 0029C895

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: becbe59396b0c9ee608da7ae75619db8b96973761f7af70ef3eca29b1a95f182
Instruction ID: 35c7e2ca53b8e8aed94f40b89d63375ee86653f6caa20a5d2cd3afa04a3982f2
Opcode Fuzzy Hash: becbe59396b0c9ee608da7ae75619db8b96973761f7af70ef3eca29b1a95f182
Instruction Fuzzy Hash: 6D11EB316B930BBABB056B54DC86DBAF79CDF15359B30003AF904A6282D7B09D605768

Function 0029DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0029DE42
gethostname.WSOCK32(?,00000100), ref: 0029DE5C
gethostbyname.WSOCK32(?), ref: 0029DE69
inet_ntoa.WSOCK32(?), ref: 0029DEAB
_strcat.LIBCMT ref: 0029DEB9
WSACleanup.WSOCK32 ref: 0029DEDE

Strings

0.0.0.0, xrefs: 0029DE87

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: afab3b3fa9f808ef8206fd1fc03f5ec3de185674a55fd7da27a5fab8fd744f07
Instruction ID: 3c33d484282cd12f7a0f5e2208c87f5f2ab35702bd56fb02c06af36d24aed9bd
Opcode Fuzzy Hash: afab3b3fa9f808ef8206fd1fc03f5ec3de185674a55fd7da27a5fab8fd744f07
Instruction Fuzzy Hash: 4E115971920105AFCF20BF70EC4AEEFB7ACDF11361F100169F54996091EF718AA49E60

Function 0029ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0029ED2A
_wcslen.LIBCMT ref: 0029ED3B
_wcslen.LIBCMT ref: 0029ED79
_wcslen.LIBCMT ref: 0029EDAF
_wcslen.LIBCMT ref: 0029EDDF
_wcslen.LIBCMT ref: 0029EDEF
_wcslen.LIBCMT ref: 0029EE2B
_wcslen.LIBCMT ref: 0029EE5A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3d8050530fd09ef92be0a8f0e9be5a68ebdf4ae361e7f4762fa526e2965a725c
Instruction ID: efd78ca29c9de3895969fe7b63561b435290d494b04279cbb5ff8d701687920c
Opcode Fuzzy Hash: 3d8050530fd09ef92be0a8f0e9be5a68ebdf4ae361e7f4762fa526e2965a725c
Instruction Fuzzy Hash: D0418265C2011865CF11FBB4888AADFB7ACAF45711F508466ED14E3122EB34D269C7A9

Function 0024F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0024F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0028F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0028F454

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5c7a3c9a21dae0423ff1bcc820d4603ac28b9309225fb1dd64c98a9b737ea901
Instruction ID: 83059cb3cd2676f15a1f53e0278cc1c43acf9718eda5382f003fa351aa70b799
Opcode Fuzzy Hash: 5c7a3c9a21dae0423ff1bcc820d4603ac28b9309225fb1dd64c98a9b737ea901
Instruction Fuzzy Hash: 37414C342396C1BAD7FD9F289B88B2A7B95AFD6314F24443DE04B525A0C771A8A0CB11

Function 002C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002C2D1B
GetDC.USER32(00000000), ref: 002C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 002C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002C2DE1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 16ba11acf5804e1407331a7541ae3f8d32ac55bcb2ad0f9b68d61781bfdf6d40
Instruction ID: 166d16d1ea3d2f248e1de6c28c56557eb24ef51f19bc2f4a61a69f87bbb8162b
Opcode Fuzzy Hash: 16ba11acf5804e1407331a7541ae3f8d32ac55bcb2ad0f9b68d61781bfdf6d40
Instruction Fuzzy Hash: BC31BA72211610BFEB248F10DC8AFEB3BADEF49711F184055FE0D9A291CA758C50CBA0

Function 00295622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00295637
_memcmp.LIBVCRUNTIME ref: 00295659
_memcmp.LIBVCRUNTIME ref: 00295671
_memcmp.LIBVCRUNTIME ref: 00295684
_memcmp.LIBVCRUNTIME ref: 0029569E
_memcmp.LIBVCRUNTIME ref: 002956B1
_memcmp.LIBVCRUNTIME ref: 002956C9
_memcmp.LIBVCRUNTIME ref: 002956E4

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 22d685998c91e21aa480402f94b2986f2fff7a88e36121b8f842a30c7d4ac011
Instruction ID: 63418df1ccc8904aa344fefde4bf8e4b47405c3a6c728a7b151f170e149e0b44
Opcode Fuzzy Hash: 22d685998c91e21aa480402f94b2986f2fff7a88e36121b8f842a30c7d4ac011
Instruction Fuzzy Hash: F6213B61770A2A77DA1A9E209E92FFB334DAF21385F440025FD049A585F770EE34C7A9

Function 002B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 002B502E, 002B5383
Not an Object type, xrefs: 002B5007

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e64d41eae384f33b31efaa14cb0a6433c404de70dd09c7827985a222f27e4178
Instruction ID: d7e77e738a97f29ccc3e40fc357f2416dcad06366645b24afc36740058fad47a
Opcode Fuzzy Hash: e64d41eae384f33b31efaa14cb0a6433c404de70dd09c7827985a222f27e4178
Instruction Fuzzy Hash: 2DD1AF71A2061A9FDF14DFA8C880BEEB7B5BF48384F148469E915AF281E770DD51CB90

Function 00271522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00271651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002717FB,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002716FB

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00271777
__freea.LIBCMT ref: 002717A2
__freea.LIBCMT ref: 002717AE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 8732f9b37489485c60f2464294a6f87240f97286e43ff0033fb5fdd7a51c7054
Instruction ID: 0dd1f88adf504c78938885ed34c91d41005f9e0c3e391ad4dbce214de85e70c0
Opcode Fuzzy Hash: 8732f9b37489485c60f2464294a6f87240f97286e43ff0033fb5fdd7a51c7054
Instruction Fuzzy Hash: 2391C571E202179ADB288E6CCC81AEEBBB5AF49710F588559E809E7180D735DD70CBA0

Function 002B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B4648
VariantInit.OLEAUT32(?), ref: 002B4749
VariantClear.OLEAUT32(?), ref: 002B4753
VariantClear.OLEAUT32(?), ref: 002B47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002B45D8, 002B4706, 002B47BE
Incorrect Object type in FOR..IN loop, xrefs: 002B472C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 623b89eb4d676effcb5868855e9a1d3e51904eb6c9c58f0fdcf3d9df990da5e0
Instruction ID: 8fe0986cc2f6c8ef2ece5ea6f413d812f1d989c19a8e273f3e306e159ad7c20e
Opcode Fuzzy Hash: 623b89eb4d676effcb5868855e9a1d3e51904eb6c9c58f0fdcf3d9df990da5e0
Instruction Fuzzy Hash: 2991C470A20219ABDF24DFA4C884FEEB7B8EF46754F108559F505AB282DB709951CFA0

Function 002A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 002A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A1430

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: dd36352c879d38a6e09640aa4198d37049dbd300004711d8518e530fd6cbec84
Instruction ID: 2134e85101c3d88a5b2933bbc2c4926e29a3292b61d448298d35ad78c81ade04
Opcode Fuzzy Hash: dd36352c879d38a6e09640aa4198d37049dbd300004711d8518e530fd6cbec84
Instruction Fuzzy Hash: 0191C2719202199FEB04DF98C885BBEB7B5FF46325F104029E941EB291DB74E961CF50

Function 0024948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bcd590e490a6042d65a16849b19ea62746b55856d2bd3522a1c18b59e4424cc2
Instruction ID: 8d4526b26de569abcbbb4e176ea464efb42f5657381ea122e35617c21b231867
Opcode Fuzzy Hash: bcd590e490a6042d65a16849b19ea62746b55856d2bd3522a1c18b59e4424cc2
Instruction Fuzzy Hash: 6C911671D1021AAFCB14CFA9CC88AEEBBB8FF49320F244559E515B7291D374A991CB60

Function 002B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B396B
CharUpperBuffW.USER32(?,?), ref: 002B3A7A
_wcslen.LIBCMT ref: 002B3A8A
VariantClear.OLEAUT32(?), ref: 002B3C1F

Part of subcall function 002A0CDF: VariantInit.OLEAUT32(00000000), ref: 002A0D1F
Part of subcall function 002A0CDF: VariantCopy.OLEAUT32(?,?), ref: 002A0D28
Part of subcall function 002A0CDF: VariantClear.OLEAUT32(?), ref: 002A0D34

Strings

Incorrect Parameter format, xrefs: 002B39A6, 002B3BA1
AUTOIT.ERROR, xrefs: 002B3A80, 002B3A85

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f86be39648756c152d28ce8a865c5ac4c44f36761f17f2e47a1991a9b87e35bc
Instruction ID: 8a4dbbc6af550e49ef9e03b29d9d9d6cdbf8d3a313c71d68e12e7abfd09f07c7
Opcode Fuzzy Hash: f86be39648756c152d28ce8a865c5ac4c44f36761f17f2e47a1991a9b87e35bc
Instruction Fuzzy Hash: E29146756283059FCB04EF24C4809AAB7E4BF89354F14882EF88997351DB30EE55CF92

Function 002B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0029000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?,?,0029035E), ref: 0029002B
Part of subcall function 0029000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290046
Part of subcall function 0029000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290054
Part of subcall function 0029000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?), ref: 00290064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002B4C51
_wcslen.LIBCMT ref: 002B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 002B4DCF
CoTaskMemFree.OLE32(?), ref: 002B4DDA

Strings

NULL Pointer assignment, xrefs: 002B4E23, 002B4E52

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b9465ee89aa0a161a79c3cfb119f8922bca757f31a44b410517b3fba46ef9785
Instruction ID: c3bd008180e5c8d11eaacea7b31955242b74d9ce4fd288dbf8836ed97b24f2bd
Opcode Fuzzy Hash: b9465ee89aa0a161a79c3cfb119f8922bca757f31a44b410517b3fba46ef9785
Instruction Fuzzy Hash: FD9129B1D1021DAFDF14EFA4C881EEEB7B8BF08354F104169E915A7251DB709A54CF60

Function 002C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002C2183
GetMenuItemCount.USER32(00000000), ref: 002C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002C21DD
_wcslen.LIBCMT ref: 002C2213
GetMenuItemID.USER32(?,?), ref: 002C224D
GetSubMenu.USER32(?,?), ref: 002C225B

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002C22E3

Part of subcall function 0029E97B: Sleep.KERNEL32 ref: 0029E9F3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 97a6b86b93e4f255cc0702d260116f9cfbb0e5c8f0c3742871329c24a92c22d7
Instruction ID: fcca7a0a8959b6634709ae9768ffb637ebde3d4a4b56d710349d788c9f6aeda6
Opcode Fuzzy Hash: 97a6b86b93e4f255cc0702d260116f9cfbb0e5c8f0c3742871329c24a92c22d7
Instruction Fuzzy Hash: BC71AC75A20205EFCB14EF64C845FAEB7F5EF88310F148559E81AAB341DB74AD158F90

Function 002C7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014253C8), ref: 002C7F37
IsWindowEnabled.USER32(014253C8), ref: 002C7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002C801E
SendMessageW.USER32(014253C8,000000B0,?,?), ref: 002C8051
IsDlgButtonChecked.USER32(?,?), ref: 002C8089
GetWindowLongW.USER32(014253C8,000000EC), ref: 002C80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002C80C3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4b85c700bc1cfe61a8f652d983da1c6860b7669fbb1c76395f761d7ca6f91061
Instruction ID: fbd3ba99742714c867c9b8fa357b02d450ed75509de0da732bdc510fb0047fc0
Opcode Fuzzy Hash: 4b85c700bc1cfe61a8f652d983da1c6860b7669fbb1c76395f761d7ca6f91061
Instruction Fuzzy Hash: 5571DF34628206AFEB259F64CCD4FAABBB9EF09340F14425DE94593261CB32AC64DF10

Function 0029AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0029AEF9
GetKeyboardState.USER32(?), ref: 0029AF0E
SetKeyboardState.USER32(?), ref: 0029AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0029AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0029AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0029AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0029B020

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 63ae647884b0901a9b3083a206fc5419483e9b7983c9f74a74de50fc9ae880fa
Instruction ID: 383abaee498a6c32d466dd99915c52b8484881ff79eaed6ee6dc19bb04352289
Opcode Fuzzy Hash: 63ae647884b0901a9b3083a206fc5419483e9b7983c9f74a74de50fc9ae880fa
Instruction Fuzzy Hash: 7651E1A0A247D63DFF374734CD49BBABEA95B06304F088489E1D9458C2C3D9ACE8D791

Function 0029ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0029AD19
GetKeyboardState.USER32(?), ref: 0029AD2E
SetKeyboardState.USER32(?), ref: 0029AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0029ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0029ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0029AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0029AE38

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d475e43a84e6c3f3575b2a857854b7e367f5a798548594e0dfeaadc3b7ca1ff5
Instruction ID: 27a15d2eb0ff31bae0798d83a1e9a31874973ae68acb33351cf8d92ef5423d96
Opcode Fuzzy Hash: d475e43a84e6c3f3575b2a857854b7e367f5a798548594e0dfeaadc3b7ca1ff5
Instruction Fuzzy Hash: 2151E7A19247D63DFF3787348C55B7A7E986B46300F088499E1D5468C2D394ECA4D7A2

Function 0026542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00273CD6,?,?,?,?,?,?,?,?,00265BA3,?,?,00273CD6,?,?), ref: 00265470
__fassign.LIBCMT ref: 002654EB
__fassign.LIBCMT ref: 00265506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00273CD6,00000005,00000000,00000000), ref: 0026552C
WriteFile.KERNEL32(?,00273CD6,00000000,00265BA3,00000000,?,?,?,?,?,?,?,?,?,00265BA3,?), ref: 0026554B
WriteFile.KERNEL32(?,?,00000001,00265BA3,00000000,?,?,?,?,?,?,?,?,?,00265BA3,?), ref: 00265584

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e9aa8c17ef49822836e36c087e9ab415608780b4f7be097cca821a6f6e878f81
Instruction ID: b72a47232a643fed258b4ce16ae6f4620821ff84130da17bc8b120b96a4caa9f
Opcode Fuzzy Hash: e9aa8c17ef49822836e36c087e9ab415608780b4f7be097cca821a6f6e878f81
Instruction Fuzzy Hash: E751C1B0A1064ADFDB10CFA8D849BEEBBF9EF08300F14415EF556E7291D6709A91CB60

Function 002B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
Part of subcall function 002B304E: _wcslen.LIBCMT ref: 002B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002B1112
WSAGetLastError.WSOCK32 ref: 002B1121
WSAGetLastError.WSOCK32 ref: 002B11C9
closesocket.WSOCK32(00000000), ref: 002B11F9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 00f7f9046bf8641aa4f3115789ec566b679e05fbe758c1a21616d155a9467036
Instruction ID: 09b7ef0c2760bd4664fec664579811f9ffde219805034e744a1c3865adfea3ce
Opcode Fuzzy Hash: 00f7f9046bf8641aa4f3115789ec566b679e05fbe758c1a21616d155a9467036
Instruction Fuzzy Hash: 52411671220204AFDB109F18D888BEAB7E9EF443A4F648159FD099B291C770AD61CFA0

Function 0029CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0029CF22,?), ref: 0029DDFD

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0029CF22,?), ref: 0029DE16

lstrcmpiW.KERNEL32(?,?), ref: 0029CF45
MoveFileW.KERNEL32(?,?), ref: 0029CF7F
_wcslen.LIBCMT ref: 0029D005
_wcslen.LIBCMT ref: 0029D01B
SHFileOperationW.SHELL32(?), ref: 0029D061

Strings

\*.*, xrefs: 0029CFF3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 306f119777f52a7e06df5d87b516fcfa8dba44df355412083e1f4323bb60b0fd
Instruction ID: 8fc9c39ae400b88f5865f918025427ae3e2426fff42ae637e401d18e97c96128
Opcode Fuzzy Hash: 306f119777f52a7e06df5d87b516fcfa8dba44df355412083e1f4323bb60b0fd
Instruction Fuzzy Hash: EF4179719152195FDF12EFA4D981EDDB7B8AF08380F1000E6E509EB141EB34AB98CF50

Function 002C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 002C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 002C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 002C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C2F0B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9cf33f5781012a640d582dd6925c3e85ad7b44d0b2755c58870ab1a02ea5678b
Instruction ID: 3e7e07e3f9936aeab4cb9859395d234680b9fd891fe9f19aa6d5798a27dc4184
Opcode Fuzzy Hash: 9cf33f5781012a640d582dd6925c3e85ad7b44d0b2755c58870ab1a02ea5678b
Instruction Fuzzy Hash: 51311330615255EFDB21DF18ED98FA537E8EB8A710F240269F904AB2B2CB71B854DB40

Function 00297726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0029778F
SysAllocString.OLEAUT32(00000000), ref: 00297792
SysAllocString.OLEAUT32(?), ref: 002977B0
SysFreeString.OLEAUT32(?), ref: 002977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002977DE
SysAllocString.OLEAUT32(?), ref: 002977EC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: aff98c3ef77c3bb87d20a8564abbf3066efe2a1a7128f842bdc445b5e3bab350
Instruction ID: 690df75451e4c2b17a5fa951d034176054bd8bad797e62d07ae96d7a1edf0d80
Opcode Fuzzy Hash: aff98c3ef77c3bb87d20a8564abbf3066efe2a1a7128f842bdc445b5e3bab350
Instruction Fuzzy Hash: DF219276624219AFDF14EFA9DC88CFBB7ACEB097647148025F919DB150D670DC418B60

Function 002977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297868
SysAllocString.OLEAUT32(00000000), ref: 0029786B
SysAllocString.OLEAUT32 ref: 0029788C
SysFreeString.OLEAUT32 ref: 00297895
StringFromGUID2.OLE32(?,?,00000028), ref: 002978AF
SysAllocString.OLEAUT32(?), ref: 002978BD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0a63d62346bd2b42fc34b4c3a14c8ec281991056895a0d5193af9ea499f08770
Instruction ID: e9ae33ac3ff71ca0d7d8ba4e5447e6b19a4b198dcddea2f62d53dfe9e870b297
Opcode Fuzzy Hash: 0a63d62346bd2b42fc34b4c3a14c8ec281991056895a0d5193af9ea499f08770
Instruction Fuzzy Hash: A9218031628205AFDF14AFB8DC8CDAA77ECFB097607148125F919CB2A1DA70DC51DB64

Function 002A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A052E

Strings

nul, xrefs: 002A0567

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 30cf9f9020ad1e3952f0d7731688959dc832ebce1ec4d37fb5cb2b65e7ba480e
Instruction ID: dae882443569e358e1b0296b3e0b6cdb60a5c832188ed2ec1e2c0af2dcea38b8
Opcode Fuzzy Hash: 30cf9f9020ad1e3952f0d7731688959dc832ebce1ec4d37fb5cb2b65e7ba480e
Instruction Fuzzy Hash: DD218271D103069FDF209F69DC88A5A7BB4BF46764F604A19F8A5D71E0DB709960CF20

Function 002A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A0601

Strings

nul, xrefs: 002A0639

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0d07226ec9d8ba29a03b5caea03043a2473fba4b121a65f9aed53b8276d8358b
Instruction ID: 5179099f8ec357680f67b6a9966957138e28dbc379e2ebf5b52c297345646afc
Opcode Fuzzy Hash: 0d07226ec9d8ba29a03b5caea03043a2473fba4b121a65f9aed53b8276d8358b
Instruction Fuzzy Hash: A5213575510306DBDB209F69DC84E5A77E8BF96B24F200A19FDA1E72D0DBB09970CB50

Function 002C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
Part of subcall function 0023600E: GetStockObject.GDI32(00000011), ref: 00236060
Part of subcall function 0023600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002C4145

Strings

Msctls_Progress32, xrefs: 002C40E3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8f6c6267cd8e8ea7d54f7d1cc41f13b9a2f083719fc8c41f12a8fc880c9e676f
Instruction ID: 2589f6a4d87a9467cf104c0f4c6d47186dc8d970f93771ad82b1073e46edee06
Opcode Fuzzy Hash: 8f6c6267cd8e8ea7d54f7d1cc41f13b9a2f083719fc8c41f12a8fc880c9e676f
Instruction Fuzzy Hash: 8B1193B11501197EEF119E64CC85EE77F9DEF08798F104211FA18A2050C6729C21DBA4

Function 0026D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0026D7A3: _free.LIBCMT ref: 0026D7CC

_free.LIBCMT ref: 0026D82D

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026D838
_free.LIBCMT ref: 0026D843
_free.LIBCMT ref: 0026D897
_free.LIBCMT ref: 0026D8A2
_free.LIBCMT ref: 0026D8AD
_free.LIBCMT ref: 0026D8B8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7177430487b93fa0804aaa39900197a93de7d4e765bae839d0f3eca0f44a00a9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: FD115171B61B08EAD522BFB0CC47FCBBBDC6F40700F440825B299A6092DA65B5A54E51

Function 0029DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0029DA74
LoadStringW.USER32(00000000), ref: 0029DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0029DA91
LoadStringW.USER32(00000000), ref: 0029DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0029DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0029DAB9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bb3d427c3a16941aee2aed78185106f8a62b023db6af43281a76d6638d9d306f
Instruction ID: 1b87e881ded3f35fb7ab05b474ef8f480d31d6bf25797480ba3b1881e55fa099
Opcode Fuzzy Hash: bb3d427c3a16941aee2aed78185106f8a62b023db6af43281a76d6638d9d306f
Instruction Fuzzy Hash: E80162F29102087FEB10ABA4AD8DEE7726CEB08311F500496F74AE2041EA749E944F74

Function 002A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0141EC78,0141EC78), ref: 002A097B
EnterCriticalSection.KERNEL32(0141EC58,00000000), ref: 002A098D
TerminateThread.KERNEL32(?,000001F6), ref: 002A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002A09A9
CloseHandle.KERNEL32(?), ref: 002A09B8
InterlockedExchange.KERNEL32(0141EC78,000001F6), ref: 002A09C8
LeaveCriticalSection.KERNEL32(0141EC58), ref: 002A09CF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5abbd2a69e8fff78b76b67e6b361056f43bb3e3ea9347ac1a80da1faf0b9f3fc
Instruction ID: 0bada5659ce849cd8adff0f60ddc3ef1a664318136c8639c72d129d3929599f3
Opcode Fuzzy Hash: 5abbd2a69e8fff78b76b67e6b361056f43bb3e3ea9347ac1a80da1faf0b9f3fc
Instruction Fuzzy Hash: ABF01932442A02ABD7416FA4FE8CED6BA29FF01702F502025F206908A0CB74A875CF91

Function 002B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002B1DE1
WSAGetLastError.WSOCK32 ref: 002B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 002B1EDB
inet_ntoa.WSOCK32(?), ref: 002B1E8C

Part of subcall function 002939E8: _strlen.LIBCMT ref: 002939F2

Part of subcall function 002B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,002AEC0C), ref: 002B3240

_strlen.LIBCMT ref: 002B1F35

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 62f34b73937711f10d139ea04a9010ee4b739334241c9b9b5dde15e289fff2f0
Instruction ID: c6a0f6e077d8cbcc74357ea34c5ca6e08297ef6a9fc18ffef57a24bc80434133
Opcode Fuzzy Hash: 62f34b73937711f10d139ea04a9010ee4b739334241c9b9b5dde15e289fff2f0
Instruction Fuzzy Hash: C1B10270224301AFC324DF24C895F6A7BE5AF84358FA4854CF55A5B2E2CB71ED61CB91

Function 00235D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00235D30
GetWindowRect.USER32(?,?), ref: 00235D71
ScreenToClient.USER32(?,?), ref: 00235D99
GetClientRect.USER32(?,?), ref: 00235ED7
GetWindowRect.USER32(?,?), ref: 00235EF8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 367122047d6e71f02220e5a3f733299d9fe05d92182bc86ef8bd02a0a39695e9
Instruction ID: 286289b977c7bf83972ce9b57fe34c01f5163741386d7cefec38da0b68c97f3a
Opcode Fuzzy Hash: 367122047d6e71f02220e5a3f733299d9fe05d92182bc86ef8bd02a0a39695e9
Instruction Fuzzy Hash: EDB18A75A20B5ADBDB10DFA8C4807EEB7F1FF48310F14841AE8A9D7250DB34AA61DB50

Function 002601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002600D6
__allrem.LIBCMT ref: 002600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0026010B
__allrem.LIBCMT ref: 00260122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00260140

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8ab277a01b12b0780a272284010bc5a4f8bc8a7b3fd4f956ba6afeb3ebb5f767
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 74815972A207069BE7209F78CC81B6B73E8AF41320F24453EF855D7AC1E770D9A49B94

Function 002661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002582D9,002582D9,?,?,?,0026644F,00000001,00000001,8BE85006), ref: 00266258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0026644F,00000001,00000001,8BE85006,?,?,?), ref: 002662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002663D8
__freea.LIBCMT ref: 002663E5

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

__freea.LIBCMT ref: 002663EE
__freea.LIBCMT ref: 00266413

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f77c5113ea46b6f0ad08a66b6e64d48d54d6f3ca976c0f2578a3ab3407d43b2e
Instruction ID: 8f7dd2a7a27eeca2b402cc3c91940586106581dcdd5c7ba9bc100ef5a638b549
Opcode Fuzzy Hash: f77c5113ea46b6f0ad08a66b6e64d48d54d6f3ca976c0f2578a3ab3407d43b2e
Instruction Fuzzy Hash: E351E472620217ABDB258FA4DC89EAF77A9EF44B10F144269FC05D6240DB74DCF0CAA0

Function 002BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BBD25
RegCloseKey.ADVAPI32(00000000), ref: 002BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002BBDF3
RegCloseKey.ADVAPI32(?), ref: 002BBDFF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9104908365ede1f6343b11e97ac7f74e30b65c518e478c3d8c8acd8ea202938e
Instruction ID: 584aec8455a66a722525c2b618226017b9aaba71e5e95a24b409884656ea5121
Opcode Fuzzy Hash: 9104908365ede1f6343b11e97ac7f74e30b65c518e478c3d8c8acd8ea202938e
Instruction Fuzzy Hash: 2281DD70228242AFC715DF24C885E6ABBE5FF84348F14895CF4994B2A2CB71ED55CF92

Function 0028F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0028F7B9
SysAllocString.OLEAUT32(00000001), ref: 0028F860
VariantCopy.OLEAUT32(0028FA64,00000000), ref: 0028F889
VariantClear.OLEAUT32(0028FA64), ref: 0028F8AD
VariantCopy.OLEAUT32(0028FA64,00000000), ref: 0028F8B1
VariantClear.OLEAUT32(?), ref: 0028F8BB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e7faa03ee762535de34eb64f2784e6a5b1739f83bc922e4297f03653c1811724
Instruction ID: 88b333b592b9e7fa4735581834f73f0ad9f6cb97083ce875264715c672245cc0
Opcode Fuzzy Hash: e7faa03ee762535de34eb64f2784e6a5b1739f83bc922e4297f03653c1811724
Instruction Fuzzy Hash: AA51D739631310BACFA4BF65D995B29B3A4EF45310F208467E905DF2D1DBB08C60CB66

Function 002A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002A94E5
_wcslen.LIBCMT ref: 002A9506
_wcslen.LIBCMT ref: 002A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 002A9585

Strings

X, xrefs: 002A9412

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ade5f693adaf00a3971cc144b8d01249df75916af47c97bc65dea39f87b26bd1
Instruction ID: 16cedac7c0594c49f3634c4233adb6f43bc6020da44c18808806f59bc1065b42
Opcode Fuzzy Hash: ade5f693adaf00a3971cc144b8d01249df75916af47c97bc65dea39f87b26bd1
Instruction Fuzzy Hash: F5E1C2715283419FCB24DF25C481B6AB7E4BF86314F04896DF8899B2A2DB30DD55CF92

Function 0024920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

BeginPaint.USER32(?,?,?), ref: 00249241
GetWindowRect.USER32(?,?), ref: 002492A5
ScreenToClient.USER32(?,?), ref: 002492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002492D3
EndPaint.USER32(?,?,?,?,?), ref: 00249321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002871EA

Part of subcall function 00249339: BeginPath.GDI32(00000000), ref: 00249357

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 640916a7307c0f1d6570278dd318e9e6bc334a6d57b529f18bba2b63709c9d42
Instruction ID: 08180f9f00112485a55b3236dac451523f0f7746010f15facd2e3f83069f3558
Opcode Fuzzy Hash: 640916a7307c0f1d6570278dd318e9e6bc334a6d57b529f18bba2b63709c9d42
Instruction Fuzzy Hash: 5D41B031115201AFD721DF24DC98FBB7BA8EF86320F240269F9A8872E1C7709895DB61

Function 002A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002A0847
EnterCriticalSection.KERNEL32(?), ref: 002A0863
LeaveCriticalSection.KERNEL32(?), ref: 002A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002A0921

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 322149481d5dd0837f963b437c6d0cdf44b21aff439f5062b48616e358dcb503
Instruction ID: 5e873f5524986d495cb75bbd8a294359b9afe460d0602a3d8504e0b3a98fe9e0
Opcode Fuzzy Hash: 322149481d5dd0837f963b437c6d0cdf44b21aff439f5062b48616e358dcb503
Instruction Fuzzy Hash: 84419871A10206EFDF04AF54DCC5AAAB7B8FF44300F1440A9ED049A296DB30DE65DFA4

Function 002C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0028F3AB,00000000,?,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 002C824C
EnableWindow.USER32(?,00000000), ref: 002C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002C82D1
ShowWindow.USER32(?,00000004), ref: 002C82E5
EnableWindow.USER32(?,00000001), ref: 002C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002C832F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e7a8ea3145696f22f325513253beb691e550b5d707098501a3dda01bc16a0d74
Instruction ID: be3a7f149071f2e7e4bad2056c3b5f9eade91884a60b4f827781fdb91fd550fa
Opcode Fuzzy Hash: e7a8ea3145696f22f325513253beb691e550b5d707098501a3dda01bc16a0d74
Instruction Fuzzy Hash: 4641A330601685AFDB16CF14DC99FA47BE4FB4A714F1892ADE9084B262CB31A851CB91

Function 00294C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00294C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00294CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00294CEA
_wcslen.LIBCMT ref: 00294D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00294D10
_wcsstr.LIBVCRUNTIME ref: 00294D1A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: cb8bf29b958363578511e831f7ed90617b971754a989d73af9e0fbca57db9362
Instruction ID: 71001f4539d382ab176046ab405708d99568c8f8e479d7682fa3bdf3fb3b21a3
Opcode Fuzzy Hash: cb8bf29b958363578511e831f7ed90617b971754a989d73af9e0fbca57db9362
Instruction Fuzzy Hash: 1621F935614201BBEF196F35AD49E7B7B9CDF85750F20402AF809CA191EA61DC6196A0

Function 002A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

_wcslen.LIBCMT ref: 002A587B
CoInitialize.OLE32(00000000), ref: 002A5995
CoCreateInstance.OLE32(002CFCF8,00000000,00000001,002CFB68,?), ref: 002A59AE
CoUninitialize.OLE32 ref: 002A59CC

Strings

.lnk, xrefs: 002A5876, 002A58C1, 002A5985

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: dd8d0b9982ce82e2bb5e2ca2cede1d30aeb9e9f5ded5b1e2b1a7d92ce31e2d6d
Instruction ID: b867701b535b4e6e2d4bdbf86a82bc6c90dc044bba2e3c037491416fdab4ce3e
Opcode Fuzzy Hash: dd8d0b9982ce82e2bb5e2ca2cede1d30aeb9e9f5ded5b1e2b1a7d92ce31e2d6d
Instruction Fuzzy Hash: 5DD153B56246129FCB14DF24C480A2BBBE1FF8A714F108959F8899B261DB31EC55CF92

Function 0029175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00290FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00290FCA
Part of subcall function 00290FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00290FD6
Part of subcall function 00290FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00290FE5
Part of subcall function 00290FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00290FEC
Part of subcall function 00290FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00291002

GetLengthSid.ADVAPI32(?,00000000,00291335), ref: 002917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002917BA
HeapAlloc.KERNEL32(00000000), ref: 002917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002917DA
GetProcessHeap.KERNEL32(00000000,00000000,00291335), ref: 002917EE
HeapFree.KERNEL32(00000000), ref: 002917F5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d66fbc87cf67acd85eaf7866a20f128639a8dd13230fcc948d51163700925e27
Instruction ID: ebe87f15bbefbee4ebf16028d1e96f65e5f37960a9053e052cf165894bb16a02
Opcode Fuzzy Hash: d66fbc87cf67acd85eaf7866a20f128639a8dd13230fcc948d51163700925e27
Instruction Fuzzy Hash: 3511AC32520207FFDF109FA6DC49FEEBBA9EB45355F244028F4499B220C775A960CB60

Function 002914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00291506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00291515
CloseHandle.KERNEL32(00000004), ref: 00291520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00291563

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 69147b6f83cb1808dd63866752fbf1ded10ceafa6b2df5283f24d179641916ba
Instruction ID: 38a905f07f522ef927e4f0d8a04e4d903439b149fb89803dbd9222749bbacf73
Opcode Fuzzy Hash: 69147b6f83cb1808dd63866752fbf1ded10ceafa6b2df5283f24d179641916ba
Instruction Fuzzy Hash: 8A11567250020AABDF119FA8ED49FDE7BA9FF48744F154024FA09A2060C375CE65DB60

Function 00253382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00253379,00252FE5), ref: 00253390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0025339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002533B7
SetLastError.KERNEL32(00000000,?,00253379,00252FE5), ref: 00253409

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 001817113cb7dec6823e53dae8836f1b2e2404ab0103438f18c6b7feaf148a15
Instruction ID: 8917b467068fbe00156140e52899f901ad3a4fc76561e43559363fec59ed84ba
Opcode Fuzzy Hash: 001817113cb7dec6823e53dae8836f1b2e2404ab0103438f18c6b7feaf148a15
Instruction Fuzzy Hash: 9801D232629316BAA6156B747D899B62A98DB053FB330123DFC10851F0EE314D2A998C

Function 00262D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00265686,00273CD6,?,00000000,?,00265B6A,?,?,?,?,?,0025E6D1,?,002F8A48), ref: 00262D78
_free.LIBCMT ref: 00262DAB
_free.LIBCMT ref: 00262DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0025E6D1,?,002F8A48,00000010,00234F4A,?,?,00000000,00273CD6), ref: 00262DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0025E6D1,?,002F8A48,00000010,00234F4A,?,?,00000000,00273CD6), ref: 00262DEC
_abort.LIBCMT ref: 00262DF2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 47158ac079d99c401c98102f2c466e3a4e534bd70c1e77d51a3cd2a625b8ccaf
Instruction ID: bacc1b8d09d0268237f0493ad60277d11cca4d912c12fddd6b71d1f25f3c1795
Opcode Fuzzy Hash: 47158ac079d99c401c98102f2c466e3a4e534bd70c1e77d51a3cd2a625b8ccaf
Instruction Fuzzy Hash: EAF0A931525E02E7C2126734BC1AE5F1559ABC27A1F350424F828931D5DE248CF94560

Function 002C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00249639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496A2
Part of subcall function 00249639: BeginPath.GDI32(?), ref: 002496B9
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002C8A70
LineTo.GDI32(?,00000000,00000003), ref: 002C8A80
EndPath.GDI32(?), ref: 002C8A90
StrokePath.GDI32(?), ref: 002C8AA0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9c0973215965e7449f83e960df1a03407a2a711f64b87d1278af200b02abd910
Instruction ID: a86a549629a41d32c49267950017110fd903b55535b8ef91279134e52aecd4cd
Opcode Fuzzy Hash: 9c0973215965e7449f83e960df1a03407a2a711f64b87d1278af200b02abd910
Instruction Fuzzy Hash: F3110576400149FFEB129F90EC88FAA7F6CEB08350F148026FA599A1A1C7719D65DFA0

Function 002951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00295218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00295229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00295230
ReleaseDC.USER32(00000000,00000000), ref: 00295238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0029524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00295261

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: badb4352d5eba7b8e9177e7ac3537d01b689313dd24d56949b5e7fb0fd98efa3
Instruction ID: 0a2dde004cb1f7988f28320f3f525cdcea6587d728099eca3bdf9b2ed22b597d
Opcode Fuzzy Hash: badb4352d5eba7b8e9177e7ac3537d01b689313dd24d56949b5e7fb0fd98efa3
Instruction Fuzzy Hash: 22014475E01715BBEF105FA59D49E5EBFB8EF44751F144065FA08A7281D6709C10CF60

Function 00231BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00231BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00231BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00231C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00231C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00231C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00231C22

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 496e3a368edca2f58a1b83e389f28a3344bf0b19145d5e4654ce359cc2d2a205
Instruction ID: 720b773d93786106ccb6c22f59ad866b8cd23f9713b5cbe552734403a5dd309a
Opcode Fuzzy Hash: 496e3a368edca2f58a1b83e389f28a3344bf0b19145d5e4654ce359cc2d2a205
Instruction Fuzzy Hash: 3A0167B0902B5ABDE3008F6A8C85B52FFA8FF59354F10411BE15C4BA42C7F5A864CBE5

Function 0029EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0029EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0029EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0029EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB75

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ecbeacf76bbb350ca5cc8976fdbe4f4e46f766af933d9626db5a5a597eb7251f
Instruction ID: 9e852df6800361dec50cca12fd1ff59a65123cab493d65e0ad3550ae68949bb0
Opcode Fuzzy Hash: ecbeacf76bbb350ca5cc8976fdbe4f4e46f766af933d9626db5a5a597eb7251f
Instruction Fuzzy Hash: 64F03A72640558BBE7215B63AD0EEEF3A7CEFCAB15F200158F609D1091D7A05A01C6B5

Function 00287439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00287452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00287469
GetWindowDC.USER32(?), ref: 00287475
GetPixel.GDI32(00000000,?,?), ref: 00287484
ReleaseDC.USER32(?,00000000), ref: 00287496
GetSysColor.USER32(00000005), ref: 002874B0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93b612dd446c5af26d088cb38153f3b15f0063757836cd97baa2b1ebe0a27f2d
Instruction ID: 88c904beeae2aa3666ebef704a4d2fe9d9f1fb283a220f714913e998c1ef0ab1
Opcode Fuzzy Hash: 93b612dd446c5af26d088cb38153f3b15f0063757836cd97baa2b1ebe0a27f2d
Instruction Fuzzy Hash: A6014B35410215EFDB51AFA4ED0CFAA7BB9FB04311F750164F929A21A1CB711E62EB50

Function 00291874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0029187F
UnloadUserProfile.USERENV(?,?), ref: 0029188B
CloseHandle.KERNEL32(?), ref: 00291894
CloseHandle.KERNEL32(?), ref: 0029189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002918A5
HeapFree.KERNEL32(00000000), ref: 002918AC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f0affb64e2e3217b6bfc1734ec3556a1698ea3c6ac0a8ca5b76fe5988853af8b
Instruction ID: 2dec979c6c6ff1d832587e02f26dc863e67c3cadddf8d16dbd7550b360ee5c5e
Opcode Fuzzy Hash: f0affb64e2e3217b6bfc1734ec3556a1698ea3c6ac0a8ca5b76fe5988853af8b
Instruction Fuzzy Hash: DEE0E536404501BBDB016FA2FD0CD0ABF39FF49B22B208220F22D81470CB729420DF50

Function 0023BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0023BEB3

Strings

D%0, xrefs: 0023BCA2
D%0, xrefs: 0023BE9A
D%0D%0, xrefs: 0023BCA5
D%0, xrefs: 0023BDED, 0023BD91, 0023BD1B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%0$D%0$D%0$D%0D%0
API String ID: 1385522511-516430114
Opcode ID: 8e078e5a989ad2f704bb591b03d5f5988be88284119ff9a75bc779b4861827ab
Instruction ID: 25d44792c914e1a91cafa3c2e42e1b40bded772cfafa14f159e6638937e1eae4
Opcode Fuzzy Hash: 8e078e5a989ad2f704bb591b03d5f5988be88284119ff9a75bc779b4861827ab
Instruction Fuzzy Hash: 07918CB5A2020ACFCB29CF59C4A06AAB7F1FF59310F20456ADA45AB350D731ED91CF90

Function 002B7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00250242: EnterCriticalSection.KERNEL32(0030070C,00301884,?,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025024D
Part of subcall function 00250242: LeaveCriticalSection.KERNEL32(0030070C,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025028A

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

__Init_thread_footer.LIBCMT ref: 002B7BFB

Part of subcall function 002501F8: EnterCriticalSection.KERNEL32(0030070C,?,?,00248747,00302514), ref: 00250202
Part of subcall function 002501F8: LeaveCriticalSection.KERNEL32(0030070C,?,00248747,00302514), ref: 00250235

Strings

G, xrefs: 002B7C7F
5, xrefs: 002B7C78
Variable must be of type 'Object'., xrefs: 002B7C3A
+T(, xrefs: 002B7E2E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T($5$G$Variable must be of type 'Object'.
API String ID: 535116098-2278887451
Opcode ID: 2a20aa8a0274c267dbda658ed4464e16599809d5eec65e3269c0cf5dad8bc3b6
Instruction ID: 94f790ebc992e0cedf186656a847e92cd327e58782158815a24c073876b2b291
Opcode Fuzzy Hash: 2a20aa8a0274c267dbda658ed4464e16599809d5eec65e3269c0cf5dad8bc3b6
Instruction Fuzzy Hash: 22918C74A2420AAFCB14EF54C891DEDB7B1FF89380F508059F8069B292DB71AE61CF51

Function 0029C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0029C6EE
_wcslen.LIBCMT ref: 0029C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0029C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0029C7CA

Strings

0, xrefs: 0029C6AF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 45d75a48d037c3a35701cbabb4090c2595a2250b457ab26d1a1ba05e3bbab3bd
Instruction ID: 377206f910ec621f5bb321d6d8af6fcbf360e6d6142812d27a293969056b6329
Opcode Fuzzy Hash: 45d75a48d037c3a35701cbabb4090c2595a2250b457ab26d1a1ba05e3bbab3bd
Instruction Fuzzy Hash: 9851CF716343029BDB159F68C885AABB7ECAF89310F240A2DF995E21D0DB70D924CF52

Function 002BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 002BAEA3

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

GetProcessId.KERNEL32(00000000), ref: 002BAF38
CloseHandle.KERNEL32(00000000), ref: 002BAF67

Strings

@, xrefs: 002BAE72
<, xrefs: 002BAE6B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f737198d19bdae5b221fc364cac58040f6e40d78af90928b1dd7eaa0862e18a6
Instruction ID: 282bf95f2fc7cb7ada2161ece7fafb7530898c59b6512c60300dda51105783b6
Opcode Fuzzy Hash: f737198d19bdae5b221fc364cac58040f6e40d78af90928b1dd7eaa0862e18a6
Instruction Fuzzy Hash: 877166B1A20219DFCF14DF54C484A9EBBF0AF08310F0484A9E856AB7A2C771ED55CF91

Function 0029719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00297206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0029723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0029724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002972CF

Strings

DllGetClassObject, xrefs: 00297242

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 64319052be32d86b41b095eb6d73ac530bee4c12c796c4e1958923ad584b64bc
Instruction ID: 014a79ffa5d60da097689cf0f072f32dd33bdc2bb0aea8d1047c05eb28dbb885
Opcode Fuzzy Hash: 64319052be32d86b41b095eb6d73ac530bee4c12c796c4e1958923ad584b64bc
Instruction Fuzzy Hash: 68416D71A34204EFDF15CF54C884A9A7BB9EF45710F2580AEBD099F20AD7B0D954CBA0

Function 002C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C3E35
IsMenu.USER32(?), ref: 002C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002C3E92
DrawMenuBar.USER32 ref: 002C3EA5

Strings

0, xrefs: 002C3D89

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0eef3a5e4b086b6b056db2688762fb5efc0cc49943aea70b4191669a11d1da43
Instruction ID: 04dde4642ecdcd57486fb7a0d5ed7273cb49c23775cac8128691153077e9f4ac
Opcode Fuzzy Hash: 0eef3a5e4b086b6b056db2688762fb5efc0cc49943aea70b4191669a11d1da43
Instruction Fuzzy Hash: D0414C75A2120AEFDB10DF50D884E9ABBB9FF49354F04862DF905A7250D730AE65CFA0

Function 00291DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00291E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00291E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00291EA9

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Strings

ComboBox, xrefs: 00291DF0
ListBox, xrefs: 00291E25

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: afe04b055c950ffbf6caac1f26d2f97c19660da76de37d50747054b2f668dbeb
Instruction ID: dcf7b58266f9b3ca50752ac2929456da8008eb390a54445dc48b98757cb12c7e
Opcode Fuzzy Hash: afe04b055c950ffbf6caac1f26d2f97c19660da76de37d50747054b2f668dbeb
Instruction Fuzzy Hash: 4A2123B1A20105BADF18AF61DD4ACFFB7B8DF86350F204129F865A31E0DB7449398A20

Function 002C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002C2F8D
LoadLibraryW.KERNEL32(?), ref: 002C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002C2FA9
DestroyWindow.USER32(?), ref: 002C2FB1

Strings

SysAnimate32, xrefs: 002C2F68

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 337c848400b7574498900ea7356fcd6609001a662b3003dbcac7f7ab844f6706
Instruction ID: 686771e04a8299ddc1c0f21165a1c6e4b10e60693d6e5168f9d381f5dd52682e
Opcode Fuzzy Hash: 337c848400b7574498900ea7356fcd6609001a662b3003dbcac7f7ab844f6706
Instruction Fuzzy Hash: 6921B87122020AEBEB218E649C84FBB77BDEB59364F20532CFA1092590CA71DC659B60

Function 00254D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00254D1E,002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002), ref: 00254D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00254DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00254D1E,002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000), ref: 00254DC3

Strings

mscoree.dll, xrefs: 00254D86
CorExitProcess, xrefs: 00254D98

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 30725583af854da0be868b5f0267d88811ee2fcfed0cfe1d9666725e66aad7ab
Instruction ID: 52666f5831810a4edaaf2bb347e407471906e0b509d9314b311f61efbc0f4bca
Opcode Fuzzy Hash: 30725583af854da0be868b5f0267d88811ee2fcfed0cfe1d9666725e66aad7ab
Instruction Fuzzy Hash: 6DF0A430550208BBEB155F90EC4DFADBFB4EF04752F1400A4FC09A2260CB705D94CE94

Function 0028D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0028D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0028D3BF
FreeLibrary.KERNEL32(00000000), ref: 0028D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0028D3B9
X64, xrefs: 0028D2A8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d723ab51c25020bf7a4662725db942792601a4e4267892c6c1a9dc5dc12f7d4e
Instruction ID: 23d28a11ac314bc392d4ac0e420d793950256730d67bc92103c13afdc9ef6928
Opcode Fuzzy Hash: d723ab51c25020bf7a4662725db942792601a4e4267892c6c1a9dc5dc12f7d4e
Instruction Fuzzy Hash: F2F0EC3D8775129BE7753B115C5CD69B3149F11702F644595FC09E20CADBE0CD788B92

Function 00234E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00234EAE
FreeLibrary.KERNEL32(00000000,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EC0

Strings

kernel32.dll, xrefs: 00234E94
Wow64DisableWow64FsRedirection, xrefs: 00234EA8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 659ac164e86cd06ee3b6b31557bc28fb2363b816a7a6112b5edbd11699e0532b
Instruction ID: df29adebf11b95ba644a432460518ed73e06045474c12224295ffbc2b21496c4
Opcode Fuzzy Hash: 659ac164e86cd06ee3b6b31557bc28fb2363b816a7a6112b5edbd11699e0532b
Instruction Fuzzy Hash: FFE0CD75E115235BD2322F267C1CF6FA554AFC2F62F190155FD0CD2110DBA0DD1280B0

Function 00234E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00234E74
FreeLibrary.KERNEL32(00000000,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00234E6E
kernel32.dll, xrefs: 00234E5B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fe5c235a0038d3f70c8e8cf946f800422240b8f2063b7f19d61a73b467d519df
Instruction ID: 29e00cc22235481515cc66b192798c18e614346b050dfa8246c4cb4c9302c2fe
Opcode Fuzzy Hash: fe5c235a0038d3f70c8e8cf946f800422240b8f2063b7f19d61a73b467d519df
Instruction Fuzzy Hash: 98D02B329226335746322F26BC1CE8F6A18AF86F513190264F90CE2110CFA0CD22C1E0

Function 002A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2C05
DeleteFileW.KERNEL32(?), ref: 002A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2CC0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 45618f807606706ecb751aa3b47ebd35fd93d5c288c3ab19220589370d2c1fa8
Instruction ID: 131f3e9e158ec05525132110298bb7b98babed79a214746b219afc71d533c4ea
Opcode Fuzzy Hash: 45618f807606706ecb751aa3b47ebd35fd93d5c288c3ab19220589370d2c1fa8
Instruction Fuzzy Hash: 38B17071D20129EBDF25DFA4CC85EDEB77DEF49350F1040A6FA09E6141EA309A588F61

Function 002BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 002BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002BA468
CloseHandle.KERNEL32(?), ref: 002BA63D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d84f54496e5d353afd0f6e73bdfb2b9f901c0ee24349b23549f1d999c2e5bb65
Instruction ID: 7b2d088d22078c0bc369a7ca40ae22ea914543e8f79ff7207d6737379a5300e4
Opcode Fuzzy Hash: d84f54496e5d353afd0f6e73bdfb2b9f901c0ee24349b23549f1d999c2e5bb65
Instruction Fuzzy Hash: 57A1B1B1614301AFD720DF24D886F2AB7E5AF84714F14885DF69A9B292D7B0EC518F82

Function 0026BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002D3700), ref: 0026BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0030121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0026BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00301270,000000FF,?,0000003F,00000000,?), ref: 0026BC36
_free.LIBCMT ref: 0026BB7F

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026BD4B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c3b38f8e2091a16abae1bb024f87a0b6c368a7b5402d1c5a26af97c32a3f888a
Instruction ID: 55c94ed66fb64999d00bb84bba43505faa0881b39c59387fde59bdbf5c353a64
Opcode Fuzzy Hash: c3b38f8e2091a16abae1bb024f87a0b6c368a7b5402d1c5a26af97c32a3f888a
Instruction Fuzzy Hash: 5A51C671910209EFCB16EF699C819AEB7BCEF40360F10466BE554D7291EB709EE18B50

Function 0029E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0029CF22,?), ref: 0029DDFD

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0029CF22,?), ref: 0029DE16

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

lstrcmpiW.KERNEL32(?,?), ref: 0029E473
MoveFileW.KERNEL32(?,?), ref: 0029E4AC
_wcslen.LIBCMT ref: 0029E5EB
_wcslen.LIBCMT ref: 0029E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0029E650

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 09f60305cf2f5ac1d76f4eb5eb9587ce89751d76ee22d4bde89774043b758dcf
Instruction ID: 1a695b1d585157023a2f42ede863791604d64ed03019b70cb6595b909ce5dfad
Opcode Fuzzy Hash: 09f60305cf2f5ac1d76f4eb5eb9587ce89751d76ee22d4bde89774043b758dcf
Instruction Fuzzy Hash: 695164B24183459BCB24EB90D8819DFB3DCAF85340F10491EF689D3191EF74A598CB66

Function 002BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002BBB63
RegCloseKey.ADVAPI32(?,?), ref: 002BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 002BBBB3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0b14d325da5dfc3bb5144b50a5d0428dee34c73cc1ccb3761d7bf442d0209c87
Instruction ID: c6798a20778389128b7bed6890bbe4c275eb143d7c05bda79c01c83caf069b57
Opcode Fuzzy Hash: 0b14d325da5dfc3bb5144b50a5d0428dee34c73cc1ccb3761d7bf442d0209c87
Instruction Fuzzy Hash: E361D171228241AFC715DF14C890E6ABBE5FF84348F14895CF4998B2A2CB71ED55CF92

Function 00298BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00298BCD
VariantClear.OLEAUT32 ref: 00298C3E
VariantClear.OLEAUT32 ref: 00298C9D
VariantClear.OLEAUT32(?), ref: 00298D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00298D3B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7c7c255a46d5ceb944696a0ef1afadeb86cd7289614f6fcdf811b8012ffc5ebf
Instruction ID: 8ff3e6e2d3618276ce7ef7ae093abad453a2627f303239b870381f4b9ff2c786
Opcode Fuzzy Hash: 7c7c255a46d5ceb944696a0ef1afadeb86cd7289614f6fcdf811b8012ffc5ebf
Instruction Fuzzy Hash: D6515CB5A10219EFCB14CF68D894EAAB7F8FF89314B158559E909DB350E730E911CFA0

Function 002A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002A8C5F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a3ef10596c9d3787516e6df75bc8a9538b247df4aa882e89a912aab21997261b
Instruction ID: b5ace39883e4f5f1d657ff4687810f879ccb28f2fd39ed6ead848dc0b3318b3f
Opcode Fuzzy Hash: a3ef10596c9d3787516e6df75bc8a9538b247df4aa882e89a912aab21997261b
Instruction Fuzzy Hash: F7513975A10219AFCB19DF65C880A69BBF5FF49314F088459E849AB362CB31ED61CF90

Function 002B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 002B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 002B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 002B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 002B9032
FreeLibrary.KERNEL32(00000000), ref: 002B9052

Part of subcall function 0024F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002A1043,?,75C0E610), ref: 0024F6E6
Part of subcall function 0024F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0028FA64,00000000,00000000,?,?,002A1043,?,75C0E610,?,0028FA64), ref: 0024F70D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 64bc950d27ece34368cdaea24504ba7d6af9fa2d573fbcc767e51ebabac16079
Instruction ID: 5d672f0a0ab3d630b055d6b5dfa9f48af3e7ce177e598560f7afddccd82b7966
Opcode Fuzzy Hash: 64bc950d27ece34368cdaea24504ba7d6af9fa2d573fbcc767e51ebabac16079
Instruction Fuzzy Hash: 94516874610205DFCB05EF68C4848ADBBB1FF49354F5880A8E90A9B762DB31ED96CF90

Function 002C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 002C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002AAB79,00000000,00000000), ref: 002C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002C6CC7

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: dc158990d6de0ca3b0737f1aa8818463d8bc37f209a8da941f497deedd3f8e07
Instruction ID: 0f466ddfa86eecb3af0b43396a43140dc1dd3826846874fffb8676ba69184592
Opcode Fuzzy Hash: dc158990d6de0ca3b0737f1aa8818463d8bc37f209a8da941f497deedd3f8e07
Instruction Fuzzy Hash: 0741F935624105AFD724CF28CD5CFA97BA9EB49350F14032EF899A72E1C371EE61CA80

Function 00262051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002620C3
_free.LIBCMT ref: 002620E3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 410e23f62f0ac1c6c6e36e631e0154fb45fef211cdc37bb3f81e985858b0a4a7
Instruction ID: 8d1a3b5d4e16143f0e430e8f84d09e1e45c0a81140e3613029fa1d4fdf33ec88
Opcode Fuzzy Hash: 410e23f62f0ac1c6c6e36e631e0154fb45fef211cdc37bb3f81e985858b0a4a7
Instruction Fuzzy Hash: C3410332A10604DFCB24DF78C980A6DB3F5EF89314F2545A8EA15EB392DB31AD55CB80

Function 0024912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00249141
ScreenToClient.USER32(00000000,?), ref: 0024915E
GetAsyncKeyState.USER32(00000001), ref: 00249183
GetAsyncKeyState.USER32(00000002), ref: 0024919D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8c0fa64402c7a410dbfad666dc83af9fdfa8036adcf8963ddab7e971995b7e66
Instruction ID: 32cfad460269dd1630c82b82ba6f48db6cdf0735d8006d7ae4a2bdd21346ba17
Opcode Fuzzy Hash: 8c0fa64402c7a410dbfad666dc83af9fdfa8036adcf8963ddab7e971995b7e66
Instruction Fuzzy Hash: 2C414F3591851BEBDF19AF64C848BEEB774FB05320F20431AE42DA62D0C770A9A4DF51

Function 002A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 002A3922
TranslateMessage.USER32(?), ref: 002A394B
DispatchMessageW.USER32(?), ref: 002A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A3966

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: daca7b4345f1de7c7f8cc2585572539acd78dca90a71e2112b21c123c98a4204
Instruction ID: b822dd86db5dfee22c7f2edab1270dc7599488b36d8bafaca0dc80b15786a8f6
Opcode Fuzzy Hash: daca7b4345f1de7c7f8cc2585572539acd78dca90a71e2112b21c123c98a4204
Instruction Fuzzy Hash: 7931BF709253439FEB26CF349858BB777ACAB07304F14456AF466821A0EBF49A94CB11

Function 002ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,002AC21E,00000000), ref: 002ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 002ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFF2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 039a453041ac412d9323552576340e2ede4f5a04220f8e75862456d981781a94
Instruction ID: e82e7ec4222f8d8c4e277a01b05a994445ece41fb342aab7285e7c2a1715e921
Opcode Fuzzy Hash: 039a453041ac412d9323552576340e2ede4f5a04220f8e75862456d981781a94
Instruction Fuzzy Hash: 6E318071520206EFDB24DFA5D984DABBBF9EB05310B20442FF50AD2910DB30AD51DF60

Function 00291901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00291915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002919E2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c2d98f0f6ebc483fcacaae8e2962c8715a25c63f37cd12ce95b713c9de3872f2
Instruction ID: 344d90a5539da50d9d9f1c9e86eaaf65d97974e21516324dbdd29076ac314efb
Opcode Fuzzy Hash: c2d98f0f6ebc483fcacaae8e2962c8715a25c63f37cd12ce95b713c9de3872f2
Instruction Fuzzy Hash: 6631DF71A1021AEFEF04CFA9DD99ADE3BB5EB44314F104229F925A72D0C3B09964CB90

Function 002C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002C579D
_wcslen.LIBCMT ref: 002C57AF
_wcslen.LIBCMT ref: 002C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C5816

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: cf837cdc472638104700558380a7c5d47078efae9eab52cd33821bba46edf283
Instruction ID: 21c427a974eb6d1c169e85c1b7da43110370335ec1ba9959a149f768761d8e4d
Opcode Fuzzy Hash: cf837cdc472638104700558380a7c5d47078efae9eab52cd33821bba46edf283
Instruction Fuzzy Hash: D22181319246299ADB209F60CC85FEEB7BCFF44324F10835AE919AA180D770E9D5CF50

Function 002B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002B0951
GetForegroundWindow.USER32 ref: 002B0968
GetDC.USER32(00000000), ref: 002B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 002B09B0
ReleaseDC.USER32(00000000,00000003), ref: 002B09E8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5cedfc6031937bacd76a7523b36f8973bb58d405349f42c223fb267da1c1dd90
Instruction ID: 7f57d25fe871886756bfe3694120d68b1a4fc381f0caa3a535f1c0a9d202ddda
Opcode Fuzzy Hash: 5cedfc6031937bacd76a7523b36f8973bb58d405349f42c223fb267da1c1dd90
Instruction Fuzzy Hash: 15218E75A10204AFD704EF65D988EAEBBE9EF49740F148069E94AA7762CB70AC14CF50

Function 0026CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0026CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0026CDE9

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0026CE0F
_free.LIBCMT ref: 0026CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0026CE31

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 69f466ddfd76f30b5e6e3c8081214183a1843d33a93620cf02046cb823f4097d
Instruction ID: bdeca72755a82c2dca176748b8dd1c38126ecc6225b3739299ba7e2b984a951a
Opcode Fuzzy Hash: 69f466ddfd76f30b5e6e3c8081214183a1843d33a93620cf02046cb823f4097d
Instruction Fuzzy Hash: AA01D872A222157F23212AB67C8CC7B797DDEC6FA13350129F909C7200DA668D6181B0

Function 00249639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
SelectObject.GDI32(?,00000000), ref: 002496A2
BeginPath.GDI32(?), ref: 002496B9
SelectObject.GDI32(?,00000000), ref: 002496E2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e47cb5fc9d860a4897444679b7e19b9763dc2fd4fdcd2336ad14dd0e6c53281b
Instruction ID: 6cd80007735063f8a0b1f7deb27732dcc509af3f8ae38ae1a6c1313530a67494
Opcode Fuzzy Hash: e47cb5fc9d860a4897444679b7e19b9763dc2fd4fdcd2336ad14dd0e6c53281b
Instruction Fuzzy Hash: C9218331823306EFDB129F25EC28BAB3B6CBB50325F210216F414A61B0D3B098A1CFD0

Function 00295711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00295726
_memcmp.LIBVCRUNTIME ref: 00295744
_memcmp.LIBVCRUNTIME ref: 00295757
_memcmp.LIBVCRUNTIME ref: 0029576F
_memcmp.LIBVCRUNTIME ref: 00295787

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 09e0e56edceea3358d7ebca57427a4b363c8c6ab63139099cdaa412e59245ed4
Instruction ID: 27990b98710a8ccedf8b86f01f12de682f6d7be8011c478641ea92090e9c0dea
Opcode Fuzzy Hash: 09e0e56edceea3358d7ebca57427a4b363c8c6ab63139099cdaa412e59245ed4
Instruction Fuzzy Hash: 2801F9613B1615BBDA099A509E92FFBB35D9B21395F004025FD049A241F770EF34C7A4

Function 00262DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6), ref: 00262DFD
_free.LIBCMT ref: 00262E32
_free.LIBCMT ref: 00262E59
SetLastError.KERNEL32(00000000,00231129), ref: 00262E66
SetLastError.KERNEL32(00000000,00231129), ref: 00262E6F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 55c2b026a85e2c8a168d82cc60cea124494954d6c56bc354d308f3f6b1d628ed
Instruction ID: f3dde305bfebd435cc9aefca0091169f1ce2346658b9431c5500b7bbe58f2750
Opcode Fuzzy Hash: 55c2b026a85e2c8a168d82cc60cea124494954d6c56bc354d308f3f6b1d628ed
Instruction Fuzzy Hash: C601F436675E01E7C6126B347D49D2B265DABD13B5B350038F829A32D3EB729CB94520

Function 0029000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?,?,0029035E), ref: 0029002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?), ref: 00290064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290070

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1ca62d21482997f69f0175069803eb2e4b79e1c7c45e4c013e3c14f418888b72
Instruction ID: abeb4ff34e47efc7dac7176118ac7ac5c0a92e6e2d51d6c741ed5502eb2c0780
Opcode Fuzzy Hash: 1ca62d21482997f69f0175069803eb2e4b79e1c7c45e4c013e3c14f418888b72
Instruction Fuzzy Hash: 2D01A272610219BFDF118F68EC88FAE7AEDEF44751F244224F909D2210D771DD508BA0

Function 0029E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0029E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0029E9A5
Sleep.KERNEL32(00000000), ref: 0029E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0029E9B7
Sleep.KERNEL32 ref: 0029E9F3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b74e412bf290d09d5ff8c824d6b0ba4e1d27d90c184b91ac6e0ef7eebccc42d9
Instruction ID: bafaf835af2fc2f84eb9b08d97bc3ffe351566b6766a3f1e05ee48968ad6e67e
Opcode Fuzzy Hash: b74e412bf290d09d5ff8c824d6b0ba4e1d27d90c184b91ac6e0ef7eebccc42d9
Instruction Fuzzy Hash: 0F015B31C11529DBDF00DFE5EC5DADDBB78FB08300F160566E906B2141CB7099648BA2

Function 002910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e29d9d21da8b2b91b1ebba195dc8504529be328ed2fcf65fa74357525c314b9e
Instruction ID: 602036d135828a943b5245f60bf180dfbdeddcc417c1c9056c1db27330b5d1ae
Opcode Fuzzy Hash: e29d9d21da8b2b91b1ebba195dc8504529be328ed2fcf65fa74357525c314b9e
Instruction Fuzzy Hash: CE013C75200206BFDB114FA6EC4DE6A3F6EEF893A0B244429FA49D7360DB71DC119B60

Function 00290FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00290FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00290FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00290FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00290FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00291002

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56736c0dc05d703c7819aeef278ccd2e09b23ad97352397b474608d253bfd160
Instruction ID: b440c6081c14eeb163b338675b0f24085d416b325fee6d623da40c9286110ca8
Opcode Fuzzy Hash: 56736c0dc05d703c7819aeef278ccd2e09b23ad97352397b474608d253bfd160
Instruction Fuzzy Hash: E2F04935200312ABDB215FA6AC4DF563BADFF89762F244424FE49C7251CA71DC60CA60

Function 00291014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0029102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00291036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0029104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291062

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee14416dace6df5a4e9933e14e17262406faa0be724a8ba1b08fa8f84dd2e213
Instruction ID: 26d6d134ba09a8e72a07b9454aa7eafa4fe8d3e7b26cc9e65681e1fd14ca742a
Opcode Fuzzy Hash: ee14416dace6df5a4e9933e14e17262406faa0be724a8ba1b08fa8f84dd2e213
Instruction Fuzzy Hash: E8F06D35200312EBDB215FA6FC4DF563BADFF897A1F240424FE49C7250CA71D8608A60

Function 002A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0324
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0331
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A033E
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A034B
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0358
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0365

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 65c82bd68f68cac5b208ae8cf67ed5104f5c885cb75ae9ea271dbf3e8d9acdb4
Instruction ID: d274f8cf2ae4c6d7f0370228d58b454c07245881a1138d4ef88711f5e56ce667
Opcode Fuzzy Hash: 65c82bd68f68cac5b208ae8cf67ed5104f5c885cb75ae9ea271dbf3e8d9acdb4
Instruction Fuzzy Hash: DC01EE72810B028FCB30AF66D8C0806FBF9BF613053148A7FD19652930CBB1A968CF80

Function 0026D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0026D752

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026D764
_free.LIBCMT ref: 0026D776
_free.LIBCMT ref: 0026D788
_free.LIBCMT ref: 0026D79A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a33f1093118ed711551cf714140daf7b6fbd17c095ff149a697f7cb351ff75b
Instruction ID: 5a2d5c3c489e3d821d0fd8f900cc30ff8ebcee2d2cd0ab42c45e63f77500d937
Opcode Fuzzy Hash: 1a33f1093118ed711551cf714140daf7b6fbd17c095ff149a697f7cb351ff75b
Instruction Fuzzy Hash: 6DF0FF32B6560DEB8626EF64FAC5C26B7DDBB447A0BB41815F048D7501CB20FCD4CA65

Function 00295C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00295C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00295C6F
MessageBeep.USER32(00000000), ref: 00295C87
KillTimer.USER32(?,0000040A), ref: 00295CA3
EndDialog.USER32(?,00000001), ref: 00295CBD

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4652fb26c547cb44d3d92e9ea65d5bccface5e52c80c8de05ad8adea644b87d
Instruction ID: 81ae79c6d07639558c6e3d356d21ba19ab03c43a96e71b307acfea0fdaca05c8
Opcode Fuzzy Hash: e4652fb26c547cb44d3d92e9ea65d5bccface5e52c80c8de05ad8adea644b87d
Instruction Fuzzy Hash: 9E018670610B14ABEF215F10EE4EFA677BCBB00B05F10055AF687A15E1DBF4A9948F90

Function 002622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002622BE

Part of subcall function 002629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 002622D0
_free.LIBCMT ref: 002622E3
_free.LIBCMT ref: 002622F4
_free.LIBCMT ref: 00262305

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a3077b1315ab9b5e9e5267c76f66f35561a7286f7a81840b27c29e791a40afff
Instruction ID: cd8cc27a8284aa2f1dec19698c854d67e42a0022417f906c0c17839962a54690
Opcode Fuzzy Hash: a3077b1315ab9b5e9e5267c76f66f35561a7286f7a81840b27c29e791a40afff
Instruction Fuzzy Hash: B2F030B0523915CBC71BAF54BC21A183BACB7587E1F20151BF410D2271C73004A5AFA5

Function 002495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002495D4
StrokeAndFillPath.GDI32(?,?,002871F7,00000000,?,?,?), ref: 002495F0
SelectObject.GDI32(?,00000000), ref: 00249603
DeleteObject.GDI32 ref: 00249616
StrokePath.GDI32(?), ref: 00249631

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 833a862f816a7ef67f6f90fe7523273282d9fbac8765f75db30fd9b078732231
Instruction ID: 316563803252530d2bbae8aa202d952142dec2056a4231d4e70b48d752fce0ef
Opcode Fuzzy Hash: 833a862f816a7ef67f6f90fe7523273282d9fbac8765f75db30fd9b078732231
Instruction Fuzzy Hash: C4F04F31026605EFDB175F65ED2CB653F69FB00322F248215F469590F0C77089A5DFA0

Function 00260F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002610F9
__freea.LIBCMT ref: 00261117

Part of subcall function 00261537: _free.LIBCMT ref: 0026154F

Strings

a/p, xrefs: 002611DE
am/pm, xrefs: 0026117A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c926153399755918975e42086a23bb3f9d3927c43aacba1890fe017389f128bb
Instruction ID: c210799436bde0f9716835f32f5eb83bc1991aa25cf9399f1501b400b270caef
Opcode Fuzzy Hash: c926153399755918975e42086a23bb3f9d3927c43aacba1890fe017389f128bb
Instruction Fuzzy Hash: 0AD1DF31930206DADB289F68C895BBAB7B1EF06300F2C4199E9069B754D775BDF0CB91

Function 002B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00250242: EnterCriticalSection.KERNEL32(0030070C,00301884,?,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025024D
Part of subcall function 00250242: LeaveCriticalSection.KERNEL32(0030070C,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025028A

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

__Init_thread_footer.LIBCMT ref: 002B6238

Part of subcall function 002501F8: EnterCriticalSection.KERNEL32(0030070C,?,?,00248747,00302514), ref: 00250202
Part of subcall function 002501F8: LeaveCriticalSection.KERNEL32(0030070C,?,00248747,00302514), ref: 00250235

Part of subcall function 002A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002A35E4
Part of subcall function 002A359C: LoadStringW.USER32(00302390,?,00000FFF,?), ref: 002A360A

Strings

x#0, xrefs: 002B6353
x#0, xrefs: 002B633A
x#0, xrefs: 002B636F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#0$x#0$x#0
API String ID: 1072379062-3395092969
Opcode ID: e34a942fcb579963a1767f1a287674ceb48a4405362c3c7ae143e49bc4528276
Instruction ID: d58be9188616cc629a137b03a59dddcb8bc403ff0685cd8a9d5a443d487c9820
Opcode Fuzzy Hash: e34a942fcb579963a1767f1a287674ceb48a4405362c3c7ae143e49bc4528276
Instruction Fuzzy Hash: 29C18B71A20106AFDB24DF98C894EFEB7B9EF48340F148069F9459B291DB74ED64CB90

Function 00265AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO#, xrefs: 00265BA8, 00265C6C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: JO#
API String ID: 0-1472918460
Opcode ID: 8a2662cb33d1a9605149e1dc66fc9e4746e21a1ee528c0956c77401719c0c97d
Instruction ID: 491b436cdd2b087c30679343a2689f36ef9c2299712e968a0a2cf72808beb50a
Opcode Fuzzy Hash: 8a2662cb33d1a9605149e1dc66fc9e4746e21a1ee528c0956c77401719c0c97d
Instruction Fuzzy Hash: 1151D171D3062AAFCB119FA8CD45FAEBBB8EF05314F14005AF805A7291D77199A1CB61

Function 00268A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00268B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00268B7A
__dosmaperr.LIBCMT ref: 00268B81

Strings

.%, xrefs: 00268A63

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .%
API String ID: 2434981716-3802303113
Opcode ID: ee9f40035f7d959e31b6f138896cd0c882936b80c5e01c21d59aed7fe57ffbc5
Instruction ID: fcd49be0c22d3fe51c8856d72cf6b8fae5dee41f9c44faa1ac59f55e21f49af8
Opcode Fuzzy Hash: ee9f40035f7d959e31b6f138896cd0c882936b80c5e01c21d59aed7fe57ffbc5
Instruction Fuzzy Hash: 2E41AEB0624046AFD7259F64D884A797FE5DB45308F2843AAF884C7542DE718CA29790

Function 00292716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0029B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002921D0,?,?,00000034,00000800,?,00000034), ref: 0029B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00292760

Part of subcall function 0029B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0029B3F8

Part of subcall function 0029B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0029B355
Part of subcall function 0029B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00292194,00000034,?,?,00001004,00000000,00000000), ref: 0029B365
Part of subcall function 0029B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00292194,00000034,?,?,00001004,00000000,00000000), ref: 0029B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0029281A

Strings

@, xrefs: 00292832

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e8165d680f46820229151cfd43e4167522e17ff50564a99e02ee53e20935f07b
Instruction ID: 06499286ea2ed812bdc0878fe551330c0f831ace17912812900f7805f820b7b3
Opcode Fuzzy Hash: e8165d680f46820229151cfd43e4167522e17ff50564a99e02ee53e20935f07b
Instruction Fuzzy Hash: B6412972900218BEDF11DFA4DD45EEEBBB8AF09300F104095EA55B7181DA706E99CFA0

Function 0026172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00261769
_free.LIBCMT ref: 00261834
_free.LIBCMT ref: 0026183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00261760, 00261767, 00261796, 002617CE

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 79f4438c2eb639ed2cbf70ba510f77f69b14fba53a609805117579ba590df498
Instruction ID: 87653a854085950a21865b1d5466cf0bb7a05ca49737f143c98d2ce964d31146
Opcode Fuzzy Hash: 79f4438c2eb639ed2cbf70ba510f77f69b14fba53a609805117579ba590df498
Instruction Fuzzy Hash: 08316275A11219EFDB22DF999885D9EBBFCEB85310F184166F804D7211D770AEA0CB90

Function 0029C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0029C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0029C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00301990,014255D0), ref: 0029C395

Strings

0, xrefs: 0029C2DF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9776ca29c830b5cd054fea58f3cc3967bab47774498fffa01195bdaa6555d4b3
Instruction ID: 89c72262328078171aa39d4a72fd4ed86ae271a213927709cd5ae4abdc3ff631
Opcode Fuzzy Hash: 9776ca29c830b5cd054fea58f3cc3967bab47774498fffa01195bdaa6555d4b3
Instruction Fuzzy Hash: 1641E6712143029FDB20DF24D884F1ABBE4EF85310F2086ADF8A5972D1D770E954CB66

Function 002C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002CCC08,00000000,?,?,?,?), ref: 002C44AA
GetWindowLongW.USER32 ref: 002C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C44D7

Strings

SysTreeView32, xrefs: 002C447C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7b77c56725c3e47ca06166abba57de988d667b632fb95c597fa02fa195e53135
Instruction ID: cbadaf5f4b7ffb05e359f2e08665bf9772c2e7f13cde0189f48d051bf983c594
Opcode Fuzzy Hash: 7b77c56725c3e47ca06166abba57de988d667b632fb95c597fa02fa195e53135
Instruction Fuzzy Hash: C231AD31220606AFDB24AE38DC55FEB7BA9EB08334F204329F979921D0D770EC609B50

Function 00296E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00296EED
VariantCopyInd.OLEAUT32(?,?), ref: 00296F08
VariantClear.OLEAUT32(?), ref: 00296F12

Strings

*j), xrefs: 00296E8B, 00296E90, 00296EF8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j)
API String ID: 2173805711-389742949
Opcode ID: f12c9e1d30c4cc2c20b715eaab685d7d7b3f3a516aa4135faa73f818fa8c7b3d
Instruction ID: 886823f48b872f0e6c3141ef6118d3c0dd6ff163f51c6a3af694505db22e2f3e
Opcode Fuzzy Hash: f12c9e1d30c4cc2c20b715eaab685d7d7b3f3a516aa4135faa73f818fa8c7b3d
Instruction Fuzzy Hash: CA3191B2624245DFCF09AFA4E8599BD37B6EF85300F2004A9F9034B6A1C7749936DF90

Function 002B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,002B3077,?,?), ref: 002B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
_wcslen.LIBCMT ref: 002B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 002B3106

Strings

255.255.255.255, xrefs: 002B3095, 002B309A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c6554edb84c7e8b55756f8e1558e96a6de96b4a929ca232d039a1438f97d1622
Instruction ID: e730c4df7675da8833a2decda506046863a99999e10978db60b7018be90c608a
Opcode Fuzzy Hash: c6554edb84c7e8b55756f8e1558e96a6de96b4a929ca232d039a1438f97d1622
Instruction Fuzzy Hash: B03107356202029FCB10DF2CC885EEA77E4EF14398F248559E8158B392DB72DE55CB60

Function 002C3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002C3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002C3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C3F78

Strings

SysMonthCal32, xrefs: 002C3F0B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8c3a79bef6012ed394d73508bca088cdad9220db903e6279f86ff6e9938d0978
Instruction ID: 59bd6f7d553387790b9b259d293839604409d92f7440a3444d5dda96aa21821d
Opcode Fuzzy Hash: 8c3a79bef6012ed394d73508bca088cdad9220db903e6279f86ff6e9938d0978
Instruction Fuzzy Hash: 70219F32620219BBDF25CF50DC46FEA3B79EF48714F114618FA196B1D0D6B5A960CB90

Function 002C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002C471A

Strings

msctls_updown32, xrefs: 002C4684

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: df135df18360ba3c343fae392304d7e72dd4f8105f21e2c4eb89927c5b5147e1
Instruction ID: 49c0e337b21846a9d5d2859374542c72cf16f7e15837137a9d98becfe469c55b
Opcode Fuzzy Hash: df135df18360ba3c343fae392304d7e72dd4f8105f21e2c4eb89927c5b5147e1
Instruction Fuzzy Hash: 362190B5610209AFDB11EF64DCD1DB777ADEB5A394B140159FA049B351CB70EC21CA60

Function 002995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029961D

Strings

#requireadmin, xrefs: 002995D9
#notrayicon, xrefs: 002995B7
#OnAutoItStartRegister, xrefs: 002995F3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2c1095dc5c29a14ad925c79da782f4df7511ad1590b22c88e923abe28bb9eed7
Instruction ID: d97f3b97fb0a1ee1819f0552b229eef73af30fb11220192914dc179762f21cd7
Opcode Fuzzy Hash: 2c1095dc5c29a14ad925c79da782f4df7511ad1590b22c88e923abe28bb9eed7
Instruction Fuzzy Hash: 6C21387223451266DB31AE2C9D02FB7B3AC9FA5320F50402EFE4997041EBA1ADF5C6D5

Function 002C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002C3876

Strings

Listbox, xrefs: 002C380F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 36013d356b9b25e75d4e576479841f4146b6906cdc1ac243ed3373ca4f4b2628
Instruction ID: 78a6d56a28ad791f08b3e7307b1310b6d7b2add7e4b1e6ae6eb87d99589b86bf
Opcode Fuzzy Hash: 36013d356b9b25e75d4e576479841f4146b6906cdc1ac243ed3373ca4f4b2628
Instruction Fuzzy Hash: 91218072620119BBEB11DF54DC85FBB776EEF89750F11C628F9049B190C671DC618BA0

Function 002A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002A4A5C
SetErrorMode.KERNEL32(00000000,?,?,002CCC08), ref: 002A4AD0

Strings

%lu, xrefs: 002A4A6F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: db693f87eabe382b917d116cf5b50b8d5fdb22c8e1642db41dc9d20b9708fce9
Instruction ID: 394a8c9281f968e31bb05470f1b1d79131b44460375dcd3b03a8ac233e09d7c4
Opcode Fuzzy Hash: db693f87eabe382b917d116cf5b50b8d5fdb22c8e1642db41dc9d20b9708fce9
Instruction Fuzzy Hash: 17317371A10109AFDB10DF54C885EAAB7F8EF49308F1480A5F909DB252DB71EE55CF61

Function 002C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002C4271

Strings

msctls_trackbar32, xrefs: 002C4226

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8f1f3cb733f83bb3aeaed599a5128ad03046aed9be7e03e77f75e588ce09e404
Instruction ID: 267c53afb69d20386f33f58984408a363336ba22ed033a0f6d396d659c845163
Opcode Fuzzy Hash: 8f1f3cb733f83bb3aeaed599a5128ad03046aed9be7e03e77f75e588ce09e404
Instruction Fuzzy Hash: 5E110631250208BEEF216F28CC06FAB3BACEF85B54F114228FA55E2090D2B1DC61DB10

Function 00292F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Part of subcall function 00292DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00292DC5
Part of subcall function 00292DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00292DD6
Part of subcall function 00292DA7: GetCurrentThreadId.KERNEL32 ref: 00292DDD
Part of subcall function 00292DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00292DE4

GetFocus.USER32 ref: 00292F78

Part of subcall function 00292DEE: GetParent.USER32(00000000), ref: 00292DF9

GetClassNameW.USER32(?,?,00000100), ref: 00292FC3
EnumChildWindows.USER32(?,0029303B), ref: 00292FEB

Strings

%s%d, xrefs: 00292FFF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4b94e8e53b62809dd829823217d2721a9f773bcd9fdce845e0217a68fe9a2099
Instruction ID: 0d3411d34c4717e628206509dc59e622f5d679dc23fe518c039be966b6d64f70
Opcode Fuzzy Hash: 4b94e8e53b62809dd829823217d2721a9f773bcd9fdce845e0217a68fe9a2099
Instruction Fuzzy Hash: 4311D671610205ABCF14BF709C89EFD776EAF84304F148075FA09AB252DE7099598F70

Function 0029D66A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D682
DeviceIoControl.KERNEL32(00000000,pow,00000007,0000000C,?,0000000C,?,00000000), ref: 0029D6BF
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D6C8

Strings

pow, xrefs: 0029D6B9

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: pow
API String ID: 33631002-2276729525
Opcode ID: 545acf4cb02a1186adf94f4ebd459e806cc71b2086a0506abc0aa1dbc45c6208
Instruction ID: d50fbf2591b4c98b5290096ab1a8af5c0e3228b5bc14cec22d218a8fe5135e6b
Opcode Fuzzy Hash: 545acf4cb02a1186adf94f4ebd459e806cc71b2086a0506abc0aa1dbc45c6208
Instruction Fuzzy Hash: 7D01B1B2D00228BBE7109BA9EC48FAFBABCEB08750F104515B914E7190D2B49A008BF0

Function 002C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002C58EE
DrawMenuBar.USER32(?), ref: 002C58FD

Strings

0, xrefs: 002C588F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ce3fd3835cc61cda5b75e9dbce4fe0444f26d98c6907c52fca2c0124b40a72b0
Instruction ID: 71f196385ad89180751d7a7ec20be3516a22eb2dc7fbd45d50b0f4afaf921037
Opcode Fuzzy Hash: ce3fd3835cc61cda5b75e9dbce4fe0444f26d98c6907c52fca2c0124b40a72b0
Instruction Fuzzy Hash: 9B018E31520228EEDB219F11DC44FAEBBB4FF85361F108099E848D6151DB309AA0DF60

Function 0029007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9b4f538186f0c3e45d2d3c3c54c2d4128999afc7c92d05243de56fbc3e1c89
Instruction ID: 7bfc3806f2123f12c46fab009617f3905ea179f87078602d7354350182d13cd8
Opcode Fuzzy Hash: fc9b4f538186f0c3e45d2d3c3c54c2d4128999afc7c92d05243de56fbc3e1c89
Instruction Fuzzy Hash: 76C17B75A1021AEFDB14CFA4C898EAEB7B5FF48304F208598E905EB251C771ED91CB90

Function 002B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002B3459
CoUninitialize.OLE32 ref: 002B3463
VariantInit.OLEAUT32(?), ref: 002B346E
VariantClear.OLEAUT32(?), ref: 002B371B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: db41bf22b63c2798198f07ab4825f98b6d4ae9575551f68530b49bb72c943434
Instruction ID: 9edd4a551214b6e62e5569473a9915976e7538a0aa471d551390742b05cfcc54
Opcode Fuzzy Hash: db41bf22b63c2798198f07ab4825f98b6d4ae9575551f68530b49bb72c943434
Instruction Fuzzy Hash: A8A179B56243009FCB14DF28C485A6AB7E5FF88754F148859F98A9B362DB30EE11CF91

Function 00290436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002CFC08,?), ref: 002905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002CFC08,?), ref: 00290608
CLSIDFromProgID.OLE32(?,?,00000000,002CCC40,000000FF,?,00000000,00000800,00000000,?,002CFC08,?), ref: 0029062D
_memcmp.LIBVCRUNTIME ref: 0029064E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 106a40b7457066599c2ca1edf8c4d820c321d822516c1b8373253186957d1439
Instruction ID: 087547d1e06024660783c0d0d653eb728e51dc54da48049a595bdc29ed06a090
Opcode Fuzzy Hash: 106a40b7457066599c2ca1edf8c4d820c321d822516c1b8373253186957d1439
Instruction Fuzzy Hash: 0B810971A1010AEFCF04DF94C984EEEB7B9FF89315F204598E516AB250DB71AE16CB60

Function 002BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 002BA6BA

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Process32NextW.KERNEL32(00000000,?), ref: 002BA79C
CloseHandle.KERNEL32(00000000), ref: 002BA7AB

Part of subcall function 0024CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00273303,?), ref: 0024CE8A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9b3184663e4f30f95f0e183098cb2c914fedb12d7d9c38d20dd397bfbad15035
Instruction ID: dc2813d385264a5d9d192f2daf051f13299f3cab2b3560d627eece971dfedcef
Opcode Fuzzy Hash: 9b3184663e4f30f95f0e183098cb2c914fedb12d7d9c38d20dd397bfbad15035
Instruction Fuzzy Hash: 7A516BB1518300AFD710EF24C886A6BBBE8FF89754F00892DF58997261EB70D914CF92

Function 00271391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002714C0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 05cd09bbc7af4bc3658d58b480b7480670cc2b3484c38ea63c3e49dbdfcdfa44
Instruction ID: 7a469469a40b85ef6045679160f1af26db8c784afec493b7c9082b2a11b29f7d
Opcode Fuzzy Hash: 05cd09bbc7af4bc3658d58b480b7480670cc2b3484c38ea63c3e49dbdfcdfa44
Instruction Fuzzy Hash: 8B418072630101ABDB257FFD9C46ABE3AA5EF41370F24C225FC1DD3191EA7448B15A61

Function 002C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002C62E2
ScreenToClient.USER32(?,?), ref: 002C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002C6382

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3067778ce47e126defe018a18cd4692862bdff8ebb13fa7bd5b5927c7b672a8f
Instruction ID: fc88ea823dab4aa737eccec71aed027e285bd7eb064cf1eb253cceabe07f5199
Opcode Fuzzy Hash: 3067778ce47e126defe018a18cd4692862bdff8ebb13fa7bd5b5927c7b672a8f
Instruction Fuzzy Hash: 02514D7091024AEFCB10DF54D988EAE7BB5EF45760F10829DF81597290D730ED51CB90

Function 002B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002B1AFD
WSAGetLastError.WSOCK32 ref: 002B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002B1B8A
WSAGetLastError.WSOCK32 ref: 002B1B94

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 802edfb279602066cdafee6297ad1325f05073c5d5aa4aea54a8dac0e5f39199
Instruction ID: 973ec51e54c5ac0f116e7334b28e798021430419c341d77c3547d0990895fc78
Opcode Fuzzy Hash: 802edfb279602066cdafee6297ad1325f05073c5d5aa4aea54a8dac0e5f39199
Instruction Fuzzy Hash: B841D274610201AFE720AF24C886F6A77E5AB44718F94C44CFA1A9F7D3D772DD628B90

Function 0026B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36da8ea2ecc12751c4f619bb872de1bba8c69939091c108164212440aaefe93
Instruction ID: 924ce84220e32e20e885e96bfd2256c9d6d82e40ec7aeba14a0dd2fd8ac27747
Opcode Fuzzy Hash: b36da8ea2ecc12751c4f619bb872de1bba8c69939091c108164212440aaefe93
Instruction Fuzzy Hash: E8412D71920714BFD725AF38CC41BAABBE9EF88710F10452AF546DB2D1D77199E18B80

Function 002A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002A5783
GetLastError.KERNEL32(?,00000000), ref: 002A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002A57FA

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ae7f67e021b930458594bc2f82e5a3ef0e5fd7273071d29c1714bfe408447bb2
Instruction ID: bfd8f8dc03ff6208831856353e0ab3cdc21992f00aed1b40eb75f750383da418
Opcode Fuzzy Hash: ae7f67e021b930458594bc2f82e5a3ef0e5fd7273071d29c1714bfe408447bb2
Instruction Fuzzy Hash: 82411B79610611DFCF25DF15C444A1ABBE1AF89320F198488EC4A6B362CB34FD51CF91

Function 0026D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00256D71,00000000,00000000,002582D9,?,002582D9,?,00000001,00256D71,?,00000001,002582D9,002582D9), ref: 0026D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0026D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0026D9AB
__freea.LIBCMT ref: 0026D9B4

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 202b46d94498e76fb3d8a14c5842971f21e78ab52d12a1b3ef6cd2a6fda7753f
Instruction ID: 8896b6275a9928c35c989add2f164f90482540b51e7f9742c5c30c6d9634b97a
Opcode Fuzzy Hash: 202b46d94498e76fb3d8a14c5842971f21e78ab52d12a1b3ef6cd2a6fda7753f
Instruction Fuzzy Hash: 5331BE72A2120AABDF24DF65DC85EAF7BA5EF41310B154168FC08D7250EB35DDA4CBA0

Function 002C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002C5352
GetWindowLongW.USER32(?,000000F0), ref: 002C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002C53A8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f98c857a35015883743fadfbcc640f5efcf5dae7626d9ed41c8d46ad632e0112
Instruction ID: 9d7f16dd6a0c5b57201ffb15e1e4f2a661a864ebface169022d71762a7811f22
Opcode Fuzzy Hash: f98c857a35015883743fadfbcc640f5efcf5dae7626d9ed41c8d46ad632e0112
Instruction Fuzzy Hash: D531C134A75AA9AFEB249E14CC15FE87765AB04390F58428AFA10971E1C7B0F9E09B41

Function 0029AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0029ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0029AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0029AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0029ACC6

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d7a3c3018dd1e3b0157b30076673eab7571f55ffd5ff8eb9d10dd07f6f60f261
Instruction ID: 9a405015baed22ac5fe170421def1a79e2ab06d1091278310730c6c3fb5fbeff
Opcode Fuzzy Hash: d7a3c3018dd1e3b0157b30076673eab7571f55ffd5ff8eb9d10dd07f6f60f261
Instruction Fuzzy Hash: A8313930A203196FEF35CF69CC08BFA7BA5AB89321F14471BE4855A1D0C37589A187D2

Function 002C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002C769A
GetWindowRect.USER32(?,?), ref: 002C7710
PtInRect.USER32(?,?,002C8B89), ref: 002C7720
MessageBeep.USER32(00000000), ref: 002C778C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 408ba0596b3f5d5992f38a9280eec37536e3e1629210b2d7506f9fd48b4d3fc2
Instruction ID: 39c8079e676f8652fb63695cefd5fe476373a387dd816a8a0631b55a905f7f9c
Opcode Fuzzy Hash: 408ba0596b3f5d5992f38a9280eec37536e3e1629210b2d7506f9fd48b4d3fc2
Instruction Fuzzy Hash: 1F417A34A152199FCB02CF68C894FA9B7F9BF49314F1942ADE8149B261C730A959CF90

Function 002C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002C16EB

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

GetCaretPos.USER32(?), ref: 002C16FF
ClientToScreen.USER32(00000000,?), ref: 002C174C
GetForegroundWindow.USER32 ref: 002C1752

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b7f4cd097725f7edbd3944a773049d599ba3d5ab2a9d396bd5c10ac6a9e820d8
Instruction ID: 35f5bf0ac86470dcf68030d0bfe22f59330ba8ed7a282d547f3d5421c017f155
Opcode Fuzzy Hash: b7f4cd097725f7edbd3944a773049d599ba3d5ab2a9d396bd5c10ac6a9e820d8
Instruction Fuzzy Hash: 8A3130B5D10149AFCB04EFA9C885DAEB7FDEF49304B5080AAE415E7212E7319E55CFA0

Function 002C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

GetCursorPos.USER32(?), ref: 002C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00287711,?,?,?,?,?), ref: 002C9016
GetCursorPos.USER32(?), ref: 002C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00287711,?,?,?), ref: 002C9094

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cb027a3dbe5eff0de478a6d9b7a4aaec669ca4ab4eb3e97ccdf4a3012eba7d74
Instruction ID: d4993bea84d56e0dccaca4e3f7be99624831dbef6d183ab2a384bac84645caa7
Opcode Fuzzy Hash: cb027a3dbe5eff0de478a6d9b7a4aaec669ca4ab4eb3e97ccdf4a3012eba7d74
Instruction Fuzzy Hash: 9C219F35611018EFCB268F94DC5CFEA7BB9EF89350F144169F90557261C33199A0DB60

Function 0029D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002CCB68), ref: 0029D2FB
GetLastError.KERNEL32 ref: 0029D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0029D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002CCB68), ref: 0029D376

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9730f31024bebdf7a84cd78a6e05787b43aa4cc27aae5b576d140733ca8c45b2
Instruction ID: 682d8b9d6aa6aa08547022eb695366acdf744092b89975be89b8154e9983b27b
Opcode Fuzzy Hash: 9730f31024bebdf7a84cd78a6e05787b43aa4cc27aae5b576d140733ca8c45b2
Instruction Fuzzy Hash: B621A370528202DF8B00DF24D88586AB7E4EF56365F204A5DF899C32A1D730D956DF97

Function 00291571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00291014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0029102A
Part of subcall function 00291014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00291036
Part of subcall function 00291014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291045
Part of subcall function 00291014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0029104C
Part of subcall function 00291014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002915BE
_memcmp.LIBVCRUNTIME ref: 002915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00291617
HeapFree.KERNEL32(00000000), ref: 0029161E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c215d7141a59c8b3b28f266c2f3fab98af001974d4b5c400b6b4bfb4d938927d
Instruction ID: 5821e07f19d545b447190922f445654540d7f40ece3747d719ef65186fce3dc1
Opcode Fuzzy Hash: c215d7141a59c8b3b28f266c2f3fab98af001974d4b5c400b6b4bfb4d938927d
Instruction Fuzzy Hash: 0021AF71E5010AEFDF00DFA6C949BEEB7B8EF44344F194459E445AB241E770AE25CBA0

Function 002C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002C2840

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 831dd8cfe1393e9c94cf79d5a4b823e52f5afa706ec9488ff8fce4cb915f1b99
Instruction ID: 89897d1e7b161058015ecfb1043c5f6b9fa31917cac406a143df775df7a27627
Opcode Fuzzy Hash: 831dd8cfe1393e9c94cf79d5a4b823e52f5afa706ec9488ff8fce4cb915f1b99
Instruction Fuzzy Hash: AF21B031214511EFD7149F24C884FAABB99AF85324F24825CF42A8B6E2CB71EC56CBD0

Function 002978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00298D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0029790A,?,000000FF,?,00298754,00000000,?,0000001C,?,?), ref: 00298D8C
Part of subcall function 00298D7D: lstrcpyW.KERNEL32(00000000,?,?,0029790A,?,000000FF,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00298DB2
Part of subcall function 00298D7D: lstrcmpiW.KERNEL32(00000000,?,0029790A,?,000000FF,?,00298754,00000000,?,0000001C,?,?), ref: 00298DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00297923
lstrcpyW.KERNEL32(00000000,?,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00297949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00297984

Strings

cdecl, xrefs: 0029797B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9ecc72549d36097f30a31d3d7a278b1c035b98f3a6665ed7e74cfa224e2e9942
Instruction ID: cde38054561493d663c15765071b1b001660cedec4a256dfc7d53116ee284875
Opcode Fuzzy Hash: 9ecc72549d36097f30a31d3d7a278b1c035b98f3a6665ed7e74cfa224e2e9942
Instruction Fuzzy Hash: 1111293A220342AFDF155F39D848E7B77A5FF85350B10402AF906C7264EF719821CB61

Function 002C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 002C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002AB7AD,00000000), ref: 002C7D6B

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 13e2644667728cfb6790a21a2bffd2af53f2d9893bf13f95b0a9622e3b795f6f
Instruction ID: 9c81b4a7cafdf402a85491fd38ac539dd6f2bab4dc618baacd7b4d4bca57781c
Opcode Fuzzy Hash: 13e2644667728cfb6790a21a2bffd2af53f2d9893bf13f95b0a9622e3b795f6f
Instruction Fuzzy Hash: 3F11A231525616AFCB119F28DC08F663BA9AF45360F254729F83AD72F0D7309960CF90

Function 002C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002C56BB
_wcslen.LIBCMT ref: 002C56CD
_wcslen.LIBCMT ref: 002C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C5816

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 19736fefc338a2ce493f11c68f4ca5310f20b7aee2b549fe141ebb912ff7a6bd
Instruction ID: 4bda4770c46a0353dfbb8e49b8ebe99da3578d727baf2da225d2e7b70d82b455
Opcode Fuzzy Hash: 19736fefc338a2ce493f11c68f4ca5310f20b7aee2b549fe141ebb912ff7a6bd
Instruction Fuzzy Hash: F311E43162062996DB209F61CC85FEE77ACBF10364B20426EF905D6081E7B0EAE4CF60

Function 00261D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1837119fa89693ade6656b98c099879549ba47fbdf92e8033228049d6eabd04b
Instruction ID: fc3c2adae5df51b3b93d13e6bd6751a691a36ce6f04cbe3b22a36de4b6a1b084
Opcode Fuzzy Hash: 1837119fa89693ade6656b98c099879549ba47fbdf92e8033228049d6eabd04b
Instruction Fuzzy Hash: 8801D6B2626A17BEF7112A787CC1F27661CDF817B8F380325F525511D2DBA0ACB09570

Function 00291A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00291A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A8A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 94a63abc361a176240074d79c6cfb8082ca347be8b6f96c27f68c1ef5ae1f53d
Instruction ID: 01ca418151412f347fea14602407496e92d3abe2d2a8c820622016952606ea76
Opcode Fuzzy Hash: 94a63abc361a176240074d79c6cfb8082ca347be8b6f96c27f68c1ef5ae1f53d
Instruction Fuzzy Hash: 7411093AD0121AFFEF11DBA5CD85FADBB78EB08750F200091EA04B7294D6716E60DB94

Function 0029E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0029E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0029E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0029E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0029E24D

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 38c6c27305140a4ed17f79497e5e805a2d93885d9931db215dfe9dcd3dde2933
Instruction ID: 6a2f6b794472c2421c379e9bcfcae24b7efdbacdba3ed75f0d6d480fb7275b36
Opcode Fuzzy Hash: 38c6c27305140a4ed17f79497e5e805a2d93885d9931db215dfe9dcd3dde2933
Instruction Fuzzy Hash: 2511C476D14259BBCF01DFA8AC09E9E7FACEB45720F15425AF928E3291D6B08D1487A0

Function 0025D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0025CFF9,00000000,00000004,00000000), ref: 0025D218
GetLastError.KERNEL32 ref: 0025D224
__dosmaperr.LIBCMT ref: 0025D22B
ResumeThread.KERNEL32(00000000), ref: 0025D249

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: cbb2932cf3b9de8f4dd2ec48119ab95b112f89a25f0cb98dc5aa1a6b5d1e017a
Instruction ID: f61657f34f432800b4121d0f5553f6757d4b22426bd764ff333d9518bf01b6ba
Opcode Fuzzy Hash: cbb2932cf3b9de8f4dd2ec48119ab95b112f89a25f0cb98dc5aa1a6b5d1e017a
Instruction Fuzzy Hash: C0012632425205BBC7215FA5EC09BAE7A69DF81332F204219FC29D20D1DBB0C829CAA4

Function 0023600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
GetStockObject.GDI32(00000011), ref: 00236060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: dc16de0b85a3bc30f436292714e2b39f91f2e33b054c1ba16697543ef0f632d6
Instruction ID: b142679084795f8b1993c6496910901c79f815fe1667e83619ee9ffd34f8577a
Opcode Fuzzy Hash: dc16de0b85a3bc30f436292714e2b39f91f2e33b054c1ba16697543ef0f632d6
Instruction Fuzzy Hash: ED11ADB2511509BFEF164FA49C49EEABB6DFF093A4F144202FA0892010C732DC60DBA0

Function 00253B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00253B56

Part of subcall function 00253AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00253AD2
Part of subcall function 00253AA3: ___AdjustPointer.LIBCMT ref: 00253AED

_UnwindNestedFrames.LIBCMT ref: 00253B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00253B7C
CallCatchBlock.LIBVCRUNTIME ref: 00253BA4

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9c2d85f5e6f345e7d85ea113304ef6322dad36b35c4a3a1d2b01dfc71f8444d6
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C2012932110149BBDF12AE95CC46EEB7B69EF48799F044014FE4896121C732E975DFA4

Function 00263073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002313C6,00000000,00000000,?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue), ref: 002630A5
GetLastError.KERNEL32(?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue,002D2290,FlsSetValue,00000000,00000364,?,00262E46), ref: 002630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue,002D2290,FlsSetValue,00000000), ref: 002630BF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9e01632ac51724035c186568a2a3df2d5d1327964aa829e1fc67b9b3e3f759e8
Instruction ID: 6da9a9449c69a6d87ebfc5158724dad17129b092c16a9b82e48fb026f7ea12bb
Opcode Fuzzy Hash: 9e01632ac51724035c186568a2a3df2d5d1327964aa829e1fc67b9b3e3f759e8
Instruction Fuzzy Hash: 0501AC32771223ABC731CF79AC48D577798DF45761B250620F919D7180D721D959C6D0

Function 00297464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0029747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00297497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002974CA

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c8d2e305cb0ac554ebf832752f8d4f1da461b82616286bc85cb93ae5b079e7d0
Instruction ID: b4aac2480951cd2b26ae42c2bd90a4159a9432a98aeb0d91f0d626a0f4e032a1
Opcode Fuzzy Hash: c8d2e305cb0ac554ebf832752f8d4f1da461b82616286bc85cb93ae5b079e7d0
Instruction Fuzzy Hash: 08116DB5625315ABFB308F14EC09F967BFCEF00B04F208569E65AD6192D7B0E914DBA0

Function 0029B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B126

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 841854996649862eb634c84df6dbb4e5fd23577098c014aad7c5e9ff1fac1755
Instruction ID: c297563ca445acc79327da0482459f4b22e4b2e63b25720104aff5efb164e279
Opcode Fuzzy Hash: 841854996649862eb634c84df6dbb4e5fd23577098c014aad7c5e9ff1fac1755
Instruction Fuzzy Hash: 30118B30C2062DE7CF01AFE5FA68AEEBF78FF09310F114095D949B2181CB7046608B91

Function 002C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002C7E33
ScreenToClient.USER32(?,?), ref: 002C7E4B
ScreenToClient.USER32(?,?), ref: 002C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002C7E8A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 91cea487d2770fcd1d2701c1fa133a1b984299046c240d11dcf97e85102b4357
Instruction ID: f2224544244016523b09b5b8b14a6508213973b75961cb84f0f1362a78ef3c2c
Opcode Fuzzy Hash: 91cea487d2770fcd1d2701c1fa133a1b984299046c240d11dcf97e85102b4357
Instruction Fuzzy Hash: 9A1156B9D0020AAFDB41DF98D984AEEBBF9FF08310F505156E915E3210D735AA55CF50

Function 00292DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00292DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00292DD6
GetCurrentThreadId.KERNEL32 ref: 00292DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00292DE4

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fe35cabe7728eea261a5b8206062224ca40c67a7d45a2341cb449a3f0b60eb82
Instruction ID: 8f9fc16356e4df1da08d8b4b1ddcbc57fdacc6270fe889b02f1e8abb3f5ccd7a
Opcode Fuzzy Hash: fe35cabe7728eea261a5b8206062224ca40c67a7d45a2341cb449a3f0b60eb82
Instruction Fuzzy Hash: E3E09271511224BBDB201F73AC0DFEB3E6CEF83BA1F200015F10AD10809AA0C845C6B0

Function 002C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00249639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496A2
Part of subcall function 00249639: BeginPath.GDI32(?), ref: 002496B9
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002C8887
LineTo.GDI32(?,?,?), ref: 002C8894
EndPath.GDI32(?), ref: 002C88A4
StrokePath.GDI32(?), ref: 002C88B2

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 65e142a1477ab5889d8b03cf788dbd7a23365e8cf852db02fba0fe71e1ca138a
Instruction ID: a2887ed0bc9b9d078622c6188398327bbc30da5a77cf1db7c3f5c82ae720a523
Opcode Fuzzy Hash: 65e142a1477ab5889d8b03cf788dbd7a23365e8cf852db02fba0fe71e1ca138a
Instruction Fuzzy Hash: C9F0B836012259FAEB126F94AC0EFCE3F29AF06310F148204FA15610E2C7B41520CFE9

Function 002498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002498CC
SetTextColor.GDI32(?,?), ref: 002498D6
SetBkMode.GDI32(?,00000001), ref: 002498E9
GetStockObject.GDI32(00000005), ref: 002498F1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f6be3e688e0002e93ed59677e25c8ad5af2380fdc528c64bc65b1abf8e076cef
Instruction ID: 0076230eb4eb8c78ba0bc3f549094c9eb70d68ef79c97a3224f2060be14ade06
Opcode Fuzzy Hash: f6be3e688e0002e93ed59677e25c8ad5af2380fdc528c64bc65b1abf8e076cef
Instruction Fuzzy Hash: 9BE06D31644280AEDB215F75BC0DFE93F20AB12376F288219F6FE980E1C3B186909F10

Function 0029162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00291634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002911D9), ref: 0029163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002911D9), ref: 00291648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002911D9), ref: 0029164F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9f44e3f9c058802dc9844b5b1b58c760bc379d9752f436abe169fb548bf313c2
Instruction ID: 4ff5ba356f35466728a6976659e047ae91e470f92ff547c4f2764b9ef9905bdd
Opcode Fuzzy Hash: 9f44e3f9c058802dc9844b5b1b58c760bc379d9752f436abe169fb548bf313c2
Instruction Fuzzy Hash: A6E08671A01212DBDB201FA1BD0DF463B7CBF44791F284808F74DC9080D6348451C750

Function 0028D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0028D858
GetDC.USER32(00000000), ref: 0028D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028D882
ReleaseDC.USER32(?), ref: 0028D8A3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1b99f3bdd3bddeb8e68ff36d4252c49d486851b46f661c24bdb20b610e41a1b9
Instruction ID: b27447022e76b9fa8fa292be817c343a20f557126b90177d6607e49a6c65ad64
Opcode Fuzzy Hash: 1b99f3bdd3bddeb8e68ff36d4252c49d486851b46f661c24bdb20b610e41a1b9
Instruction Fuzzy Hash: C9E04FB4810204DFCF41AFA0E90CA6DBBB5FB48310F348009F85EE7250C7798912AF40

Function 0028D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0028D86C
GetDC.USER32(00000000), ref: 0028D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028D882
ReleaseDC.USER32(?), ref: 0028D8A3

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 40d5b2751dc1ac47464abd7608fdcf4b2a0497219e546157a52359d074ab2eb4
Instruction ID: 8819a4e68e614dcdc64b053ef775cd3c95f465ae319e446c100086455db8ec08
Opcode Fuzzy Hash: 40d5b2751dc1ac47464abd7608fdcf4b2a0497219e546157a52359d074ab2eb4
Instruction Fuzzy Hash: E0E09AB5810204DFCB519FA0E90CA6DBBB5BB48311F349449E95EE7250C77959129F50

Function 002A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002A4ED4

Strings

*, xrefs: 002A4E10
LPT, xrefs: 002A4DFB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: abc627640e612d2a500a2d97c1ac07453d91acf3d7d8c8d2bef4f276c2393abc
Instruction ID: ca902eca0690b6e3f85c83431fce98f5a031e3a688fc97097076c95e15620606
Opcode Fuzzy Hash: abc627640e612d2a500a2d97c1ac07453d91acf3d7d8c8d2bef4f276c2393abc
Instruction Fuzzy Hash: ED917075A102059FCB14DF58C484EAABBF1BF89304F148099E80A9F762CBB1ED95CF90

Function 0025E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0025E30D

Strings

pow, xrefs: 0025E2E5, 0025E302

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6f657574ee1df76c01392148252701cb3d36de30f2e11aabec5824b275044044
Instruction ID: 47b4f7b1b7995c376535bac5db63de682f72063a917f03881b7db4feba02d1be
Opcode Fuzzy Hash: 6f657574ee1df76c01392148252701cb3d36de30f2e11aabec5824b275044044
Instruction Fuzzy Hash: FE51BD61E3C203A6CF197F14E9013793B94AF50746F304D99E8D1822E9EB358DFD8A4A

Function 002B7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0028569E,00000000,?,002CCC08,?,00000000,00000000), ref: 002B78DD

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

CharUpperBuffW.USER32(0028569E,00000000,?,002CCC08,00000000,?,00000000,00000000), ref: 002B783B

Strings

<s/, xrefs: 002B77C8

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s/
API String ID: 3544283678-2113131146
Opcode ID: 6ea81a25670a0cbbcbc41ce371b0e4353dc41e3f0d7a26e449d1abeca6087c20
Instruction ID: 0121eeaa0d52fc4c59fb330b6a0f1b24cfd1b58a4edbc701cf57a7ccce864021
Opcode Fuzzy Hash: 6ea81a25670a0cbbcbc41ce371b0e4353dc41e3f0d7a26e449d1abeca6087c20
Instruction Fuzzy Hash: B56168B2934119AACF04EBA4CC95DFDB378BF54740F544129E642B3091EF60AA69DFA0

Function 0024E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0024E1B1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 338ea66513f3012d1967e3cd158bd168cb247b29a36452b076a86ed29aadb3e0
Instruction ID: 3349fefc39ed9f29f550f5a2c7e907fc4f9776f4c8b358a49c22bf98e43bac3d
Opcode Fuzzy Hash: 338ea66513f3012d1967e3cd158bd168cb247b29a36452b076a86ed29aadb3e0
Instruction Fuzzy Hash: C8518778625243DFEF18EF24C481ABABBA4FF25310F254055EC919B2D0D7709D62CB90

Function 0024F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0024F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0024F2BB

Strings

@, xrefs: 0024F2AF

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fb7f3cf2b92d805f5c85aa237ee936564e1c86cefa05099bc210047c53c958bb
Instruction ID: dc88cb9425ed3f1d73255ef9f25bd6b24a18c62f7f997e982cf78dd096415d46
Opcode Fuzzy Hash: fb7f3cf2b92d805f5c85aa237ee936564e1c86cefa05099bc210047c53c958bb
Instruction Fuzzy Hash: 495137B14187489BD320AF11E886BAFBBF8FB84300F91885DF1D9511A5EB708539CB66

Function 002B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002B57E0
_wcslen.LIBCMT ref: 002B57EC

Strings

CALLARGARRAY, xrefs: 002B57E6, 002B57EB

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8fb400e0da59a9de3a20e65a314d72348a2a87761e9b643917f2deccbd81f1b1
Instruction ID: b72594fa9ccf7a9ffbf028289b8a6b400240815cb13d08ce70b476fd7d4c3678
Opcode Fuzzy Hash: 8fb400e0da59a9de3a20e65a314d72348a2a87761e9b643917f2deccbd81f1b1
Instruction Fuzzy Hash: 8141B071A201199FCF14DFA8C885AEEBBB5FF59360F144029E505AB251E7709DA1CF90

Function 002AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002AD13A

Strings

|, xrefs: 002AD10B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d083e492ad99384187b4d58a155c5e333b8401a2cc674a3f3f0713910d153904
Instruction ID: 2c35eef4c9a14f484972ee5c2d37a05340f7608080176ff4db46777cc779c388
Opcode Fuzzy Hash: d083e492ad99384187b4d58a155c5e333b8401a2cc674a3f3f0713910d153904
Instruction Fuzzy Hash: 01311BB1D10109ABCF15EFA4CC85EEEBFB9FF09300F104059E819A6165DB35AA66DF50

Function 002C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002C365C

Strings

static, xrefs: 002C35BC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 59d9684167f09ecd6b20221a0fe1487aa2caa9bf41fcf13632d5d6fa18bd7b81
Instruction ID: 58dbeb329cb5a96602f7f4437dd1fa0d00a01a57e599343d4a79bd21f9d9f5c0
Opcode Fuzzy Hash: 59d9684167f09ecd6b20221a0fe1487aa2caa9bf41fcf13632d5d6fa18bd7b81
Instruction Fuzzy Hash: 32319E71120204AADB10DF24D880FBB73ADFF88760F10961DF86997280DA31ADA18B64

Function 002C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002C4634

Strings

', xrefs: 002C458E

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a8026149cc1e711b28d8ea9d93d0c27fea338a58d8fe003071fbaef5f9e0520d
Instruction ID: 9ff2225095f885874f24a340b4c92bd7e8f86b76f22747dfa61b574dfd389fdf
Opcode Fuzzy Hash: a8026149cc1e711b28d8ea9d93d0c27fea338a58d8fe003071fbaef5f9e0520d
Instruction Fuzzy Hash: 83316974A1020A9FDB04DF68C9A0FDABBB9FF19340F20016AE904AB345D770A911CF90

Function 002C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C3287

Strings

Combobox, xrefs: 002C3249

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 65d9181d52117817a3d391fe8f83dfa92ff50449ae469a6bb0b0ea5815f7e4ef
Instruction ID: e760feddada161ef3e5c0afe2f558bff6f86fb515135356642c6dac36f9cdf0f
Opcode Fuzzy Hash: 65d9181d52117817a3d391fe8f83dfa92ff50449ae469a6bb0b0ea5815f7e4ef
Instruction Fuzzy Hash: BC1122713202097FFF25DE54DC80FBB376EEB843A0F208628F91897290C6719D608B60

Function 002C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0023600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
Part of subcall function 0023600E: GetStockObject.GDI32(00000011), ref: 00236060
Part of subcall function 0023600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

GetWindowRect.USER32(00000000,?), ref: 002C377A
GetSysColor.USER32(00000012), ref: 002C3794

Strings

static, xrefs: 002C3757

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5835b36a04f627dfd248a15eecd97dd646355ceda9f001de794138f318e7dbcd
Instruction ID: 492564ef84d200fbb49cea8fe982e153c89d556932717d5b41d290f01fed4a2d
Opcode Fuzzy Hash: 5835b36a04f627dfd248a15eecd97dd646355ceda9f001de794138f318e7dbcd
Instruction Fuzzy Hash: CC116DB262020AAFDF01DFA8CC49EEA7BF8FB08314F104A18F955E2250D775E865DB50

Function 002ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002ACDA6

Strings

<local>, xrefs: 002ACD66

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8219e67be180144790828cf1a79c9f5a147e0aa4c9ca38a98b110a2be155599d
Instruction ID: c155dcf9fc19bb6e224e0df658d1f4d9b7453e0871d1d5b962b7f1c812b51416
Opcode Fuzzy Hash: 8219e67be180144790828cf1a79c9f5a147e0aa4c9ca38a98b110a2be155599d
Instruction Fuzzy Hash: 1011A371625A36BBD7284B668C49EE7BE6CEB137A4F204236B11982180DB609864D6F0

Function 002C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002C34BA

Strings

edit, xrefs: 002C348F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 50817d131ef5d70fcf67013a9b989524ce378644c01cf2d4fc4cd701245fd532
Instruction ID: c8e14f3a5ab28b9856e44217939c4efb833af21a3a9dde0ce678abaaab2bd227
Opcode Fuzzy Hash: 50817d131ef5d70fcf67013a9b989524ce378644c01cf2d4fc4cd701245fd532
Instruction Fuzzy Hash: 9C116D71120109AAEB269E64DC44FAB376AEB05374F608B28F965931D0C771DD619B50

Function 00296C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

CharUpperBuffW.USER32(?,?,?), ref: 00296CB6
_wcslen.LIBCMT ref: 00296CC2

Strings

STOP, xrefs: 00296CBC, 00296CC1

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f8223d902a7db2f1cd460477c6c6c7dac51eb00053ac3152fd434b11cdbdc186
Instruction ID: 9876007a351fe188ccb4faece6f1cc26d4532bb36d418f42676bb9317d33a2f2
Opcode Fuzzy Hash: f8223d902a7db2f1cd460477c6c6c7dac51eb00053ac3152fd434b11cdbdc186
Instruction Fuzzy Hash: B20104326345278ACF21AFFDDC888BF77E4EE61710B100535F86292190EA71D860CA50

Function 00291CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00291D4C

Strings

ComboBox, xrefs: 00291CEB
ListBox, xrefs: 00291D16

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 39a652e96138c05c696341dbecfea54b37edad6a267330219ac04d7183b51d4c
Instruction ID: e74e02d0d025887a53ab2a3729dcd7848668c2ef43c9b923c32cf2dcedce0d9a
Opcode Fuzzy Hash: 39a652e96138c05c696341dbecfea54b37edad6a267330219ac04d7183b51d4c
Instruction Fuzzy Hash: 5301D871621219AB8F08EFA4CD55CFE7768FF47390F14091AF822572C1EA705938CA70

Function 00291BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00291C46

Strings

ComboBox, xrefs: 00291BE5
ListBox, xrefs: 00291C10

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7cba813d4549cff8251d0e7971763e1767f460391aff20dacca83596986cc36d
Instruction ID: cb3bd02765cfd7c074727603a97acf8bd4a93b64b86e41887fc6fa58f4d4b3f4
Opcode Fuzzy Hash: 7cba813d4549cff8251d0e7971763e1767f460391aff20dacca83596986cc36d
Instruction Fuzzy Hash: 8D01F7B16A410966CF08EB90CA51DFF77A89F56340F10001BF50663281EAA09E38CAB2

Function 00291C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00291CC8

Strings

ComboBox, xrefs: 00291C69
ListBox, xrefs: 00291C94

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc9ed26aee65f71be61a7b476103cbee62aac4de6d5d56f0e909e195e3d3ef1b
Instruction ID: 1f91e7bf58597a12a5cc738e69beb6c252cfa8ddeef7c93bd6cda8fd885a1f98
Opcode Fuzzy Hash: bc9ed26aee65f71be61a7b476103cbee62aac4de6d5d56f0e909e195e3d3ef1b
Instruction Fuzzy Hash: D901DBB566011967CF04EB91CA01EFE77AC9F12340F540417B90173281EAA09F38CA72

Function 0024A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0024A529

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Strings

3y(, xrefs: 0024A545, 0024A54D, 0024A552
,%0, xrefs: 0024A509

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%0$3y(
API String ID: 2551934079-2701437296
Opcode ID: ca6ed3c8556d8b0ad41aefa9ac3f6259c2d062e1599ceda166e91588a4678074
Instruction ID: 8017e00ff2781a81945538b3b165445f928835dd4c32ca5d83d90ea924b50472
Opcode Fuzzy Hash: ca6ed3c8556d8b0ad41aefa9ac3f6259c2d062e1599ceda166e91588a4678074
Instruction Fuzzy Hash: F8019E31BB161087C509F768ED6BB5D7318CB07710F800019F9061B1C3DEA09D658F9B

Function 00291D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00291DD3

Strings

ComboBox, xrefs: 00291D75
ListBox, xrefs: 00291DA0

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7a8cadbc962b4d3a1ef66c68d585033d6b13b54714a4b618cb14fa3efaad11b4
Instruction ID: 7c9501dc2ef5415f6d1e071a03aad404f0fccc895fa617fbc9c2e2e0a697972b
Opcode Fuzzy Hash: 7a8cadbc962b4d3a1ef66c68d585033d6b13b54714a4b618cb14fa3efaad11b4
Instruction Fuzzy Hash: B2F0F4B1A7021966CF08EBA4CD52EFE7768AF03340F040916F922A32C1DAA059388A70

Function 002C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00303018,0030305C), ref: 002C81BF
CloseHandle.KERNEL32 ref: 002C81D1

Strings

\00, xrefs: 002C818A

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \00
API String ID: 3712363035-1668810905
Opcode ID: 9a755d9617beeae92e3c980bfce754439e981bb85f83ddfd186ffa49f1a5ed02
Instruction ID: 2bc8fb0b6cf3dd87779adc5e5850bce42df09f6fea3a28a86a0d826f80504ca7
Opcode Fuzzy Hash: 9a755d9617beeae92e3c980bfce754439e981bb85f83ddfd186ffa49f1a5ed02
Instruction Fuzzy Hash: 07F05EF1652300BAF3216B65AC59FB73A5CEB05751F0044A2FF0DD61E2D6758A1486F8

Function 002B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002B7493
_wcslen.LIBCMT ref: 002B74B9

Strings

3, 3, 16, 1, xrefs: 002B7483

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b9bb0437da4a41708355aff23d3743ea5573cdab41d1c94c5ff9317b039fe7f5
Instruction ID: a2a936619a4c7ee8abf9befe8f3c4a060a4a2674af27544266b8bc6338d1726d
Opcode Fuzzy Hash: b9bb0437da4a41708355aff23d3743ea5573cdab41d1c94c5ff9317b039fe7f5
Instruction Fuzzy Hash: 9EE02B0663426120923126799CC29BF96A9DFC57E2710182BFD81C2266EAA48DF193A4

Function 00290B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00290B23

Strings

AutoIt, xrefs: 00290B17
Error allocating memory., xrefs: 00290B1C

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9a06cf72f9c8fc3a9aedddd7077566e49ff2695f95acedcfb06e075825301407
Instruction ID: 2afc25971b4fa2590ea417bf6459d05a671f1fc5ec486fc6c9bfbe1bdaeb1709
Opcode Fuzzy Hash: 9a06cf72f9c8fc3a9aedddd7077566e49ff2695f95acedcfb06e075825301407
Instruction Fuzzy Hash: 03E0D8312643183AD2183A947D07FC9BA88CF05F65F20042AFB8C554C38AE124B00AED

Function 00250D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0024F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00250D71,?,?,?,0023100A), ref: 0024F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0023100A), ref: 00250D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0023100A), ref: 00250D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00250D7F

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c55ec67a51afc564009cfe4a8268cc21e4811e789dcf7e5d3fe65432d471e7a7
Instruction ID: 3c7df5fe82c272470b884474a77e767f7eea00b0dec89d6190c52ef4c5ce2cf1
Opcode Fuzzy Hash: c55ec67a51afc564009cfe4a8268cc21e4811e789dcf7e5d3fe65432d471e7a7
Instruction Fuzzy Hash: 94E092742113418BE3709FB8E948B42BBF4EF00741F004E2DE886C6655DBB4E4588FA1

Function 0024E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0024E3D5

Strings

8%0, xrefs: 0024E3CA
0%0, xrefs: 0024E3B5

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%0$8%0
API String ID: 1385522511-139278885
Opcode ID: f6392015eddf017735ed4ee89bf78d10ef8b225ef855e044c7745a86a1359e13
Instruction ID: 565ff734671484dc5f22a264d84439f87d2c09ff152d43528766309350b78d3d
Opcode Fuzzy Hash: f6392015eddf017735ed4ee89bf78d10ef8b225ef855e044c7745a86a1359e13
Instruction Fuzzy Hash: DAE08635436910CBDE0BAF18BCBDEAEB759BB06320F5111E6F512871D19B7028518B5D

Function 002A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002A3044

Strings

aut, xrefs: 002A3038

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cc1a669740b5f9103704971f7f20214ae33f2c056a0caecfaa89542f130d2b15
Instruction ID: 45862424dd1e37f3b2bbbb6f23eab620bc9b00b1756cb4db361a57e127746436
Opcode Fuzzy Hash: cc1a669740b5f9103704971f7f20214ae33f2c056a0caecfaa89542f130d2b15
Instruction Fuzzy Hash: EBD05E7250032867DA20E7A4AC0EFDB7A6CDB05750F0002A1BA59E2091DAB09984CAD1

Function 0028D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0028D220

Strings

X64, xrefs: 0028D2A8
%.3d, xrefs: 0028D22B

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 95b6cb8c4ae26872b4261da75a1e05db23e06ea5582fdef77ee0ca5c8bd00d14
Instruction ID: 3479d136be512e5a78463f4080a603683c0f6eefd3036d7240cec87321ef5982
Opcode Fuzzy Hash: 95b6cb8c4ae26872b4261da75a1e05db23e06ea5582fdef77ee0ca5c8bd00d14
Instruction Fuzzy Hash: 3FD0126583A108FACB90A6D0DC49CB9B37CEB09341F608462FD06920C5D6A4D53C6B61

Function 002C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002C233F

Part of subcall function 0029E97B: Sleep.KERNEL32 ref: 0029E9F3

Strings

Shell_TrayWnd, xrefs: 002C2325

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6f673295af2373e4a09dd63a60b409348bb12f9abc985b9a4c60e8fd0a8ec823
Instruction ID: f94f3edb1acc50107c73cd6aba79186cb435b260f9871142fb584084f7902797
Opcode Fuzzy Hash: 6f673295af2373e4a09dd63a60b409348bb12f9abc985b9a4c60e8fd0a8ec823
Instruction Fuzzy Hash: 48D022327E0300B7EA68B330EC0FFC6BA08DB00B00F200916B30AEA0D0C8F0A800CB00

Function 002C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C236C
PostMessageW.USER32(00000000), ref: 002C2373

Part of subcall function 0029E97B: Sleep.KERNEL32 ref: 0029E9F3

Strings

Shell_TrayWnd, xrefs: 002C2365

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 939aba4dd2ac744b7dbdea140367589ba3886bd7a249d5fb0f33f20d25098b18
Instruction ID: 0bd5a31fdcdc54043daf92025563c94a30a89dd6d092605b95872924759a04a9
Opcode Fuzzy Hash: 939aba4dd2ac744b7dbdea140367589ba3886bd7a249d5fb0f33f20d25098b18
Instruction Fuzzy Hash: 6CD0A9327D03007AEA68B330AC0FFC6A6089B00B00F200916B30AEA0D0C8A0A800CA04

Function 0026BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0026BE93
GetLastError.KERNEL32 ref: 0026BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0026BEFC

Memory Dump Source

Source File: 00000000.00000002.1307776373.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1307694012.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308095259.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308189537.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308269797.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7c2a7cab147eac1deb9cd0c83d7cfac4e8545bf93a644c650471f734dd04b291
Instruction ID: 15d033c799097074c47ec56a3d2331627c874d4ae947a637de0815ae8b3a5663
Opcode Fuzzy Hash: 7c2a7cab147eac1deb9cd0c83d7cfac4e8545bf93a644c650471f734dd04b291
Instruction Fuzzy Hash: BE41E435624207AFCF228FA5CC44AAABBA5AF51310F244169F959DB5B1DB318CE1CF60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000012.00000003.1427675639.000027B480503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1427675639.000027B480503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1427555321.000017654C203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1427555321.000017654C203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1427675639.000027B480503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1(://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1427555321.000017654C203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1(://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1446800319.000001FFF46DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1407564988.000001FFF4B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1368946797.000001FFF5425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1368460908.000001FFF54DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1410896588.000001FFEC649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1368946797.000001FFF5425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1368460908.000001FFF54DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1410896588.000001FFEC649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1446800319.000001FFF46DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1407564988.000001FFF4B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1454283398.000001FFF1730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1454283398.000001FFF1730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1368946797.000001FFF5425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1368460908.000001FFF54DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1410896588.000001FFEC649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1368946797.000001FFF5425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1368460908.000001FFF54DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1410896588.000001FFEC649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2502999390.0000011DC7E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2502999390.0000011DC7E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000003.1414325595.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416425063.000001FFEB446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2502999390.0000011DC7E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1407564988.000001FFF4B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1407564988.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1433886496.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1446800319.000001FFF46DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1427555321.000017654C203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1369499844.000001FFF53FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407564988.000001FFF4B2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1444825480.000001FFF53FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1407564988.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1433886496.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1371203349.000001FFF4B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1427291488.00001A50E7C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73a49bae-d051-417a-a326-ad04d4bcf16a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73a49bae-d051-417a-a326-ad04d4bcf16a.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre