Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1564521
MD5:	e95da9c734f70679a829c932bcc05884
SHA1:	5e4b62499d9210732679c2d2c0c861f95d6c57b4
SHA256:	cf8d0ac7e1d03c2bcbee68404434c91f160e5b429ef870fdc1a8b26d9ba1cc96
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E95DA9C734F70679A829C932BCC05884)

taskkill.exe (PID: 3652 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2676 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2816 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 820 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6644 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3032 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4636 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6464 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2172 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20402a76-13c7-4119-b198-c83648ed074d} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28618d70110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7916 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3172 -prefMapHandle 2984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fd3af4-3cda-49f8-9cc1-f485fefb385a} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28629e5ea10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7588 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 5004 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6678fa55-ed79-4942-8d95-09ce28502627} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 286290c4510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6404	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0085EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0085EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0085ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0085EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0084AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00879576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00879576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9da65c2f-d
Source: file.exe, 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_26dbe027-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_018dc19a-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a41a638b-a

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCA34B7 NtQuerySystemInformation,		24_2_000001F8DBCA34B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCCA632 NtQuerySystemInformation,		24_2_000001F8DBCCA632

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0084D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00841201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00841201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0084E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E8060	0_2_007E8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00852046	0_2_00852046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00848298	0_2_00848298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081E4FF	0_2_0081E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081676B	0_2_0081676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00874873	0_2_00874873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CAA0	0_2_0080CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ECAF0	0_2_007ECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FCC39	0_2_007FCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00816DD9	0_2_00816DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FB119	0_2_007FB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E91C0	0_2_007E91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801394	0_2_00801394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801706	0_2_00801706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080781B	0_2_0080781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F997D	0_2_007F997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008019B0	0_2_008019B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7920	0_2_007E7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807A4A	0_2_00807A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807CA7	0_2_00807CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801C77	0_2_00801C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00819EEE	0_2_00819EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086BE44	0_2_0086BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801F32	0_2_00801F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCA34B7	24_2_000001F8DBCA34B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCCA632	24_2_000001F8DBCCA632
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCCAD5C	24_2_000001F8DBCCAD5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_000001F8DBCCA672	24_2_000001F8DBCCA672

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007FF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00800A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007E9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008537B5 GetLastError,FormatMessageW,

0_2_008537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008410BF AdjustTokenPrivileges,CloseHandle,		0_2_008410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008416C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0084D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0085648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007E42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000012.00000003.1444074376.000002862C077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.00000286352B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000012.00000003.1444074376.000002862C077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.00000286352B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20402a76-13c7-4119-b198-c83648ed074d} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28618d70110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3172 -prefMapHandle 2984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fd3af4-3cda-49f8-9cc1-f485fefb385a} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28629e5ea10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 5004 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6678fa55-ed79-4942-8d95-09ce28502627} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 286290c4510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20402a76-13c7-4119-b198-c83648ed074d} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28618d70110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3172 -prefMapHandle 2984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fd3af4-3cda-49f8-9cc1-f485fefb385a} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28629e5ea10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 5004 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6678fa55-ed79-4942-8d95-09ce28502627} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 286290c4510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000012.00000003.1384236501.00000286328F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 00000012.00000003.1398990245.0000028635301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000012.00000003.1384545970.00000286327EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000012.00000003.1401765196.0000028628580000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000012.00000003.1401765196.0000028628580000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 00000012.00000003.1404227012.00000286285F1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1404427041.00000286285F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000012.00000003.1384236501.00000286328F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000012.00000003.1399962514.000002862857A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.18.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000012.00000003.1398990245.0000028635301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 00000012.00000003.1384236501.00000286328F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 00000012.00000003.1404227012.00000286285F1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1404427041.00000286285F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000012.00000003.1384236501.00000286328F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000012.00000003.1399962514.000002862857A000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: gmpopenh264.dll.tmp.18.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00800A76 push ecx; ret

0_2_00800A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007FF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00871C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95889

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_000001F8DBCA34B7 rdtsc

24_2_000001F8DBCA34B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0084DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081C2A2 FindFirstFileExW,	0_2_0081C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008568EE FindFirstFileW,FindClose,	0_2_008568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0085698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0084D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0084D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00859642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0085979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00859B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00855C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00855C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: firefox.exe, 00000018.00000002.2508175627.000001F8DBD30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)
Source: firefox.exe, 00000015.00000002.2503902240.000002A9C4B8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT+
Source: firefox.exe, 00000015.00000002.2503902240.000002A9C4B8A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2502557557.000001F8DB51A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2507490454.000001D45D500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.2507733644.000002A9C4F22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000015.00000002.2508519054.000002A9C5000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: firefox.exe, 00000015.00000002.2508519054.000002A9C5000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: firefox.exe, 00000019.00000002.2501954487.000001D45CFAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp*P]
Source: firefox.exe, 00000015.00000002.2508519054.000002A9C5000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2508175627.000001F8DBD30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000015.00000002.2508519054.000002A9C5000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_000001F8DBCA34B7 rdtsc

24_2_000001F8DBCA34B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085EAA2 BlockInput,

0_2_0085EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00812622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00804CE8 mov eax, dword ptr fs:[00000030h]

0_2_00804CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00840B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00840B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00812622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0080083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008009D5 SetUnhandledExceptionFilter,	0_2_008009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00800C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00800C21

Source: C:\Users\user\Desktop\file.exe

0_2_00841201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00822BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00822BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084B226 SendInput,keybd_event,

0_2_0084B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008622DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00840B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00841663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00841663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00800698 cpuid

0_2_00800698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00858195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00858195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083D27A GetUserNameW,

0_2_0083D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0081B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0081B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00861204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00861806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.21.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 00000012.00000003.1431793327.000004ABF0203000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000019.00000002.2504483445.000001D45D4C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000012.00000003.1428588634.0000028634F89000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000012.00000003.1428858619.0000028634ABC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.18.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000012.00000003.1327865677.000002862C748000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1350664367.000002862C73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425079393.000002862C73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1405051193.000002862C73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1325633616.000002862C748000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000018.00000002.2504187418.000001F8DB786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D48E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000012.00000003.1448763685.00000286327D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 00000012.00000003.1431352877.00000286351B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000012.00000003.1345505781.00000286316AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300455209.0000028628800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000012.00000003.1456163799.0000028629FC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1344680931.0000028632796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1456163799.0000028629F55000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000012.00000003.1333185031.0000028630C1D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000012.00000003.1456163799.0000028629F5F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/$	firefox.exe, 00000012.00000003.1437614079.0000396B1AA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1437386463.0000113B8BC03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000012.00000003.1300945078.0000028628A60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300643321.0000028628A21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1301110904.0000028628A7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1349665003.000002862A4B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300792037.0000028628A40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300455209.0000028628800000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 00000012.00000003.1432017931.0000171F4B404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431793327.000004ABF0203000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000012.00000003.1300945078.0000028628A60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300643321.0000028628A21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300792037.0000028628A40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300455209.0000028628800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000012.00000003.1443222582.000002862C8EF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000012.00000003.1433256564.00000286326DF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000012.00000003.1454051234.000002862C05E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000012.00000003.1425646300.000002863522F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 00000012.00000003.1349665003.000002862A4EA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000012.00000003.1435847759.0000028631480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000012.00000003.1425290281.0000028624B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1437007350.0000028624B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000012.00000003.1435847759.0000028631480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2504187418.000001F8DB703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D40C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000012.00000003.1356381345.00000286341CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356300400.00000286341C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356338490.00000286341A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356187884.00000286341B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356187884.00000286341A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000012.00000003.1458110990.000002863524F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.000002863522F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000019.00000002.2504483445.000001D45D4C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000012.00000003.1334288508.0000028629E89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1334288508.0000028629E54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000012.00000003.1356187884.00000286341B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356187884.00000286341A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000012.00000003.1459048138.0000028634AD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000012.00000003.1344680931.0000028632796000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.18.dr	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000015.00000002.2505162992.000002A9C4ECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2504187418.000001F8DB7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2507684399.000001D45D603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.18.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000003.1448763685.00000286327D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2504187418.000001F8DB712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D413000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 00000012.00000003.1385782646.0000028630CE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000012.00000003.1333185031.0000028630C1D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000012.00000003.1346632627.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1308010425.0000028628DD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1438759818.000002862A484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1385813629.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1454950226.000002862AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1445672005.000002862AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1389355775.000002862AAD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1399580594.000002862A39B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1401847795.0000028628DD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1406589074.000002862A4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431079099.0000028628DC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387114425.000002862BD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1353848609.0000028629CB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1427222494.000002863514B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1432178427.000002863519A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1453645777.000002862C6E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1432395018.00000286351A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1416247441.0000028635148000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431756991.0000028635173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387114425.000002862BD6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387858187.000002862B2E9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.18.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000012.00000003.1333185031.0000028630C60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000012.00000003.1333185031.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346632627.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386820297.000002862C068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1385813629.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000012.00000003.1333185031.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346632627.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386820297.000002862C068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1385813629.0000028630CD2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000012.00000003.1327865677.000002862C748000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1350664367.000002862C73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425079393.000002862C73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1405051193.000002862C73E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000012.00000003.1456163799.0000028629F5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1459846085.0000028631060000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000012.00000003.1456163799.0000028629F5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000012.00000003.1429303339.00000286327F0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000012.00000003.1303482852.000002862822D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1303844185.0000028628233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1302751890.0000028628233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1404083975.0000028628233000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000012.00000003.1455724797.000002862AA0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1390265706.000002862AA0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1446245389.000002862AA0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 00000012.00000003.1431352877.00000286351B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000012.00000003.1454359131.000002862BDDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1387114425.000002862BDDF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000012.00000003.1356381345.00000286341CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356300400.00000286341C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356338490.00000286341A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356187884.00000286341B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1356187884.00000286341A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000012.00000003.1303482852.000002862822D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425290281.0000028624B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1303844185.0000028628233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1302751890.0000028628233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1404083975.0000028628233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1437007350.0000028624B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000012.00000003.1458110990.000002863524F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.000002863522F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000012.00000003.1385601239.0000028630D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000012.00000003.1458110990.00000286352B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1429227710.0000028634A56000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 00000012.00000003.1300455209.0000028628800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 00000012.00000003.1442738983.000002863143C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1300455209.0000028628800000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000012.00000003.1333185031.0000028630C1D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000015.00000002.2505162992.000002A9C4ECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2504187418.000001F8DB7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2507684399.000001D45D603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.18.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000015.00000002.2504449765.000002A9C4D00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2503533020.000001F8DB5B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2503357512.000001D45D140000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564521
Start date and time:	2024-11-28 13:09:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 34.209.229.249, 52.27.142.243, 172.217.17.46, 88.221.134.155, 88.221.134.209, 172.217.17.42, 172.217.17.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
07:10:16	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.118.84.150
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.118.84.150
	https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.118.84.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	FACTURE NON PAYEE.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk	Get hash	malicious	Unknown	Browse	151.101.1.229
	https://go-pdf.online/abap-development-for-financial-accounting-custom-enhancements.pdf	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	botx.spc.elf	Get hash	malicious	Mirai	Browse	48.82.37.11
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	32.38.0.86
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.0.52.241
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.128.228.137
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.180.37.191
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.0.157.247
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.83.138.21
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	194.194.33.238
ATGS-MMD-ASUS	botx.spc.elf	Get hash	malicious	Mirai	Browse	48.82.37.11
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	32.38.0.86
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.0.52.241
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.128.228.137
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.180.37.191
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.0.157.247
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.83.138.21
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	194.194.33.238

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d86e050-11a5-4a1b-8e72-1ca38f9723c3.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177112087147413
Encrypted:	false
SSDEEP:	192:FMvMXkGZcbhbVbTbfbRbObtbyEl7n8rBJA6unSrDtTkd/S9o:FFtcNhnzFSJcr81nSrDhkd/co
MD5:	029DC57CE924F4A237AC1A336E1CFC0B
SHA1:	1335BA460A2B75B6A12EEA8ABFEE68ED719856CD
SHA-256:	5B59D9E8B247F74A5B35DEA46D087D2619094C21F0D81A12915F35543E06A9B6
SHA-512:	710024C982A82402BA49D61C3170EF11AD18F0B4C4E20B81837506CC3937F27C62A04557C343F5B3BB6945E2F026AAA75844C4F3393C27174909210251BFC57A
Malicious:	false
Preview:	{"type":"uninstall","id":"8d86e050-11a5-4a1b-8e72-1ca38f9723c3","creationDate":"2024-11-28T13:30:51.248Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d86e050-11a5-4a1b-8e72-1ca38f9723c3.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177112087147413
Encrypted:	false
SSDEEP:	192:FMvMXkGZcbhbVbTbfbRbObtbyEl7n8rBJA6unSrDtTkd/S9o:FFtcNhnzFSJcr81nSrDhkd/co
MD5:	029DC57CE924F4A237AC1A336E1CFC0B
SHA1:	1335BA460A2B75B6A12EEA8ABFEE68ED719856CD
SHA-256:	5B59D9E8B247F74A5B35DEA46D087D2619094C21F0D81A12915F35543E06A9B6
SHA-512:	710024C982A82402BA49D61C3170EF11AD18F0B4C4E20B81837506CC3937F27C62A04557C343F5B3BB6945E2F026AAA75844C4F3393C27174909210251BFC57A
Malicious:	false
Preview:	{"type":"uninstall","id":"8d86e050-11a5-4a1b-8e72-1ca38f9723c3","creationDate":"2024-11-28T13:30:51.248Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.944163942309647
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLP/d8P:8S+Oc+UAOdwiOdKeQjDLnd8P
MD5:	C71CCF782C4B4A44569622442E3FB5AB
SHA1:	354C44BD74CC6B83BE5E41656A42502E17E640BE
SHA-256:	221DA711CEF04512D644C0FC928CAFA77243F1AB0C7D7376C6DCF27E95C78733
SHA-512:	02DDF4621A939269490EB4ED08CFA8C46D42365551280111455F52573CEA9BC1AEB02F957103AAE36772A4CC46957BD096A08642AA1E5E545CD719A692E6BC3B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.944163942309647
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLP/d8P:8S+Oc+UAOdwiOdKeQjDLnd8P
MD5:	C71CCF782C4B4A44569622442E3FB5AB
SHA1:	354C44BD74CC6B83BE5E41656A42502E17E640BE
SHA-256:	221DA711CEF04512D644C0FC928CAFA77243F1AB0C7D7376C6DCF27E95C78733
SHA-512:	02DDF4621A939269490EB4ED08CFA8C46D42365551280111455F52573CEA9BC1AEB02F957103AAE36772A4CC46957BD096A08642AA1E5E545CD719A692E6BC3B
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329644596556428
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkii:DLhesh7Owd4+ji
MD5:	D364B7410256A205C35AE7BC382308C2
SHA1:	000CFDA79060B729E176E7E439C3F74DCA341788
SHA-256:	D814CA8AA9EEE76E14935E1257E55C4D9A6F2ABB879C85EA1AA9845C0B93AD8C
SHA-512:	AF215A2A91C72E71EDE1D4705A6BCBF410B82D850FA91BA3DB2BC55101122AD537D15799F49A1F6FC6D9C3D954B5A79D6C621F6C5566CE802E0E9D9B2ABC9705
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFXEfr/vmGYtlstFXEfr/vmGh89//alEl:GtWt2DHm/tWt2DHmw89XuM
MD5:	53D54AC7DE71CE342BF7D5D30C3F379A
SHA1:	9A3DD5D46FA222CFD8CE55ED89FEA9BFE2E5D465
SHA-256:	1B3A0E6824E4CCD45818EDEFBB542D0D8DD858EA9852FFBC6919D9DDB41E1005
SHA-512:	D9D3F848A2A548457B43D556A8F3E630EF78828333D12261DF103EC8559B8BCC39B52C22769D3D8259E4658B2A1095B445750DCF5B68132C29A077617E3913A4
Malicious:	false
Preview:	..-.....................@7~.VR....A.=.ZY...C..8...-.....................@7~.VR....A.=.ZY...C..8.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03983200694987981
Encrypted:	false
SSDEEP:	3:Ol1J/EEkllgllftIAFClgzvP7l8rEXsxdwhml8XW3R2:KbZklmxmgzvDl8dMhm93w
MD5:	A18A1C44496912CECB255B1E46F4C3F6
SHA1:	006CE48A7D8B165B63F119E1B20D6D7284CAA4E3
SHA-256:	92F7CCF0FB3A81C5A631D6656684C46CD192A4B69DEC8ED529CBE7683481A984
SHA-512:	EB18D61C068DB1618AF453D0E97A498C84B99BC25DF424AF11E9722B05606BC85F6FAF417FE736E93219AA3A8B06A3DA5AF10BD95EECCD0FD7651E4C1C890EA0
Malicious:	false
Preview:	7....-............A.=.ZY.................A.=.ZY.~7@..RV................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.477838829476421
Encrypted:	false
SSDEEP:	192:lOnSRkyYbBp6hqUCaXr6VyIfN/A5RHNBw8d5nSl:le6qUWMIVYPw+0
MD5:	6E26E4AFA95939DDBD54C932B2725150
SHA1:	45DD20B67F13A41916D90B5A5090B350064C1C8F
SHA-256:	AAB4E137ECFAC5280AC0AC49FBD4DF44EB41D9604BB4F31E791312CEFE51FC77
SHA-512:	71C9BDC83538A15C2FD2CF22AAA86CCF8CC0F0402E61DBE2936ECBD6A66B57298496B967B895DE3302EB0358CBA0C1205F4E70FE761D67107F595491B1743B69
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732800621);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732800621);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732800621);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173280

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.477838829476421
Encrypted:	false
SSDEEP:	192:lOnSRkyYbBp6hqUCaXr6VyIfN/A5RHNBw8d5nSl:le6qUWMIVYPw+0
MD5:	6E26E4AFA95939DDBD54C932B2725150
SHA1:	45DD20B67F13A41916D90B5A5090B350064C1C8F
SHA-256:	AAB4E137ECFAC5280AC0AC49FBD4DF44EB41D9604BB4F31E791312CEFE51FC77
SHA-512:	71C9BDC83538A15C2FD2CF22AAA86CCF8CC0F0402E61DBE2936ECBD6A66B57298496B967B895DE3302EB0358CBA0C1205F4E70FE761D67107F595491B1743B69
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732800621);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732800621);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732800621);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173280

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.34323160786372
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgNl/pnxQwRlszT5sKhi0qca3eHVVPNZTcamhuj3pOOcUb2mm:GUpOx1lvnR6Ica3etZTc45edHd
MD5:	FBE09D926EE9E6CDB8D69106364E50B1
SHA1:	5948E0A58749C7D354721911181D9E9D084EC7BE
SHA-256:	BD106ADDA11CD0594FFFB6092E8EA833F9672F70332AE531FC3AEE26CD836E71
SHA-512:	3BDB79E827C2BAB19425E80E41CCD28955AD957CE4295D412DB29EC24CB92409B938894C47A05B93470117A0EDC6BB3E11917D48E698B03CA6C415A08D00B472
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5634937b-bf1f-4b32-96da-7e0e92f1064d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732800624740,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`591190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@5953..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.34323160786372
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgNl/pnxQwRlszT5sKhi0qca3eHVVPNZTcamhuj3pOOcUb2mm:GUpOx1lvnR6Ica3etZTc45edHd
MD5:	FBE09D926EE9E6CDB8D69106364E50B1
SHA1:	5948E0A58749C7D354721911181D9E9D084EC7BE
SHA-256:	BD106ADDA11CD0594FFFB6092E8EA833F9672F70332AE531FC3AEE26CD836E71
SHA-512:	3BDB79E827C2BAB19425E80E41CCD28955AD957CE4295D412DB29EC24CB92409B938894C47A05B93470117A0EDC6BB3E11917D48E698B03CA6C415A08D00B472
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5634937b-bf1f-4b32-96da-7e0e92f1064d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732800624740,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`591190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@5953..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.34323160786372
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgNl/pnxQwRlszT5sKhi0qca3eHVVPNZTcamhuj3pOOcUb2mm:GUpOx1lvnR6Ica3etZTc45edHd
MD5:	FBE09D926EE9E6CDB8D69106364E50B1
SHA1:	5948E0A58749C7D354721911181D9E9D084EC7BE
SHA-256:	BD106ADDA11CD0594FFFB6092E8EA833F9672F70332AE531FC3AEE26CD836E71
SHA-512:	3BDB79E827C2BAB19425E80E41CCD28955AD957CE4295D412DB29EC24CB92409B938894C47A05B93470117A0EDC6BB3E11917D48E698B03CA6C415A08D00B472
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5634937b-bf1f-4b32-96da-7e0e92f1064d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732800624740,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`591190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@5953..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036860068601598
Encrypted:	false
SSDEEP:	48:YrSAYEeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycE+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	E100ADB29C1AADD7F1E52A2732D8D7A3
SHA1:	A3DD37E83F9CFFCBE4D603874036A7C8B457A961
SHA-256:	81756F8A9CB99B8663719492888ACC24360BDC490694AB216F516EFA56A80934
SHA-512:	0BB874259385064F506847D5813D8AD26B7454D9561AB051164D00808FC265F12F2A8AD9E6926403954A2E749A8F6A2A6DD28C66CA06BBB8FC9ECDCD6F925F5B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-28T13:30:05.416Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036860068601598
Encrypted:	false
SSDEEP:	48:YrSAYEeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycE+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	E100ADB29C1AADD7F1E52A2732D8D7A3
SHA1:	A3DD37E83F9CFFCBE4D603874036A7C8B457A961
SHA-256:	81756F8A9CB99B8663719492888ACC24360BDC490694AB216F516EFA56A80934
SHA-512:	0BB874259385064F506847D5813D8AD26B7454D9561AB051164D00808FC265F12F2A8AD9E6926403954A2E749A8F6A2A6DD28C66CA06BBB8FC9ECDCD6F925F5B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-28T13:30:05.416Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591381667393511
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	e95da9c734f70679a829c932bcc05884
SHA1:	5e4b62499d9210732679c2d2c0c861f95d6c57b4
SHA256:	cf8d0ac7e1d03c2bcbee68404434c91f160e5b429ef870fdc1a8b26d9ba1cc96
SHA512:	53722efca75ba3447d74b2858c35b695ef4c585d3261814ced98702e7eef950b9d6889a22514af2d2ecb6c5b612fcc42e73da3b2ac49571a19d5cb2406229968
SSDEEP:	12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaGTf:MqDEvCTbMWu7rQYlBQcBiT6rprG8aef
TLSH:	D9159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67485838 [Thu Nov 28 11:47:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FAEACAF1673h
jmp 00007FAEACAF0F7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FAEACAF115Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FAEACAF112Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FAEACAF3D1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FAEACAF3D68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FAEACAF3D51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa7b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa7b8	0xa800	80d2614f15529e670c37efa5084a4679	False	0.3693266369047619	data	5.6114182979548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a80	data			1.001621462264151
RT_GROUP_ICON	0xde238	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde2b0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde2c4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde2d8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde2ec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde3c8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 13:10:14.414063931 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:14.414099932 CET	443	49709	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:14.416131973 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:14.421837091 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:14.421852112 CET	443	49709	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:14.422252893 CET	49710	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:14.422382116 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.422391891 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:14.422702074 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.422729015 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:14.425271034 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.425277948 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.426939011 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.426953077 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:14.428492069 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:14.428505898 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:14.542359114 CET	80	49710	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:14.542486906 CET	49710	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:14.542587042 CET	49710	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:14.662519932 CET	80	49710	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:14.831772089 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.831811905 CET	443	49713	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:14.833349943 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.834894896 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.834913015 CET	443	49713	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:14.866432905 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.866458893 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:14.866878033 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.868364096 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:14.868375063 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:14.884512901 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:14.884526968 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:14.885103941 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:14.885355949 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:14.885366917 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:15.257834911 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:15.257879019 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:15.263829947 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:15.263978958 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:15.263999939 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:15.639244080 CET	443	49709	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:15.645076036 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:15.653894901 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:15.653913975 CET	443	49709	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:15.654021978 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:15.654522896 CET	443	49709	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:15.656132936 CET	49709	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:15.673962116 CET	80	49710	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:15.682239056 CET	49710	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:15.802653074 CET	80	49710	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:15.805277109 CET	49710	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.058785915 CET	443	49713	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.061321020 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.094691992 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.099329948 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.109855890 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.125694036 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.125714064 CET	443	49713	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.125859976 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.125983000 CET	443	49713	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.130084991 CET	49713	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.140722990 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.140739918 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.140809059 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.140996933 CET	443	49714	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.141218901 CET	49714	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.175802946 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.175890923 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.176523924 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.177845955 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.178103924 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.178232908 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.178574085 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.180278063 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.182913065 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.182919979 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.183005095 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.183114052 CET	443	49711	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.184700012 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.184711933 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.184762955 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.184881926 CET	49711	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.184952021 CET	443	49712	142.250.181.78	192.168.2.7
Nov 28, 2024 13:10:16.186422110 CET	49712	443	192.168.2.7	142.250.181.78
Nov 28, 2024 13:10:16.196167946 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:16.196500063 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.199373007 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.199382067 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:16.199908018 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:16.201853991 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.201944113 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.202008963 CET	443	49715	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:16.202258110 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.202276945 CET	49715	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:16.468584061 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.468663931 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.526413918 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:16.528985977 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:16.531728029 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:16.531734943 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:16.532033920 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:16.534646988 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:16.534714937 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:16.534784079 CET	443	49716	34.160.144.191	192.168.2.7
Nov 28, 2024 13:10:16.534954071 CET	49716	443	192.168.2.7	34.160.144.191
Nov 28, 2024 13:10:16.565943003 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.565977097 CET	443	49720	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.567681074 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.569149971 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:16.569161892 CET	443	49720	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:16.589066982 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:16.589131117 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:16.591308117 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.591411114 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.597985029 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.598098993 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:16.721832037 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:16.722068071 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:17.121227980 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:17.121279955 CET	443	49727	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:17.123687983 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:17.125086069 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:17.125101089 CET	443	49727	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:17.663433075 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:17.663465977 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:17.663621902 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:17.663753986 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:17.663765907 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:17.687891960 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:17.687918901 CET	443	49729	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:17.688312054 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:17.689723969 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:17.689738989 CET	443	49729	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:17.728674889 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:17.774549961 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:17.796504021 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:17.796541929 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:17.804492950 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:17.805941105 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:17.805958986 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:17.817883968 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:17.837723970 CET	443	49720	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:17.838624001 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.842288971 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:17.843307972 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.843322039 CET	443	49720	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:17.843427896 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.843476057 CET	443	49720	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:17.843682051 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.843727112 CET	443	49731	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:17.848146915 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.848198891 CET	49720	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.849581003 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:17.849595070 CET	443	49731	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:17.856102943 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:17.937832117 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:17.976130009 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:18.151226044 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:18.180314064 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:18.250389099 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:18.250443935 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:18.922019005 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:18.922092915 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:18.924899101 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:18.924906969 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:18.925158024 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:18.928008080 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:18.928088903 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:18.928164005 CET	443	49728	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:18.928232908 CET	49728	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:18.945167065 CET	443	49727	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:18.945240021 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:18.950089931 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:18.950097084 CET	443	49727	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:18.950187922 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:18.950433016 CET	443	49727	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:18.950612068 CET	49727	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:18.952642918 CET	443	49729	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:18.952709913 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:18.957186937 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:18.957195997 CET	443	49729	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:18.957248926 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:18.957365990 CET	443	49729	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:18.957634926 CET	49729	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:19.114594936 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:19.114609957 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:19.114670038 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.115473986 CET	443	49731	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:19.115535975 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:19.121802092 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.121808052 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:19.121897936 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.121990919 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:19.122004032 CET	443	49731	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:19.122051954 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:19.122169971 CET	443	49731	34.117.188.166	192.168.2.7
Nov 28, 2024 13:10:19.122245073 CET	443	49730	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:19.122260094 CET	49731	443	192.168.2.7	34.117.188.166
Nov 28, 2024 13:10:19.122288942 CET	49730	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.702554941 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:19.822566986 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:19.832542896 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:19.852878094 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:19.852905989 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:19.854203939 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:19.854465008 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:19.854476929 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:19.952635050 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:19.980844021 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.980880976 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:19.981214046 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.982435942 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:19.982450008 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:20.039901972 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:20.091330051 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:20.159471035 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:20.163048029 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:20.207271099 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:20.283431053 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:20.497108936 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:20.539321899 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:21.065531015 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:21.072071075 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.154721022 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.154736042 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:21.155061007 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:21.166929960 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.167009115 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.167149067 CET	443	49738	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:21.168590069 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.168606043 CET	49738	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:21.194456100 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:21.199331999 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:21.209482908 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:21.303576946 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:21.303584099 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:21.303683043 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:21.303817034 CET	443	49739	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:21.309402943 CET	49739	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.682529926 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:24.684921980 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.684951067 CET	443	49752	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:24.687544107 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.688954115 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.688966990 CET	443	49752	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:24.802434921 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:24.971270084 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.971297026 CET	443	49753	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:24.971369982 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.971537113 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.971544027 CET	443	49753	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:24.991590977 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:24.991626978 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:24.991839886 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:25.006720066 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:25.061153889 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:25.380922079 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:25.380939960 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:25.945635080 CET	443	49752	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:25.945713997 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.228925943 CET	443	49753	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.233423948 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.381278038 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.381292105 CET	443	49753	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.381705046 CET	443	49753	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.384026051 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.384041071 CET	443	49752	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.384109974 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.384201050 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.384263039 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.384268999 CET	443	49752	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.384383917 CET	49753	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.384399891 CET	49752	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.415924072 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:26.418863058 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:26.418879032 CET	443	49761	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:26.425246000 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:26.426697016 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:26.426709890 CET	443	49761	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:26.461242914 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:26.536036015 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:26.581573009 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:26.638474941 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.638550043 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.749243975 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:26.785887957 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:26.803807974 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:26.834512949 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:26.954772949 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.954797029 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.955199003 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.956934929 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.957019091 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.957138062 CET	443	49754	34.120.208.123	192.168.2.7
Nov 28, 2024 13:10:26.957731009 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.957746983 CET	49754	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:10:26.959440947 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:26.963887930 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.082367897 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.086215973 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.290791988 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.295867920 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.336544037 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.336550951 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.429086924 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.550087929 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.637073040 CET	443	49761	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:27.637146950 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:27.764203072 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:27.822424889 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.847104073 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:27.847119093 CET	443	49761	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:27.847170115 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:27.847383022 CET	443	49761	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:27.848897934 CET	49761	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:27.851419926 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:27.971623898 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:28.177217960 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:28.180279016 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:28.223439932 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:28.300373077 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:28.518450022 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:28.571247101 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:37.862912893 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:37.862934113 CET	443	49786	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:37.863243103 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:37.864722967 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:37.864737988 CET	443	49786	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:38.188949108 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:38.308896065 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:38.527667999 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:38.647784948 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:39.173187017 CET	443	49786	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:39.173413038 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:39.178458929 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:39.178467035 CET	443	49786	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:39.178601027 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:39.178622007 CET	443	49786	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:39.178896904 CET	49786	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:39.181814909 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:39.304780960 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:39.509447098 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:39.521933079 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:39.577533007 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:39.642544985 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:39.856028080 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:39.909624100 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:41.678288937 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:41.678329945 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:41.683413982 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:41.683588982 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:41.683604002 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:41.702214956 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:41.702255011 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:41.702872038 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:41.703058958 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:41.703073978 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:41.740493059 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:41.740540028 CET	443	49796	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:41.745094061 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:41.746714115 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:41.746728897 CET	443	49796	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:41.890691996 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:41.890710115 CET	443	49798	35.201.103.21	192.168.2.7
Nov 28, 2024 13:10:41.891180038 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:41.892745018 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:41.892760992 CET	443	49798	35.201.103.21	192.168.2.7
Nov 28, 2024 13:10:41.945293903 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:41.945305109 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:41.945755005 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:41.945943117 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:41.945954084 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:42.898777962 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:42.898888111 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:42.902313948 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:42.902324915 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:42.902568102 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:42.904722929 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:42.904891968 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:42.904907942 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:42.904913902 CET	443	49794	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:42.905006886 CET	49794	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:42.909545898 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:42.964231014 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:42.964344978 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:42.967978954 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:42.967989922 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:42.968439102 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:42.970582962 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:42.970681906 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:42.970841885 CET	443	49795	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:42.971204996 CET	49795	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:43.003654003 CET	443	49796	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:43.003840923 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:43.008867979 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:43.008883953 CET	443	49796	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:43.009044886 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:43.009057045 CET	443	49796	35.190.72.216	192.168.2.7
Nov 28, 2024 13:10:43.009622097 CET	49796	443	192.168.2.7	35.190.72.216
Nov 28, 2024 13:10:43.030745029 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.154859066 CET	443	49798	35.201.103.21	192.168.2.7
Nov 28, 2024 13:10:43.154969931 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:43.160459995 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:43.160470963 CET	443	49798	35.201.103.21	192.168.2.7
Nov 28, 2024 13:10:43.160562992 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:43.160621881 CET	443	49798	35.201.103.21	192.168.2.7
Nov 28, 2024 13:10:43.161535978 CET	49798	443	192.168.2.7	35.201.103.21
Nov 28, 2024 13:10:43.165345907 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:43.165375948 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:43.165462971 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:43.165584087 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:43.165597916 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:43.234869957 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.238656998 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:43.251187086 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:43.251266956 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:43.254847050 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:43.254852057 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:43.255068064 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:43.257909060 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:43.258022070 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:43.258032084 CET	443	49799	151.101.193.91	192.168.2.7
Nov 28, 2024 13:10:43.258219004 CET	49799	443	192.168.2.7	151.101.193.91
Nov 28, 2024 13:10:43.267222881 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.267240047 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.267575026 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.267719030 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.267729044 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.269855976 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.269889116 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.270174026 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.270338058 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.270349026 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.272391081 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.272406101 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.272594929 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.272713900 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:43.272732973 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:43.274467945 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:43.358694077 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.394345045 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.572313070 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.598448038 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.601984024 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:43.642798901 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:43.721909046 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.936817884 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:43.990521908 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:44.424000978 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:44.425472975 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.428436995 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.428446054 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:44.428698063 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:44.430387020 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.430465937 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.430558920 CET	443	49804	34.149.100.209	192.168.2.7
Nov 28, 2024 13:10:44.434304953 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:44.435273886 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.435292959 CET	49804	443	192.168.2.7	34.149.100.209
Nov 28, 2024 13:10:44.485378027 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.485474110 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.488198996 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.488205910 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.488445044 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.491221905 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.491295099 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.491370916 CET	443	49806	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.491925955 CET	49806	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.525379896 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.525459051 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.527769089 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.527774096 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.528037071 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.529756069 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.529881001 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.531922102 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.531927109 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.532175064 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.532510042 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.532601118 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.532672882 CET	443	49805	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.534483910 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.534538031 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.534631968 CET	443	49807	35.244.181.201	192.168.2.7
Nov 28, 2024 13:10:44.536156893 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.536173105 CET	49805	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.536186934 CET	49807	443	192.168.2.7	35.244.181.201
Nov 28, 2024 13:10:44.554219961 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:44.758745909 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:44.765232086 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:44.808433056 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:44.886518002 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:45.100284100 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:45.147043943 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:54.774164915 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:54.894278049 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:55.111434937 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:10:55.238322973 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:10:59.207943916 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:59.207988024 CET	443	49843	34.107.243.93	192.168.2.7
Nov 28, 2024 13:10:59.212219000 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:59.213790894 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:10:59.213807106 CET	443	49843	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:00.478357077 CET	443	49843	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:00.478456974 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:00.483597994 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:00.483607054 CET	443	49843	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:00.483699083 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:00.483752012 CET	443	49843	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:00.484456062 CET	49843	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:00.486470938 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:00.606523991 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:00.810684919 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:00.814133883 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:00.851882935 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:00.934072971 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:01.147978067 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:01.190479040 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:10.818051100 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:10.938311100 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:11.150453091 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:11.270451069 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:11.499321938 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.499365091 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.500417948 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.500608921 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.500621080 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.507049084 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.507076025 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.507177114 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.507196903 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.507297993 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.507339001 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.520353079 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520359039 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520359039 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520454884 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520466089 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.520555973 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520571947 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.520637035 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.520652056 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.524096012 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.524112940 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.524456024 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.524478912 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.525906086 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.525974989 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.526052952 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.526062965 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:11.526192904 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:11.526209116 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.711642981 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.714715958 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.718429089 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.718441010 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.718765020 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.721297979 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.721467018 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.721470118 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.721482038 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.722043037 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.722083092 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.725084066 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.725423098 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.725455046 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.726767063 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:12.736548901 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.736641884 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.740132093 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.740156889 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.740456104 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.743040085 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.743165970 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.743242979 CET	443	49874	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.743669987 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.743719101 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.743917942 CET	49874	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.743947983 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.744163036 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.744179964 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.779057980 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.779074907 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.779165030 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.779180050 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.780200005 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.780214071 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.784831047 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.790860891 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.790921926 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.794143915 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.794167042 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.794493914 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.796605110 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.796637058 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.796828985 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.796853065 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.796910048 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.799561977 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.799590111 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.800517082 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.801806927 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.801817894 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.802730083 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.807173014 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.807343960 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.807410002 CET	443	49872	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.807672024 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.807849884 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.807899952 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.807913065 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.808434963 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.808506012 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.808885098 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.808913946 CET	443	49875	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.808964014 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.809308052 CET	443	49873	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.809752941 CET	49872	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.809777021 CET	49875	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.809792995 CET	49873	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:12.846693993 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:12.927377939 CET	443	49870	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:12.929055929 CET	49870	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:13.031325102 CET	443	49871	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:13.031382084 CET	49871	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:13.051203966 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:13.070080042 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:13.107285976 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:13.190185070 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:13.404249907 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:13.446079016 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:14.002168894 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.002264023 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.005776882 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.005798101 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.006077051 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.008521080 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.008671045 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.008691072 CET	443	49880	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.009984970 CET	49880	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.012255907 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:14.028387070 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.030503035 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.031857967 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.031866074 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.032155991 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.034678936 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.034678936 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.034831047 CET	443	49879	34.120.208.123	192.168.2.7
Nov 28, 2024 13:11:14.036350012 CET	49879	443	192.168.2.7	34.120.208.123
Nov 28, 2024 13:11:14.132232904 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:14.336499929 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:14.340485096 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:14.379709959 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:14.460397005 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:14.673670053 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:14.733573914 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:15.995841026 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:16.115895033 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:16.320631027 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:16.323932886 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:16.368957043 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:16.444034100 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:16.657641888 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:16.701016903 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:26.328144073 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:26.448160887 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:26.666912079 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:26.787091017 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:36.462090969 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:36.582488060 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:36.794234037 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:36.914550066 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:40.916758060 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:40.916807890 CET	443	49943	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:40.917160034 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:40.918659925 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:40.918670893 CET	443	49943	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:42.789033890 CET	443	49943	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:42.789225101 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:42.794136047 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:42.794143915 CET	443	49943	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:42.794250965 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:42.794265032 CET	443	49943	34.107.243.93	192.168.2.7
Nov 28, 2024 13:11:42.794358969 CET	49943	443	192.168.2.7	34.107.243.93
Nov 28, 2024 13:11:42.797236919 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:42.917249918 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:43.121637106 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:43.125168085 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:43.165851116 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:43.245181084 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:43.459007978 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:43.507657051 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:53.125616074 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:53.245575905 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:11:53.463331938 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:11:53.583615065 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:12:03.252906084 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:12:03.373233080 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:12:03.591583967 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:12:03.712706089 CET	80	49718	34.107.221.82	192.168.2.7
Nov 28, 2024 13:12:13.373440981 CET	49719	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:12:13.495390892 CET	80	49719	34.107.221.82	192.168.2.7
Nov 28, 2024 13:12:13.721852064 CET	49718	80	192.168.2.7	34.107.221.82
Nov 28, 2024 13:12:13.842143059 CET	80	49718	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 13:10:14.274286985 CET	55655	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.275305986 CET	49890	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.414679050 CET	61452	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.417136908 CET	53	49890	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.417293072 CET	58074	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.418195009 CET	51668	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.553343058 CET	53	61452	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.554601908 CET	53	58074	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.555248976 CET	53	51668	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.557967901 CET	54790	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.558221102 CET	63954	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.558633089 CET	59464	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.687527895 CET	56862	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.698438883 CET	53	63954	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.698726892 CET	53	54790	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.719587088 CET	50773	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.805934906 CET	53	59464	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.829437971 CET	53	56862	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.832283020 CET	64979	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.854162931 CET	52724	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.863127947 CET	53	50773	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.866811991 CET	55994	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.885010004 CET	55510	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.970993996 CET	53	64979	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:14.971507072 CET	63300	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:14.993346930 CET	53	52724	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.005328894 CET	53	55994	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.006567955 CET	52658	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.109931946 CET	53	63300	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.130825043 CET	53	55510	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.131603956 CET	54910	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.145526886 CET	53	52658	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.259167910 CET	52094	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.273978949 CET	53	54910	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.399981976 CET	53	52094	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.400707960 CET	62718	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.542301893 CET	53	62718	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.594875097 CET	53858	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.733375072 CET	57360	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.733772993 CET	63253	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:15.872391939 CET	53	63253	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:15.872731924 CET	53	57360	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:16.183614969 CET	53	55823	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:16.194046974 CET	58024	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:16.566414118 CET	58236	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:16.793643951 CET	53	58236	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:16.809329987 CET	60772	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:16.951498032 CET	53	60772	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:16.954248905 CET	53497	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.099551916 CET	53	53497	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:17.527038097 CET	61431	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.664819956 CET	53	61431	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:17.688097000 CET	54867	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.818098068 CET	59166	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.826630116 CET	53	54867	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:17.827545881 CET	63302	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.956501961 CET	53	59166	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:17.957256079 CET	49374	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:17.965823889 CET	53	63302	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:18.095597029 CET	53	49374	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:19.686341047 CET	64774	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:19.824726105 CET	53	64774	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:19.825464964 CET	56088	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:19.969531059 CET	53	56088	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:19.972053051 CET	55468	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:20.112366915 CET	53	55468	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:24.830683947 CET	62592	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:24.970520973 CET	53	62592	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:25.709357023 CET	60387	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:25.847963095 CET	53	60387	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:25.848922968 CET	60925	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:25.986646891 CET	53	60925	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:26.424451113 CET	59746	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:26.427144051 CET	62286	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:26.427676916 CET	61231	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:26.563184023 CET	53	59746	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:26.565304041 CET	53	62286	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:26.565332890 CET	53	61231	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:26.951750040 CET	50163	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:26.951750040 CET	57521	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:26.951997042 CET	57954	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.094588041 CET	53	50163	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.094767094 CET	53	57954	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.095216990 CET	61198	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.095253944 CET	61468	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.095448017 CET	53	57521	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.095889091 CET	61101	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.233019114 CET	53	61468	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.233095884 CET	53	61198	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.233279943 CET	53	61101	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.426249027 CET	51243	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.426547050 CET	63438	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.572242975 CET	53	51243	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.572941065 CET	53	63438	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.843168020 CET	61671	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.844502926 CET	56028	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.988708019 CET	53	61671	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.988769054 CET	53	56028	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:27.989439011 CET	61071	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:27.989483118 CET	59639	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:28.127504110 CET	53	61071	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:28.130285978 CET	53	59639	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:37.863169909 CET	63161	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:38.004019976 CET	53	63161	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:40.797285080 CET	57506	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:40.944185972 CET	53	57506	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:41.678536892 CET	57474	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:41.701677084 CET	57648	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:41.745986938 CET	57441	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:41.826955080 CET	53	57474	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:41.889375925 CET	53	57441	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:41.891096115 CET	63239	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:41.944128036 CET	53	57648	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:41.945679903 CET	51667	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:42.029556036 CET	53	63239	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:42.030361891 CET	57266	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:42.085484982 CET	53	51667	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:42.086292982 CET	62127	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:42.168447018 CET	53	57266	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:42.225264072 CET	53	62127	1.1.1.1	192.168.2.7
Nov 28, 2024 13:10:59.208270073 CET	59189	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:10:59.354945898 CET	53	59189	1.1.1.1	192.168.2.7
Nov 28, 2024 13:11:00.486692905 CET	55545	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:11.499677896 CET	53821	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:11.638422966 CET	53	53821	1.1.1.1	192.168.2.7
Nov 28, 2024 13:11:13.071638107 CET	62242	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:13.211560965 CET	53	62242	1.1.1.1	192.168.2.7
Nov 28, 2024 13:11:40.778235912 CET	65047	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:40.915725946 CET	53	65047	1.1.1.1	192.168.2.7
Nov 28, 2024 13:11:40.917119026 CET	57194	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:41.054666042 CET	53	57194	1.1.1.1	192.168.2.7
Nov 28, 2024 13:11:42.798352003 CET	57065	53	192.168.2.7	1.1.1.1
Nov 28, 2024 13:11:42.936129093 CET	53	57065	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 13:10:14.274286985 CET	192.168.2.7	1.1.1.1	0x3b7d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.275305986 CET	192.168.2.7	1.1.1.1	0xcef2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.414679050 CET	192.168.2.7	1.1.1.1	0xdace	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.417293072 CET	192.168.2.7	1.1.1.1	0x66c2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.418195009 CET	192.168.2.7	1.1.1.1	0x9645	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.557967901 CET	192.168.2.7	1.1.1.1	0x339e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:14.558221102 CET	192.168.2.7	1.1.1.1	0xbf42	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:14.558633089 CET	192.168.2.7	1.1.1.1	0x8b49	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:14.687527895 CET	192.168.2.7	1.1.1.1	0x431	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.719587088 CET	192.168.2.7	1.1.1.1	0x994b	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.832283020 CET	192.168.2.7	1.1.1.1	0x17ba	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.854162931 CET	192.168.2.7	1.1.1.1	0x3b10	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.866811991 CET	192.168.2.7	1.1.1.1	0x3bdf	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.885010004 CET	192.168.2.7	1.1.1.1	0x43df	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.971507072 CET	192.168.2.7	1.1.1.1	0xa231	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:15.006567955 CET	192.168.2.7	1.1.1.1	0xa6a5	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:15.131603956 CET	192.168.2.7	1.1.1.1	0x8d2b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:15.259167910 CET	192.168.2.7	1.1.1.1	0x4aa6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.400707960 CET	192.168.2.7	1.1.1.1	0xe422	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:15.594875097 CET	192.168.2.7	1.1.1.1	0xce14	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.733375072 CET	192.168.2.7	1.1.1.1	0x7054	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.733772993 CET	192.168.2.7	1.1.1.1	0x7fa0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.194046974 CET	192.168.2.7	1.1.1.1	0x3089	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.566414118 CET	192.168.2.7	1.1.1.1	0x98ae	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.809329987 CET	192.168.2.7	1.1.1.1	0xca5c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.954248905 CET	192.168.2.7	1.1.1.1	0x4f4e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:17.527038097 CET	192.168.2.7	1.1.1.1	0x9090	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.688097000 CET	192.168.2.7	1.1.1.1	0x5945	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.818098068 CET	192.168.2.7	1.1.1.1	0xfad8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.827545881 CET	192.168.2.7	1.1.1.1	0x7b00	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:17.957256079 CET	192.168.2.7	1.1.1.1	0x7b3d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:19.686341047 CET	192.168.2.7	1.1.1.1	0xeeac	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:19.825464964 CET	192.168.2.7	1.1.1.1	0xa96d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:19.972053051 CET	192.168.2.7	1.1.1.1	0x70af	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:24.830683947 CET	192.168.2.7	1.1.1.1	0xb5bb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:25.709357023 CET	192.168.2.7	1.1.1.1	0x429c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:25.848922968 CET	192.168.2.7	1.1.1.1	0xa8f1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:26.424451113 CET	192.168.2.7	1.1.1.1	0xb08a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.427144051 CET	192.168.2.7	1.1.1.1	0xb699	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.427676916 CET	192.168.2.7	1.1.1.1	0x9987	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.951750040 CET	192.168.2.7	1.1.1.1	0xbf9f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.951750040 CET	192.168.2.7	1.1.1.1	0x631d	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.951997042 CET	192.168.2.7	1.1.1.1	0x2d8d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.095216990 CET	192.168.2.7	1.1.1.1	0x3439	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:27.095253944 CET	192.168.2.7	1.1.1.1	0xcb63	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 28, 2024 13:10:27.095889091 CET	192.168.2.7	1.1.1.1	0xfbb4	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:27.426249027 CET	192.168.2.7	1.1.1.1	0x54da	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.426547050 CET	192.168.2.7	1.1.1.1	0x31bc	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.843168020 CET	192.168.2.7	1.1.1.1	0x5e8	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.844502926 CET	192.168.2.7	1.1.1.1	0x369b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.989439011 CET	192.168.2.7	1.1.1.1	0x4a4c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:27.989483118 CET	192.168.2.7	1.1.1.1	0xcfbd	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:37.863169909 CET	192.168.2.7	1.1.1.1	0x6cef	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:40.797285080 CET	192.168.2.7	1.1.1.1	0xef52	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.678536892 CET	192.168.2.7	1.1.1.1	0xf37d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:10:41.701677084 CET	192.168.2.7	1.1.1.1	0xf9f3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.745986938 CET	192.168.2.7	1.1.1.1	0x1b0e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.891096115 CET	192.168.2.7	1.1.1.1	0x2b91	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.945679903 CET	192.168.2.7	1.1.1.1	0xd74f	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.030361891 CET	192.168.2.7	1.1.1.1	0xa4b5	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:10:42.086292982 CET	192.168.2.7	1.1.1.1	0xd239	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 28, 2024 13:10:59.208270073 CET	192.168.2.7	1.1.1.1	0x65db	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:11:00.486692905 CET	192.168.2.7	1.1.1.1	0x4c7f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:11:11.499677896 CET	192.168.2.7	1.1.1.1	0xcf7a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:11:13.071638107 CET	192.168.2.7	1.1.1.1	0x8262	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 28, 2024 13:11:40.778235912 CET	192.168.2.7	1.1.1.1	0x9a04	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:11:40.917119026 CET	192.168.2.7	1.1.1.1	0xa62d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 28, 2024 13:11:42.798352003 CET	192.168.2.7	1.1.1.1	0xa96a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 13:10:14.411858082 CET	1.1.1.1	192.168.2.7	0x7587	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.414381981 CET	1.1.1.1	192.168.2.7	0x3b7d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:14.414381981 CET	1.1.1.1	192.168.2.7	0x3b7d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.417136908 CET	1.1.1.1	192.168.2.7	0xcef2	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.553343058 CET	1.1.1.1	192.168.2.7	0xdace	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.554601908 CET	1.1.1.1	192.168.2.7	0x66c2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.555248976 CET	1.1.1.1	192.168.2.7	0x9645	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.698438883 CET	1.1.1.1	192.168.2.7	0xbf42	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 28, 2024 13:10:14.805934906 CET	1.1.1.1	192.168.2.7	0x8b49	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:14.829437971 CET	1.1.1.1	192.168.2.7	0x431	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.863127947 CET	1.1.1.1	192.168.2.7	0x994b	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:14.863127947 CET	1.1.1.1	192.168.2.7	0x994b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.880254984 CET	1.1.1.1	192.168.2.7	0xf9be	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:14.880254984 CET	1.1.1.1	192.168.2.7	0xf9be	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.970993996 CET	1.1.1.1	192.168.2.7	0x17ba	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:14.993346930 CET	1.1.1.1	192.168.2.7	0x3b10	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:14.993346930 CET	1.1.1.1	192.168.2.7	0x3b10	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:14.993346930 CET	1.1.1.1	192.168.2.7	0x3b10	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.005328894 CET	1.1.1.1	192.168.2.7	0x3bdf	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.130825043 CET	1.1.1.1	192.168.2.7	0x43df	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.399981976 CET	1.1.1.1	192.168.2.7	0x4aa6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.542301893 CET	1.1.1.1	192.168.2.7	0xe422	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 28, 2024 13:10:15.805318117 CET	1.1.1.1	192.168.2.7	0xce14	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:15.872391939 CET	1.1.1.1	192.168.2.7	0x7fa0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.872391939 CET	1.1.1.1	192.168.2.7	0x7fa0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:15.872731924 CET	1.1.1.1	192.168.2.7	0x7054	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.340430975 CET	1.1.1.1	192.168.2.7	0x3089	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:16.340430975 CET	1.1.1.1	192.168.2.7	0x3089	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.793643951 CET	1.1.1.1	192.168.2.7	0x98ae	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:16.951498032 CET	1.1.1.1	192.168.2.7	0xca5c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.662475109 CET	1.1.1.1	192.168.2.7	0xc3e9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:17.662475109 CET	1.1.1.1	192.168.2.7	0xc3e9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.664819956 CET	1.1.1.1	192.168.2.7	0x9090	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:17.664819956 CET	1.1.1.1	192.168.2.7	0x9090	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.795469999 CET	1.1.1.1	192.168.2.7	0xa426	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.826630116 CET	1.1.1.1	192.168.2.7	0x5945	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:17.956501961 CET	1.1.1.1	192.168.2.7	0xfad8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:19.824726105 CET	1.1.1.1	192.168.2.7	0xeeac	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:19.824726105 CET	1.1.1.1	192.168.2.7	0xeeac	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:19.824726105 CET	1.1.1.1	192.168.2.7	0xeeac	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:19.969531059 CET	1.1.1.1	192.168.2.7	0xa96d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:19.978697062 CET	1.1.1.1	192.168.2.7	0x432c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:24.823839903 CET	1.1.1.1	192.168.2.7	0x8344	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:25.847963095 CET	1.1.1.1	192.168.2.7	0x429c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.563184023 CET	1.1.1.1	192.168.2.7	0xb08a	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.565304041 CET	1.1.1.1	192.168.2.7	0xb699	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:26.565304041 CET	1.1.1.1	192.168.2.7	0xb699	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:26.565332890 CET	1.1.1.1	192.168.2.7	0x9987	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:26.565332890 CET	1.1.1.1	192.168.2.7	0x9987	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094588041 CET	1.1.1.1	192.168.2.7	0xbf9f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.094767094 CET	1.1.1.1	192.168.2.7	0x2d8d	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.095448017 CET	1.1.1.1	192.168.2.7	0x631d	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.233019114 CET	1.1.1.1	192.168.2.7	0xcb63	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.233095884 CET	1.1.1.1	192.168.2.7	0x3439	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.233095884 CET	1.1.1.1	192.168.2.7	0x3439	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.233095884 CET	1.1.1.1	192.168.2.7	0x3439	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.233095884 CET	1.1.1.1	192.168.2.7	0x3439	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.233279943 CET	1.1.1.1	192.168.2.7	0xfbb4	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 28, 2024 13:10:27.572242975 CET	1.1.1.1	192.168.2.7	0x54da	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:27.572242975 CET	1.1.1.1	192.168.2.7	0x54da	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.572242975 CET	1.1.1.1	192.168.2.7	0x54da	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.572242975 CET	1.1.1.1	192.168.2.7	0x54da	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.572242975 CET	1.1.1.1	192.168.2.7	0x54da	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.572941065 CET	1.1.1.1	192.168.2.7	0x31bc	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.988708019 CET	1.1.1.1	192.168.2.7	0x5e8	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.988708019 CET	1.1.1.1	192.168.2.7	0x5e8	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.988708019 CET	1.1.1.1	192.168.2.7	0x5e8	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.988708019 CET	1.1.1.1	192.168.2.7	0x5e8	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:27.988769054 CET	1.1.1.1	192.168.2.7	0x369b	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:40.944185972 CET	1.1.1.1	192.168.2.7	0xef52	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:40.944185972 CET	1.1.1.1	192.168.2.7	0xef52	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:40.944185972 CET	1.1.1.1	192.168.2.7	0xef52	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:40.944185972 CET	1.1.1.1	192.168.2.7	0xef52	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.889375925 CET	1.1.1.1	192.168.2.7	0x1b0e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:41.889375925 CET	1.1.1.1	192.168.2.7	0x1b0e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.944128036 CET	1.1.1.1	192.168.2.7	0xf9f3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.944128036 CET	1.1.1.1	192.168.2.7	0xf9f3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.944128036 CET	1.1.1.1	192.168.2.7	0xf9f3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:41.944128036 CET	1.1.1.1	192.168.2.7	0xf9f3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.029556036 CET	1.1.1.1	192.168.2.7	0x2b91	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.085484982 CET	1.1.1.1	192.168.2.7	0xd74f	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.085484982 CET	1.1.1.1	192.168.2.7	0xd74f	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.085484982 CET	1.1.1.1	192.168.2.7	0xd74f	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.085484982 CET	1.1.1.1	192.168.2.7	0xd74f	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:10:42.225264072 CET	1.1.1.1	192.168.2.7	0xd239	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 28, 2024 13:10:42.225264072 CET	1.1.1.1	192.168.2.7	0xd239	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 28, 2024 13:10:42.225264072 CET	1.1.1.1	192.168.2.7	0xd239	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 28, 2024 13:10:42.225264072 CET	1.1.1.1	192.168.2.7	0xd239	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 28, 2024 13:10:45.034423113 CET	1.1.1.1	192.168.2.7	0xef0f	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:10:45.034423113 CET	1.1.1.1	192.168.2.7	0xef0f	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:11:00.632647038 CET	1.1.1.1	192.168.2.7	0x4c7f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 13:11:00.632647038 CET	1.1.1.1	192.168.2.7	0x4c7f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:11:13.211560965 CET	1.1.1.1	192.168.2.7	0x8262	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 28, 2024 13:11:40.915725946 CET	1.1.1.1	192.168.2.7	0x9a04	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:11:42.936129093 CET	1.1.1.1	192.168.2.7	0xa96a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	34.107.221.82	80	6464	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:10:14.542587042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:15.673962116 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39834 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49718	34.107.221.82	80	6464	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:10:16.597985029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:17.774549961 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79840 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:17.817883968 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:18.151226044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79840 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:19.702554941 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:20.039901972 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79842 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:20.163048029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:20.497108936 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79843 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:26.415924072 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:26.749243975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79849 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:26.959440947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:27.295867920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79850 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:27.429086924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:27.764203072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79850 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:28.180279016 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:28.518450022 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79851 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:38.527667999 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:10:39.521933079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:39.856028080 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79862 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:43.238656998 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:43.572313070 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79866 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:43.601984024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:43.936817884 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79866 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:44.765232086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:10:45.100284100 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79867 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:10:55.111434937 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:00.814133883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:11:01.147978067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79883 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:11:11.150453091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:13.070080042 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:11:13.404249907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79896 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:11:14.340485096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:11:14.673670053 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79897 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:11:16.323932886 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:11:16.657641888 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79899 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:11:26.666912079 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:36.794234037 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:43.125168085 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 28, 2024 13:11:43.459007978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 27 Nov 2024 13:59:37 GMT Age: 79926 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 28, 2024 13:11:53.463331938 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:12:03.591583967 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:12:13.721852064 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49719	34.107.221.82	80	6464	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:10:16.598098993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:17.728674889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39836 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:17.856102943 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:18.180314064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39837 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:19.832542896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:20.159471035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39839 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:24.682529926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:25.006720066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39843 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:26.461242914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:26.785887957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39845 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:26.963887930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:27.290791988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39846 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:27.851419926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:28.177217960 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39847 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:38.188949108 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:10:39.181814909 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:39.509447098 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39858 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:42.909545898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:43.234869957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39862 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:43.274467945 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:43.598448038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39862 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:44.434304953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:10:44.758745909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39863 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:10:54.774164915 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:00.486470938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:11:00.810684919 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:11:10.818051100 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:12.726767063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:11:13.051203966 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39891 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:11:14.012255907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:11:14.336499929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39893 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:11:15.995841026 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:11:16.320631027 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39895 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:11:26.328144073 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:36.462090969 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:11:42.797236919 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 28, 2024 13:11:43.121637106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 28 Nov 2024 01:06:21 GMT Age: 39921 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 28, 2024 13:11:53.125616074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:12:03.252906084 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 28, 2024 13:12:13.373440981 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	07:10:05
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7e0000
File size:	922'112 bytes
MD5 hash:	E95DA9C734F70679A829C932BCC05884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:10:05
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:10:05
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:10:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:10:08
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:10:08
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:10:08
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	07:10:10
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20402a76-13c7-4119-b198-c83648ed074d} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28618d70110 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	07:10:13
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3172 -prefMapHandle 2984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fd3af4-3cda-49f8-9cc1-f485fefb385a} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 28629e5ea10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	07:10:16
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 5004 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6678fa55-ed79-4942-8d95-09ce28502627} 6464 "\\.\pipe\gecko-crash-server-pipe.6464" 286290c4510 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1641
Total number of Limit Nodes:	48

Executed Functions

Function 007E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007E430D

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

GetCurrentProcess.KERNEL32(?,0087CB64,00000000,?,?), ref: 007E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007E44A0

Strings

GetNativeSystemInfo, xrefs: 007E4460
|O, xrefs: 008236F8
kernel32.dll, xrefs: 007E444F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 68d9b1d9cdf80bd109707d1efd9231897d30dee1c6ca497e9732f4b108aae783
Instruction ID: 541ad2c2b37a67a4cab5b3da3a3a85b91130fe5008f1f5bf3433ccc32283cba1
Opcode Fuzzy Hash: 68d9b1d9cdf80bd109707d1efd9231897d30dee1c6ca497e9732f4b108aae783
Instruction Fuzzy Hash: A8A19461A1A3D0DFCF21C7697C6D19A7FE4BB3E300B984AADD0419BB65F62C4548CB21

Function 007E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007E50AA,?,?,00000000,00000000), ref: 007E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007E50AA,?,?,00000000,00000000), ref: 007E42C9
LoadResource.KERNEL32(?,00000000,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20), ref: 008235BE
SizeofResource.KERNEL32(?,00000000,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20), ref: 008235D3
LockResource.KERNEL32(007E50AA,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20,?), ref: 008235E6

Strings

SCRIPT, xrefs: 007E42BF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8faef803457e3ba536dff089ea8627783f987ade3a9446519d58054bd49c54ae
Instruction ID: 3b3107bd53a39afdd3a56dd65c805e8c8d1c73ca1bb126f2e86b402c9c278d41
Opcode Fuzzy Hash: 8faef803457e3ba536dff089ea8627783f987ade3a9446519d58054bd49c54ae
Instruction Fuzzy Hash: 38117C71201700BFDB218B66DC48F277BBEFBC9B51F14816DB51AD7264DB71D8408620

Function 00822BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007E2B6B

Part of subcall function 007E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008B1418,?,007E2E7F,?,?,?,00000000), ref: 007E3A78

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008A2224), ref: 00822C10
ShellExecuteW.SHELL32(00000000,?,?,008A2224), ref: 00822C17

Strings

runas, xrefs: 00822C0B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 798e4daf28b672aaa4896dffffdf533b29447e87539bf1a9a215f482f6b4d2a0
Instruction ID: 70d47ed85d024eb737c02a1c436fbb9b2f12555587ecec0da79f4eed429f1b10
Opcode Fuzzy Hash: 798e4daf28b672aaa4896dffffdf533b29447e87539bf1a9a215f482f6b4d2a0
Instruction Fuzzy Hash: C3113A3110A3C0EAC714FF61D85DDAEBBA9FB99340F44042CF186471A3DF2C898A8312

Function 0084D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084D501
Process32FirstW.KERNEL32(00000000,?), ref: 0084D50F
Process32NextW.KERNEL32(00000000,?), ref: 0084D52F
CloseHandle.KERNELBASE(00000000), ref: 0084D5DC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e7ce63fa33ee531faf1a8692cde4110dbde9e428e5af7de0e03421e22d32602b
Instruction ID: 9d42c52cbf934100c661350597156cd01ab6e598aaa1c06b5afda5cb8eee6448
Opcode Fuzzy Hash: e7ce63fa33ee531faf1a8692cde4110dbde9e428e5af7de0e03421e22d32602b
Instruction Fuzzy Hash: DE31AF72108344DFD300EF54C889AAFBBE8FF99344F50092DF585871A1EB71A985CBA2

Function 0084DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00825222), ref: 0084DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0084DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0084DBEE
FindClose.KERNEL32(00000000), ref: 0084DBFA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 768d82b9e3a0f6e7a36898582dd2df228c0786097aa1c7371ad1d814cb75e819
Instruction ID: dd5071457e6e2e9db440c082d23877d8689b07ec48f65c9808563de5304d26c5
Opcode Fuzzy Hash: 768d82b9e3a0f6e7a36898582dd2df228c0786097aa1c7371ad1d814cb75e819
Instruction Fuzzy Hash: 8DF0A030820A185782216BB8AC4D8AA376CFF02334B50471AF83AC22E0FBB099D48695

Function 00804CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000,?,008128E9), ref: 00804D09
TerminateProcess.KERNEL32(00000000,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000,?,008128E9), ref: 00804D10
ExitProcess.KERNEL32 ref: 00804D22

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f2f714481d220fccb74adbdd4cacb14c5e1f354f175cc92f26fc79ab474cce97
Instruction ID: 003aeb17a5a0926621ea2ac8c4ff4eb408cbc565e8c94bd868e8bb4ecf97a1e8
Opcode Fuzzy Hash: f2f714481d220fccb74adbdd4cacb14c5e1f354f175cc92f26fc79ab474cce97
Instruction Fuzzy Hash: 42E09271040248AFCF51AF54DD09A583B69FB51785B104018FD09DB276CB35D982DA90

Function 0086AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0086B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0086B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0086B1D4
_wcslen.LIBCMT ref: 0086B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0086B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0086B236
_wcslen.LIBCMT ref: 0086B332

Part of subcall function 008505A7: GetStdHandle.KERNEL32(000000F6), ref: 008505C6

_wcslen.LIBCMT ref: 0086B34B
_wcslen.LIBCMT ref: 0086B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086B3B6
GetLastError.KERNEL32(00000000), ref: 0086B407
CloseHandle.KERNEL32(?), ref: 0086B439
CloseHandle.KERNEL32(00000000), ref: 0086B44A
CloseHandle.KERNEL32(00000000), ref: 0086B45C
CloseHandle.KERNEL32(00000000), ref: 0086B46E
CloseHandle.KERNEL32(?), ref: 0086B4E3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3201d876dd99e9680f6396c77f5671dd0c51e539ef49c6abf92c4cc3dd154133
Instruction ID: f6c4d3901c71da7898da98624ceaf2fe05f400766f5bed980cc1ac9ff228ec6c
Opcode Fuzzy Hash: 3201d876dd99e9680f6396c77f5671dd0c51e539ef49c6abf92c4cc3dd154133
Instruction Fuzzy Hash: 99F17831604240DFCB14EF25C895A2ABBE1FF89318F15845DF999DB2A2DB35EC84CB52

Function 007ED730 Relevance: 21.6, APIs: 14, Instructions: 625sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007ED807
timeGetTime.WINMM ref: 007EDA07
Sleep.KERNELBASE(0000000A), ref: 007EDBB1
Sleep.KERNEL32(0000000A), ref: 00832B76

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Sleep$InputStateTimetime
String ID:
API String ID: 2764417729-0
Opcode ID: 5a3d7d90a1173278a7996d3822872468a79d24fe79ffa4ccbf01cd7ee3842fac
Instruction ID: 9cd8f372199b501ea9c0fc5ea31b3ce29ebb5a2dd16ed8d1ac62b53017faed76
Opcode Fuzzy Hash: 5a3d7d90a1173278a7996d3822872468a79d24fe79ffa4ccbf01cd7ee3842fac
Instruction Fuzzy Hash: BB42CF70609281DFDB34CF25C898B6AB7A1FF89314F14862DE565CB2A1D778EC44CB92

Function 007E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007E2D07
RegisterClassExW.USER32(00000030), ref: 007E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007E2D42
InitCommonControlsEx.COMCTL32(?), ref: 007E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007E2D6F
LoadIconW.USER32(000000A9), ref: 007E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007E2D94

Strings

0, xrefs: 007E2CE9
+, xrefs: 007E2CF0
TaskbarCreated, xrefs: 007E2D37
AutoIt v3 GUI, xrefs: 007E2D23

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e476f0b9c255d6f47818ccef87f3aa643a9e68617af94020754bd8b68a0f3c25
Instruction ID: a510e73f21f1c78e9f7b0ca81a2752e8ca61f9d0047992b69963fca87d58226f
Opcode Fuzzy Hash: e476f0b9c255d6f47818ccef87f3aa643a9e68617af94020754bd8b68a0f3c25
Instruction Fuzzy Hash: FF21F0B0901248AFDB00DFA4E89DB9DBFB4FB08701F40821AE615AB2A4D7B495848F90

Function 0082065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0082039A: CreateFileW.KERNELBASE(00000000,00000000,?,00820704,?,?,00000000,?,00820704,00000000,0000000C), ref: 008203B7

GetLastError.KERNEL32 ref: 0082076F
__dosmaperr.LIBCMT ref: 00820776
GetFileType.KERNELBASE(00000000), ref: 00820782
GetLastError.KERNEL32 ref: 0082078C
__dosmaperr.LIBCMT ref: 00820795
CloseHandle.KERNEL32(00000000), ref: 008207B5
CloseHandle.KERNEL32(?), ref: 008208FF
GetLastError.KERNEL32 ref: 00820931
__dosmaperr.LIBCMT ref: 00820938

Strings

H, xrefs: 008208BD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c55ca764c76533830dc92436ad2ec68941748cca8def8eea21da6ded4e11587a
Instruction ID: 0985f18bc6ab79ae78ed342786fbde715454f6d26745bebd54474d5adf02ae9e
Opcode Fuzzy Hash: c55ca764c76533830dc92436ad2ec68941748cca8def8eea21da6ded4e11587a
Instruction Fuzzy Hash: 10A1F132A041189FDF19AF68EC55BAE7BA0FB06324F144159F815DB3D2DA319892CF92

Function 007E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008B1418,?,007E2E7F,?,?,?,00000000), ref: 007E3A78

Part of subcall function 007E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0082318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008231CE
RegCloseKey.ADVAPI32(?), ref: 00823210
_wcslen.LIBCMT ref: 00823277
_wcslen.LIBCMT ref: 00823286

Strings

\, xrefs: 0082328C
\Include\, xrefs: 007E3527
Include, xrefs: 00823184, 008231C5
Software\AutoIt v3\AutoIt, xrefs: 007E3560

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8357f69b89f7db53df4724942ebbf7dfc3fbec905dbe5367d9c040e481ee56aa
Instruction ID: fc45468fdcfc8085793178cd9b079a4ce516fcb35860ecd3b1c0a73c3ab2fe03
Opcode Fuzzy Hash: 8357f69b89f7db53df4724942ebbf7dfc3fbec905dbe5367d9c040e481ee56aa
Instruction Fuzzy Hash: 79717C71405340EEC314EF65EC8596BBBE8FF99740B504A2EF555C32B0EB389A48CB62

Function 007E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007E2B9D
LoadIconW.USER32(00000063), ref: 007E2BB3
LoadIconW.USER32(000000A4), ref: 007E2BC5
LoadIconW.USER32(000000A2), ref: 007E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007E2BEF
RegisterClassExW.USER32(?), ref: 007E2C40

Part of subcall function 007E2CD4: GetSysColorBrush.USER32(0000000F), ref: 007E2D07
Part of subcall function 007E2CD4: RegisterClassExW.USER32(00000030), ref: 007E2D31
Part of subcall function 007E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007E2D42
Part of subcall function 007E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007E2D5F
Part of subcall function 007E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007E2D6F
Part of subcall function 007E2CD4: LoadIconW.USER32(000000A9), ref: 007E2D85
Part of subcall function 007E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007E2D94

Strings

#, xrefs: 007E2C16
AutoIt v3, xrefs: 007E2C2F
0, xrefs: 007E2C0F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b47427c0f9e2db9a2269bb11fbca932284ea4dfdbeda137303a114043213a359
Instruction ID: 711b651b5e6a460bf4ed31ddf0fce95faccbf215dbec674039e66bc15f5b2742
Opcode Fuzzy Hash: b47427c0f9e2db9a2269bb11fbca932284ea4dfdbeda137303a114043213a359
Instruction Fuzzy Hash: 95213C71E00354ABDB109FA5EC6DA997FF4FB0CB50F50411AE504AB7A0E7B95540CF90

Function 007E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007E316A,?,?), ref: 007E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007E316A,?,?), ref: 007E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007E316A,?,?), ref: 007E3232
CreatePopupMenu.USER32 ref: 007E3246
PostQuitMessage.USER32(00000000), ref: 007E3267

Strings

TaskbarCreated, xrefs: 007E322D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f6c4ac5c9275cc340676654fc847ada14b1c7ed377a458d38b306acb2ce9d2f6
Instruction ID: beafb216a539388238e8c68a88fed263501ec90d917caec26616658b9f248a69
Opcode Fuzzy Hash: f6c4ac5c9275cc340676654fc847ada14b1c7ed377a458d38b306acb2ce9d2f6
Instruction Fuzzy Hash: 89414935245288B7DF141B799C1EBB93B59F70D380F84022DF656CB2A1DB7DCA8097A1

Function 007E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007E1459
CoUninitialize.COMBASE ref: 007E14F8
UnregisterHotKey.USER32(?), ref: 007E16DD
DestroyWindow.USER32(?), ref: 008224B9
FreeLibrary.KERNEL32(?), ref: 0082251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0082254B

Strings

close all, xrefs: 007E1454

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fe48bc875a0855db134b1d65106d2e3dd8cb6da96b0a0b74843316e18410a315
Instruction ID: 2fceb338cb67d12b97911cd6802946be65769e87776f8a5b69096edbac285b01
Opcode Fuzzy Hash: fe48bc875a0855db134b1d65106d2e3dd8cb6da96b0a0b74843316e18410a315
Instruction Fuzzy Hash: 52D1BE31702262DFCB29EF15D49AA29F7A0FF09710F5481ADE54AAB251CB34ED52CF50

Function 007E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007E1CAD,?), ref: 007E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007E1CAD,?), ref: 007E2CCF

Strings

AutoIt v3, xrefs: 007E2C89, 007E2C8E, 007E2C8F
edit, xrefs: 007E2CAC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 68917fe9deb8d269a3ad916079b88fb198054c79900edd4b136132e2def51bc6
Instruction ID: 152537d47a46145c3be8b6e76155938b6b7d3974d2b9f63bf4da0963ed32af2d
Opcode Fuzzy Hash: 68917fe9deb8d269a3ad916079b88fb198054c79900edd4b136132e2def51bc6
Instruction Fuzzy Hash: 44F017755402907AEB300727AC1CE772FFDF7CAF50B54411EFA04AB2A0E6695880DBB0

Function 007E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B83

Strings

Control Panel\Mouse, xrefs: 007E3B3E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 89816b19118708a6b749aac7084e46af06c6ccd81beecd8eefff1254b4c2f82d
Instruction ID: 31ad54e80d7347292377dd0a37ed444a112e9fb876ea1610bc5bef05401c4ee4
Opcode Fuzzy Hash: 89816b19118708a6b749aac7084e46af06c6ccd81beecd8eefff1254b4c2f82d
Instruction Fuzzy Hash: A6112AB5511248FFDB208FAADC48AAEB7B8EF48744B104559E806D7110E235DE4097A0

Function 007E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008233A2

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007E3A04

Strings

Line: , xrefs: 008233EB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 12a4144f8adc6598c62de4fc9ae2fd43ba526d350abca73317e6fefe2ae45f80
Instruction ID: dcff8fa67d5970a9aee772a158b860d32ca91ee640075cda6ba1440e42651708
Opcode Fuzzy Hash: 12a4144f8adc6598c62de4fc9ae2fd43ba526d350abca73317e6fefe2ae45f80
Instruction Fuzzy Hash: 4131C771409380AAC721EB15DC5DBDBB7D8BF48714F10452EF59987291EB78A644C7C2

Function 007FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00800668

Part of subcall function 008032A4: RaiseException.KERNEL32(?,?,?,0080068A,?,008B1444,?,?,?,?,?,?,0080068A,007E1129,008A8738,007E1129), ref: 00803304

__CxxThrowException@8.LIBVCRUNTIME ref: 00800685

Strings

Unknown exception, xrefs: 00800692

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 66339989080279b23f5bea573905bc0da37ea83a0f22dfed7d00bfe824e1e46a
Instruction ID: 1e5b253c5be72c0a75d77e1dbf82d7bdf5617cc3f2e0f30831ac6dd73806e3c1
Opcode Fuzzy Hash: 66339989080279b23f5bea573905bc0da37ea83a0f22dfed7d00bfe824e1e46a
Instruction Fuzzy Hash: 99F0283490030CB7CB40B6A8DC46E5E776DFE10310F604131FA24D26D1EF71DA25C982

Function 007E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007E1BF4
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007E1BFC
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007E1C07
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007E1C12
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007E1C1A
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007E1C22

Part of subcall function 007E1B4A: RegisterWindowMessageW.USER32(00000004,?,007E12C4), ref: 007E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007E136A
OleInitialize.OLE32 ref: 007E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008224AB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 70590121c7b364c7c96eb8bb22a69a76be8a621c7323af1407d478c0cd1c3ee0
Instruction ID: d5e587492e373fb391548e04aa0bf2ba90b90b7e99debc99f296c403b9525165
Opcode Fuzzy Hash: 70590121c7b364c7c96eb8bb22a69a76be8a621c7323af1407d478c0cd1c3ee0
Instruction Fuzzy Hash: F471ADB49122408ECBA4DFBAA86D6953BE1FB893403E4833ED51ACF361EB349445CF55

Function 0084C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007E3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0084C259
KillTimer.USER32(?,00000001,?,?), ref: 0084C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0084C270

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3ce219d1603a9247664016bff03447c5476a10237f27b7bbd13cf2b92a8c8267
Instruction ID: 554524ac4d37c9c24a30ba1204bdcb972d6735f242c822a3fac76d7b5eadc61a
Opcode Fuzzy Hash: 3ce219d1603a9247664016bff03447c5476a10237f27b7bbd13cf2b92a8c8267
Instruction Fuzzy Hash: F4319370905358AFEB629F648859BE7BBECFB06308F00049ED6DEE7241C7B45A84CB51

Function 008186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008185CC,?,008A8CC8,0000000C), ref: 00818704
GetLastError.KERNEL32(?,008185CC,?,008A8CC8,0000000C), ref: 0081870E
__dosmaperr.LIBCMT ref: 00818739

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 35fb58c6fc6206adfab3615e6b0173da6e36cf1212dfa015e3cc5563de3f08c6
Instruction ID: 45aa7a8a79894daaea30bdff1b8ad47fa8588e1eaa7a751d923671019e4b5c2a
Opcode Fuzzy Hash: 35fb58c6fc6206adfab3615e6b0173da6e36cf1212dfa015e3cc5563de3f08c6
Instruction Fuzzy Hash: D3010832605620D6D66462386C4BBFF674DFF92778F29021EE828DB2D2DEA0CCC18151

Function 007EDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007EDB7B
DispatchMessageW.USER32(?), ref: 007EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007EDB9F
Sleep.KERNELBASE(0000000A), ref: 007EDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00831CC9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 611981030f050ebc863e9224b53c4afc9966c42c1853ff5fbea9744663dafa43
Instruction ID: 6b7d7bb56d03ba7634c83706694f1873cb03947b818b0fd78425907849329620
Opcode Fuzzy Hash: 611981030f050ebc863e9224b53c4afc9966c42c1853ff5fbea9744663dafa43
Instruction Fuzzy Hash: A4F054306053849BEB34C7A5DC9DFEA73ACFB88750F504519E619C70D0EB3494888B15

Function 007F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007F17F6

Strings

CALL, xrefs: 007F17C6

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5923c30000aba9aae0acf81d5cd6c083575579a8798cfaf6bdbd255c2cb67a24
Instruction ID: 48bb7752d3b5d1fcb46b2ae2e36e7e06e1fec5c3546577ff3325b2c8a625d68b
Opcode Fuzzy Hash: 5923c30000aba9aae0acf81d5cd6c083575579a8798cfaf6bdbd255c2cb67a24
Instruction Fuzzy Hash: B5228A70608245DFC714DF18C484A3ABBE1FF89314F54892DF6968B361E739E855CB92

Function 007E2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00822C8C

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 007E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007E2DC4

Strings

X, xrefs: 00822C5A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: f4e27e5aa214c41c94122a4ec3add1a18ff304ea4a196e9e18bf74e587d65e52
Instruction ID: 537a852b36f242651ea3e9109aa24d0b41d826041662c562169109a98358454b
Opcode Fuzzy Hash: f4e27e5aa214c41c94122a4ec3add1a18ff304ea4a196e9e18bf74e587d65e52
Instruction Fuzzy Hash: 4021D171A00298AADB01DF95C809BEE7BFCFF4D304F008059E504E7241EBB85A898BA1

Function 007E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007E3908

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aa089121fb05a471ec6151feab93dcc0cd9566c78ab5aaa66899d1a00907c63a
Instruction ID: 8fffee27fc19f8edcbb4b8e294abadd1c10d8e139f1531365beb4672ba579ffa
Opcode Fuzzy Hash: aa089121fb05a471ec6151feab93dcc0cd9566c78ab5aaa66899d1a00907c63a
Instruction Fuzzy Hash: 7A319C705053408FD720DF25D8987A7BBE8FB4D308F00092EF69987340E779AA44CB62

Function 007FF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007FF661

Part of subcall function 007ED730: GetInputState.USER32 ref: 007ED807

Sleep.KERNEL32(00000000), ref: 0083F2DE

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b8375dce83163e5524f41bebc68f6abb9dfd6d432432c959f9098217c014a3e5
Instruction ID: f191c423063de0b958330c74238d2729e6f4a6b4dba3486e7d20d6593eaed08c
Opcode Fuzzy Hash: b8375dce83163e5524f41bebc68f6abb9dfd6d432432c959f9098217c014a3e5
Instruction Fuzzy Hash: 85F0F831240645DFD324EB6AD449B6ABBE8FF49761F004069E95AC7361DBA0A850CB91

Function 007E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E9C
Part of subcall function 007E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007E4EAE
Part of subcall function 007E4E90: FreeLibrary.KERNEL32(00000000,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EFD

Part of subcall function 007E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E62
Part of subcall function 007E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007E4E74
Part of subcall function 007E4E59: FreeLibrary.KERNEL32(00000000,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E87

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ee88a0450938a480e96e735c51e2e188cb5e8832b9a37055e01132baa909a9c6
Instruction ID: 9eafe50f99d022fd4435be046a32d736543ee8517bfde2eea005f450ff7185c2
Opcode Fuzzy Hash: ee88a0450938a480e96e735c51e2e188cb5e8832b9a37055e01132baa909a9c6
Instruction Fuzzy Hash: C1112332601205EACB14BB66DC0AFAD77A5AF48B10F10882DF542EA1C1EE789A449750

Function 00818402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00818440

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f9bd3050e37edf60df424c3e7fe9adae9c220c30b9bfd717ccb3aa67be82b711
Instruction ID: 4423537485bedb0c7d933f4be672eaa8f91982d2b0782909a1cc671aefc06c7d
Opcode Fuzzy Hash: f9bd3050e37edf60df424c3e7fe9adae9c220c30b9bfd717ccb3aa67be82b711
Instruction Fuzzy Hash: E211487190410AEFCB05DF58E9419DA7BF9FF48314F104059F808EB312DA30DA11CBA5

Function 00815000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814C7D: RtlAllocateHeap.NTDLL(00000008,007E1129,00000000,?,00812E29,00000001,00000364,?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?), ref: 00814CBE

_free.LIBCMT ref: 0081506C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 7d327fe2ece2610c5b94af8b907a99863702e464d45f921fde6347d2a49e040b
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CB012B72204B049BE321CE599841ADAFBECFFC9370F25051DE184C3280E6306845C6B4

Function 0080E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: cb657b78a55407ef3b2be6c35da502bacf772e2bf3f3250935414a2fd1bdc55e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: BDF0D132510A1496D6712A6DAC05B9B379CFF62335F100B15F435D22D2CB719841C6A7

Function 00814C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007E1129,00000000,?,00812E29,00000001,00000364,?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?), ref: 00814CBE

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d91a3684ad778890b731e14eb211079805ab21e884b8d3b6d598921507ab568d
Instruction ID: e30b8ff145729d490d4be8bc79221624cc6435827dc5efc3fa890c0dfafee8db
Opcode Fuzzy Hash: d91a3684ad778890b731e14eb211079805ab21e884b8d3b6d598921507ab568d
Instruction Fuzzy Hash: 4CF0E93160222467DB215F6A9C09BDA378CFF517B0B146125BD19EB2D1CA70D88086E1

Function 00813820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1547a40acdd43e7f40f5e4c8753a5b1094f082f4e8926b9c03be5a8a96b50f6
Instruction ID: 0b5baedd07481e6df07b0bc23c26cf45baa4b78ad6ceca9ce131a8601a88c11e
Opcode Fuzzy Hash: d1547a40acdd43e7f40f5e4c8753a5b1094f082f4e8926b9c03be5a8a96b50f6
Instruction Fuzzy Hash: 23E0E53110022497E631276A9C04BDA374CFF427B0F054130BD19D69D1DB50DE8181E1

Function 007E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4F6D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a6a70988c4803af7b783ee19a053a28a26f9da9fd43ebcf182effa625c29e585
Instruction ID: 07dc40df446358120e784e1df22ad3956b96a5dfe4a555885300d682a95dfad3
Opcode Fuzzy Hash: a6a70988c4803af7b783ee19a053a28a26f9da9fd43ebcf182effa625c29e585
Instruction Fuzzy Hash: 4DF03071106791CFDB349F66D494812B7E4FF18719318897EE1EA83511C7399C44DF50

Function 00872A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00872A66

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d119cbae92dc402fa25a617ff7c76052b48ed43033de93deca22819eb23f1970
Instruction ID: 0db3dd34f64c293bb678b6ae8eda5985959d9f1ce767b87fd74dd0e113e5dab2
Opcode Fuzzy Hash: d119cbae92dc402fa25a617ff7c76052b48ed43033de93deca22819eb23f1970
Instruction Fuzzy Hash: EFE04F3635412AAAC714EA34EC849FAB75CFB60395B10953AAC1AD2144DB30D99586A0

Function 007E30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007E314E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 19537249316af98e68e69920b97c52be6876cc7889c062871d4b8847a5c11230
Instruction ID: c23ca2c7eb1ff46d0e52bc2edf05b95d85ae17aed4c63d5964bba1a366f61a18
Opcode Fuzzy Hash: 19537249316af98e68e69920b97c52be6876cc7889c062871d4b8847a5c11230
Instruction Fuzzy Hash: AAF0A7709043089FEB529B24DC4D7D57BFCB705708F0001E9A24897292E7745788CF41

Function 007E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007E2DC4

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: aed1dcad9d738354cd7b6226ee5d71ae3f1cfec4f67211c7109cdeb7d42b83f9
Instruction ID: 9b1339b55ab0d12b0929130e97bd6b26f2d31eff9265a05f2350550505370058
Opcode Fuzzy Hash: aed1dcad9d738354cd7b6226ee5d71ae3f1cfec4f67211c7109cdeb7d42b83f9
Instruction Fuzzy Hash: E4E0CD726001245BCB1092589C09FDA77DDEFC87D0F040075FD09D725CDA74EDC08551

Function 007E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007E3908

Part of subcall function 007ED730: GetInputState.USER32 ref: 007ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 007E2B6B

Part of subcall function 007E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007E314E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f42b0c1757c0510e892ddf008ccd9bb88199dc5200b344b9f7c9010fdc9211f9
Instruction ID: 01f3ae4134e145042feb6ce0ceed7803ca7ec53c5fb191fada3eb14c6ec58e09
Opcode Fuzzy Hash: f42b0c1757c0510e892ddf008ccd9bb88199dc5200b344b9f7c9010fdc9211f9
Instruction Fuzzy Hash: 6EE026223022C483CA04BB72A86E4ADB34AABD9311F80053EF14287263CE2D89894351

Function 0082039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00820704,?,?,00000000,?,00820704,00000000,0000000C), ref: 008203B7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: facfe5b52aa9af365b373d7ce033994944bcbf3b276d71aa38f413de5ba20fe6
Instruction ID: 7055d264f4943dcea85f14f5a7c4407507182a4cda878a22c22820687d117437
Opcode Fuzzy Hash: facfe5b52aa9af365b373d7ce033994944bcbf3b276d71aa38f413de5ba20fe6
Instruction Fuzzy Hash: 9FD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014050BE1856020C732E861AB90

Function 007E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007E1CBC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9c33efa6aee021c0790d9d2f14d5468f492f60cba7de359e5be2c83c79aa1ed7
Instruction ID: a98c48159406eb6bff9e328df3283d8d61da4f0bd6440c550e25c445db30174b
Opcode Fuzzy Hash: 9c33efa6aee021c0790d9d2f14d5468f492f60cba7de359e5be2c83c79aa1ed7
Instruction Fuzzy Hash: 86C09236280304AFF6248B80BC5EF1077A4B34CB00F488201F60DAA6E3D3A27860EB50

Non-executed Functions

Function 00879576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0087961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0087965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0087969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008796C9
SendMessageW.USER32 ref: 008796F2
GetKeyState.USER32(00000011), ref: 0087978B
GetKeyState.USER32(00000009), ref: 00879798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008797AE
GetKeyState.USER32(00000010), ref: 008797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008797E9
SendMessageW.USER32 ref: 00879810
SendMessageW.USER32(?,00001030,?,00877E95), ref: 00879918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0087992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00879941
SetCapture.USER32(?), ref: 0087994A
ClientToScreen.USER32(?,?), ref: 008799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008799D6
ReleaseCapture.USER32 ref: 008799E1
GetCursorPos.USER32(?), ref: 00879A19
ScreenToClient.USER32(?,?), ref: 00879A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00879A80
SendMessageW.USER32 ref: 00879AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00879AEB
SendMessageW.USER32 ref: 00879B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00879B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00879B4A
GetCursorPos.USER32(?), ref: 00879B68
ScreenToClient.USER32(?,?), ref: 00879B75
GetParent.USER32(?), ref: 00879B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00879BFA
SendMessageW.USER32 ref: 00879C2B
ClientToScreen.USER32(?,?), ref: 00879C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00879CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00879CDE
SendMessageW.USER32 ref: 00879D01
ClientToScreen.USER32(?,?), ref: 00879D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00879D82

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

GetWindowLongW.USER32(?,000000F0), ref: 00879E05

Strings

@GUI_DRAGID, xrefs: 0087997D
F, xrefs: 00879D07

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 626ce367de7374cff5bf9d273a668ad03f0cd4da9d74db15db4f7ae927869b7f
Instruction ID: 17d8c49fd58535784c4cb4af7d8c77f7e77ea34ba1e71e820d512b84970cb679
Opcode Fuzzy Hash: 626ce367de7374cff5bf9d273a668ad03f0cd4da9d74db15db4f7ae927869b7f
Instruction Fuzzy Hash: D042AB71204241AFDB24CF68CC88AAABBE5FF59314F14861DF69DC72A9E731E850CB51

Function 00874873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00874908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00874927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0087494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0087495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0087497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00874A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00874A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00874A7E
IsMenu.USER32(?), ref: 00874A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00874AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00874B20
GetWindowLongW.USER32(?,000000F0), ref: 00874B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00874BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00874C82
wsprintfW.USER32 ref: 00874CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00874CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00874CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00874D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00874D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00874D5A

Strings

%d/%02d/%02d, xrefs: 00874CA8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: fa250292129617f172222ad3380b5268487e5cbf865db0d0ccfd2abded33999b
Instruction ID: 2e93e39ad450717d0c3a9a4858ab67ea61e1bf8092267ae1e13c140a62ea5376
Opcode Fuzzy Hash: fa250292129617f172222ad3380b5268487e5cbf865db0d0ccfd2abded33999b
Instruction Fuzzy Hash: 0312DE71600218ABEB258F28CC49FAE7BA8FF45714F14912DF51AEB2E9DB74D940CB50

Function 007FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0083F474
IsIconic.USER32(00000000), ref: 0083F47D
ShowWindow.USER32(00000000,00000009), ref: 0083F48A
SetForegroundWindow.USER32(00000000), ref: 0083F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083F4AA
GetCurrentThreadId.KERNEL32 ref: 0083F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0083F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0083F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0083F4DE
SetForegroundWindow.USER32(00000000), ref: 0083F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F4F6
keybd_event.USER32(00000012,00000000), ref: 0083F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F50B
keybd_event.USER32(00000012,00000000), ref: 0083F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F519
keybd_event.USER32(00000012,00000000), ref: 0083F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F528
keybd_event.USER32(00000012,00000000), ref: 0083F52D
SetForegroundWindow.USER32(00000000), ref: 0083F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0083F557

Strings

Shell_TrayWnd, xrefs: 0083F46F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 984549b74b25289a7f8c93719d1c6d67371365dffbec5c6c304bf00244610bde
Instruction ID: 61d269ad259b24e3552a45905239a95b50c06b32bfc23322bb84f02aee551666
Opcode Fuzzy Hash: 984549b74b25289a7f8c93719d1c6d67371365dffbec5c6c304bf00244610bde
Instruction Fuzzy Hash: 3F312371E40218BBEB216BB55C4AFBF7E6CFB84B50F140069F705EB1D1D6B19D40AAA0

Function 00841201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
Part of subcall function 008416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
Part of subcall function 008416C3: GetLastError.KERNEL32 ref: 0084174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00841286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008412A8
CloseHandle.KERNEL32(?), ref: 008412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008412D1
GetProcessWindowStation.USER32 ref: 008412EA
SetProcessWindowStation.USER32(00000000), ref: 008412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00841310

Part of subcall function 008410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008411FC), ref: 008410D4
Part of subcall function 008410BF: CloseHandle.KERNEL32(?,?,008411FC), ref: 008410E9

Strings

default, xrefs: 0084130B
, xrefs: 0084125A
winsta0, xrefs: 008412CC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2ac26e9bf32abdb6629b44054e13c64d6955bdd53a9c9e08960e79beaeeef3c6
Instruction ID: 75dc57bb95c441c0babb58e7eb55f21dd793d165814fb949ec84dc86123c3404
Opcode Fuzzy Hash: 2ac26e9bf32abdb6629b44054e13c64d6955bdd53a9c9e08960e79beaeeef3c6
Instruction Fuzzy Hash: 51817A7190020DABDF219FA8DC8DBEE7BBAFF04704F144129FA14E62A0D7749984CB65

Function 00840B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
Part of subcall function 008410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
Part of subcall function 008410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
Part of subcall function 008410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00840BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00840C00
GetLengthSid.ADVAPI32(?), ref: 00840C17
GetAce.ADVAPI32(?,00000000,?), ref: 00840C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00840C6D
GetLengthSid.ADVAPI32(?), ref: 00840C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00840C8C
HeapAlloc.KERNEL32(00000000), ref: 00840C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00840CB4
CopySid.ADVAPI32(00000000), ref: 00840CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00840CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00840D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00840D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D45
HeapFree.KERNEL32(00000000), ref: 00840D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D55
HeapFree.KERNEL32(00000000), ref: 00840D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D65
HeapFree.KERNEL32(00000000), ref: 00840D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00840D78
HeapFree.KERNEL32(00000000), ref: 00840D7F

Part of subcall function 00841193: GetProcessHeap.KERNEL32(00000008,00840BB1,?,00000000,?,00840BB1,?), ref: 008411A1
Part of subcall function 00841193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00840BB1,?), ref: 008411A8
Part of subcall function 00841193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00840BB1,?), ref: 008411B7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4ec09b96a37e0ac444d0a7edb0827d97844c7b2fde1bb93c7a04f27c591ef1e5
Instruction ID: c162e846ad4e868e9d7b2ee621b344ca79af4030767892b8dcd8e11d121e4275
Opcode Fuzzy Hash: 4ec09b96a37e0ac444d0a7edb0827d97844c7b2fde1bb93c7a04f27c591ef1e5
Instruction Fuzzy Hash: C8712A7290020AABDF109FA4DC48BAFBBB8FF44310F144629EA19E7191D775E945CFA0

Function 0085EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0087CC08), ref: 0085EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0085EB37
GetClipboardData.USER32(0000000D), ref: 0085EB43
CloseClipboard.USER32 ref: 0085EB4F
GlobalLock.KERNEL32(00000000), ref: 0085EB87
CloseClipboard.USER32 ref: 0085EB91
GlobalUnlock.KERNEL32(00000000), ref: 0085EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0085EBC9
GetClipboardData.USER32(00000001), ref: 0085EBD1
GlobalLock.KERNEL32(00000000), ref: 0085EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0085EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0085EC38
GetClipboardData.USER32(0000000F), ref: 0085EC44
GlobalLock.KERNEL32(00000000), ref: 0085EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0085EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0085EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0085ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0085ECF3
CountClipboardFormats.USER32 ref: 0085ED14
CloseClipboard.USER32 ref: 0085ED59

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 81c56480f42bd87d9b3c46c80a06f92d0237a5a58ae9f9b491423cb8eeb302da
Instruction ID: 464086f9759e87eb900c9b79ef56ebbd23fde302c9072a1c1eb9c206203b255b
Opcode Fuzzy Hash: 81c56480f42bd87d9b3c46c80a06f92d0237a5a58ae9f9b491423cb8eeb302da
Instruction Fuzzy Hash: D661AC352082059FD314EF24CC89F2AB7A4FF88715F14455DF85AD72A2CB31DA49CB62

Function 0085698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008569BE
FindClose.KERNEL32(00000000), ref: 00856A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00856A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00856A75

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00856AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00856ADF

Strings

%02d, xrefs: 00856C00, 00856C0A, 00856C5A, 00856CAA, 00856CFA, 00856D4A
%03d, xrefs: 00856DA2
%4d, xrefs: 00856BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00856B32
%4d%02d%02d%02d%02d%02d, xrefs: 00856B6A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6e5a4b95ae6f890a87bda06f7c5a2e811720ffc8fe759dd004e416f77e762e0c
Instruction ID: 4ca981e3c88b29339211b18ac8e6640620e2ea0f3b68f66a2eaaf53a5ab1ff85
Opcode Fuzzy Hash: 6e5a4b95ae6f890a87bda06f7c5a2e811720ffc8fe759dd004e416f77e762e0c
Instruction Fuzzy Hash: F0D16172509340AEC714EBA1C885EABB7ECFF98704F44491DF985D7191EB38DA48C762

Function 00859642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00859663
GetFileAttributesW.KERNEL32(?), ref: 008596A1
SetFileAttributesW.KERNEL32(?,?), ref: 008596BB
FindNextFileW.KERNEL32(00000000,?), ref: 008596D3
FindClose.KERNEL32(00000000), ref: 008596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0085974A
SetCurrentDirectoryW.KERNEL32(008A6B7C), ref: 00859768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00859772
FindClose.KERNEL32(00000000), ref: 0085977F
FindClose.KERNEL32(00000000), ref: 0085978F

Strings

*.*, xrefs: 008596F5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e68efb3e91abda4cf15701f9aabd70b2400c0233674c822005cf7c47c4629e07
Instruction ID: 30b936de6a094e46828a0f4f100a29c57876318577948d6cad1360957c533bb8
Opcode Fuzzy Hash: e68efb3e91abda4cf15701f9aabd70b2400c0233674c822005cf7c47c4629e07
Instruction Fuzzy Hash: B931D532501619AEDB14AFB4DC49ADE77ACFF49321F14415AF859E3190EB34DE888E20

Function 0085979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 008597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00859819
FindClose.KERNEL32(00000000), ref: 00859824
FindFirstFileW.KERNEL32(*.*,?), ref: 00859840
SetCurrentDirectoryW.KERNEL32(?), ref: 00859890
SetCurrentDirectoryW.KERNEL32(008A6B7C), ref: 008598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008598B8
FindClose.KERNEL32(00000000), ref: 008598C5
FindClose.KERNEL32(00000000), ref: 008598D5

Part of subcall function 0084DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0084DB00

Strings

*.*, xrefs: 0085983B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7bb1c64409bee816630abf562e60a36d7e935a3dc592c4ee191fc6b673ae6c79
Instruction ID: f8b328eed1e0022ecb782948b88670bf927e8b035ea6cc398ccd2c6550fe7719
Opcode Fuzzy Hash: 7bb1c64409bee816630abf562e60a36d7e935a3dc592c4ee191fc6b673ae6c79
Instruction Fuzzy Hash: D131C331501219AAEF10EFB4DC49ADE77ACFF06321F144169E894E31D5EB35DA898B20

Function 0086BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0086BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0086BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0086C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0086C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0086C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0086C382
RegCloseKey.ADVAPI32(00000000), ref: 0086C38F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: e70a52bbb5b30fc5b6a21a7045e3b2a0790efd4126b172acb834bfc6b000ea13
Instruction ID: 51b195aeeb0a5a77ae09cd0a23428d022dfaa330b88000081c4a8ac4a1ec85d2
Opcode Fuzzy Hash: e70a52bbb5b30fc5b6a21a7045e3b2a0790efd4126b172acb834bfc6b000ea13
Instruction Fuzzy Hash: 9E022A716042409FD714DF28C895E2ABBE5FF89318F19849DE88ACB3A2DB31ED45CB51

Function 00858195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00858257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00858267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00858273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00858310
SetCurrentDirectoryW.KERNEL32(?), ref: 00858324
SetCurrentDirectoryW.KERNEL32(?), ref: 00858356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0085838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00858395

Strings

*.*, xrefs: 0085839B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5de97e73282dfdadda1147c284edd9a339250a760d40e2127450b9c0e5a3bc38
Instruction ID: 0414f12fd1256f552e22caa9932924045b1194b9fc8c8a15e2b8b82a4f521c19
Opcode Fuzzy Hash: 5de97e73282dfdadda1147c284edd9a339250a760d40e2127450b9c0e5a3bc38
Instruction Fuzzy Hash: 9F6185B21043459FCB10EF24C8449AEB3E8FF88315F04882EF999D7251EB35E949CB92

Function 0084D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

FindFirstFileW.KERNEL32(?,?), ref: 0084D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0084D1DD
MoveFileW.KERNEL32(?,?), ref: 0084D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0084D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0084D237

Part of subcall function 0084D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0084D21C,?,?), ref: 0084D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0084D253
FindClose.KERNEL32(00000000), ref: 0084D264

Strings

\*.*, xrefs: 0084D0CD, 0084D0D6, 0084D0EB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 782e3dc6ef2fdc5c3f061ea5cd721098a9f0411c1c8c80607fefeefb27d858f5
Instruction ID: 90b901fbcc68e7fda0343b53454aac36161d0962d4b43da6b45c5e38381f2b2e
Opcode Fuzzy Hash: 782e3dc6ef2fdc5c3f061ea5cd721098a9f0411c1c8c80607fefeefb27d858f5
Instruction Fuzzy Hash: 48617C3180225DEACF15EBE1C9969EDB7B5FF59300F204069E405B71A2EB34AF49CB61

Function 0085ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0085ED91
EmptyClipboard.USER32 ref: 0085ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0085EDAC
CloseClipboard.USER32 ref: 0085EEA3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1bc53411e8c3ca67738050f78596ab30455fb320ed9d08d88bd08c173659e709
Instruction ID: 58fe384a1104195ca41373eba100dc8d6245d9aad2be4fd104ee5fdfe837ff91
Opcode Fuzzy Hash: 1bc53411e8c3ca67738050f78596ab30455fb320ed9d08d88bd08c173659e709
Instruction Fuzzy Hash: 73417B35208611AFE724DF19D88DB19BBE5FF44319F14809DE829CB6A2C735ED86CB90

Function 0084E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
Part of subcall function 008416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
Part of subcall function 008416C3: GetLastError.KERNEL32 ref: 0084174A

ExitWindowsEx.USER32(?,00000000), ref: 0084E932

Strings

SeShutdownPrivilege, xrefs: 0084E902
@, xrefs: 0084E925
, xrefs: 0084E920
, xrefs: 0084E95C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 142ffc1ddb8c029a466c549637a3c71529a0e1d4ff9f39187a24f8a8999ce8f6
Instruction ID: 1ded507ee2f7e5dc2c8b0467359786ed31957a342bf7ead6e88403488a3277e8
Opcode Fuzzy Hash: 142ffc1ddb8c029a466c549637a3c71529a0e1d4ff9f39187a24f8a8999ce8f6
Instruction Fuzzy Hash: 5701FE7371021DABEB5426B89C89FBF7E9CF714754F150425FC13E31D1D6619C808290

Function 00861204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00861276
WSAGetLastError.WSOCK32 ref: 00861283
bind.WSOCK32(00000000,?,00000010), ref: 008612BA
WSAGetLastError.WSOCK32 ref: 008612C5
closesocket.WSOCK32(00000000), ref: 008612F4
listen.WSOCK32(00000000,00000005), ref: 00861303
WSAGetLastError.WSOCK32 ref: 0086130D
closesocket.WSOCK32(00000000), ref: 0086133C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 802ff29d6f8da0c2371a997adcda9c207ab3690552f2c3fad393ef8ff9d88a99
Instruction ID: 8d14a953bfe6984189ca0d2d695a3e74a285e138a20825e28f9936d0a0647784
Opcode Fuzzy Hash: 802ff29d6f8da0c2371a997adcda9c207ab3690552f2c3fad393ef8ff9d88a99
Instruction Fuzzy Hash: 8E415C316001409FDB10DF24C499A2ABBE5FF46318F19819CD8568B397C775EC81CBA1

Function 0081B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0081B9D4
_free.LIBCMT ref: 0081B9F8
_free.LIBCMT ref: 0081BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00883700), ref: 0081BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0081BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008B1270,000000FF,?,0000003F,00000000,?), ref: 0081BC36
_free.LIBCMT ref: 0081BD4B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 12e38dd3bbf3efa891e5775234ac50190b7484173da9cdf259d0fdf7a529c07e
Instruction ID: bf6609f5ebf70d48865f4cdd325f6599ff04e92447efa0e1e4b0c0969faf607b
Opcode Fuzzy Hash: 12e38dd3bbf3efa891e5775234ac50190b7484173da9cdf259d0fdf7a529c07e
Instruction Fuzzy Hash: 32C12671904209AFCB24DF68DC55BEABBECFF41320F1441AAE494DB291EB308E81C791

Function 0084D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

FindFirstFileW.KERNEL32(?,?), ref: 0084D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0084D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0084D481
FindClose.KERNEL32(00000000), ref: 0084D498
FindClose.KERNEL32(00000000), ref: 0084D4A1

Strings

\*.*, xrefs: 0084D3F2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c10bda950af08c815655b71d018335185d3b8abb7431228270cff3c5b89888c0
Instruction ID: 755c45ac132dc3bf5a6ab61b09121e58fc6d26316bb0997caf757da8b00e8772
Opcode Fuzzy Hash: c10bda950af08c815655b71d018335185d3b8abb7431228270cff3c5b89888c0
Instruction Fuzzy Hash: 83318071009385ABC301EF65C8998AFB7A8FE95304F444A1DF4D593192EB34EA49C767

Function 0081E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0081E645

Strings

1#SNAN, xrefs: 0081F844
1#QNAN, xrefs: 0081F84B
1#IND, xrefs: 0081F83D
1#INF, xrefs: 0081F852

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b18ebd1570e59f85a37044ef991678694ce0d2cf657453da50db1fa9bb1938c4
Instruction ID: a5df80bd80490f150277707903dc265c3bb86a525d5af300a70fb09d3b297f37
Opcode Fuzzy Hash: b18ebd1570e59f85a37044ef991678694ce0d2cf657453da50db1fa9bb1938c4
Instruction Fuzzy Hash: ABC22971E086298BDB65CE289D447EAB7B9FF48304F1441EAD94DE7281E774AEC18F40

Function 0085648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008564DC
CoInitialize.OLE32(00000000), ref: 00856639
CoCreateInstance.OLE32(0087FCF8,00000000,00000001,0087FB68,?), ref: 00856650
CoUninitialize.OLE32 ref: 008568D4

Strings

.lnk, xrefs: 008564BA, 00856524, 008565E0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 906557885aabf9b74a090bccec311fadd030d87aec1265b298e3f9554c12e3e1
Instruction ID: 5b30d5eb31f84a332b48b6b021f472b16386baddfb39f67b30d155eceade28fc
Opcode Fuzzy Hash: 906557885aabf9b74a090bccec311fadd030d87aec1265b298e3f9554c12e3e1
Instruction Fuzzy Hash: DBD159715082419FC314EF25C885A6BB7E8FF98704F54496DF595CB2A1EB30EE09CBA2

Function 008622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008622E8

Part of subcall function 0085E4EC: GetWindowRect.USER32(?,?), ref: 0085E504

GetDesktopWindow.USER32 ref: 00862312
GetWindowRect.USER32(00000000), ref: 00862319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00862355
GetCursorPos.USER32(?), ref: 00862381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008623DF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9f7360a4472622b9a04a593503ed2b5cb9d726dfe11529c824983dd3e7558ff0
Instruction ID: dbb864c62591725efa6826a3f6d8dfe8747d8550a84a7c5d7811fd9728fd9a6b
Opcode Fuzzy Hash: 9f7360a4472622b9a04a593503ed2b5cb9d726dfe11529c824983dd3e7558ff0
Instruction Fuzzy Hash: 0B31CD72505715ABC720DF58C849A5BBBA9FF84314F00091DF989D7291DB34EA48CB92

Function 00859B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00859B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00859C8B

Part of subcall function 00853874: GetInputState.USER32 ref: 008538CB
Part of subcall function 00853874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00853966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00859BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00859C75

Strings

*.*, xrefs: 00859B5D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d93ccbf3d0f27c7bbd3f6dcad382e6815a4d986103f8f1ad1922898a069faf3a
Instruction ID: 1127300c0987def0af8b713c619168397e390c917657ef8696b17e05996be8c2
Opcode Fuzzy Hash: d93ccbf3d0f27c7bbd3f6dcad382e6815a4d986103f8f1ad1922898a069faf3a
Instruction Fuzzy Hash: 0D415E7190120ADBDF14DF64C849AEEBBB8FF09311F644059E859E3291EB349E88CF61

Function 007F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 007F9A4E
GetSysColor.USER32(0000000F), ref: 007F9B23
SetBkColor.GDI32(?,00000000), ref: 007F9B36

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3d9764873cb280fa24029131fb4726f8b01028be6fa50b149b362569c2444044
Instruction ID: 46572ad162eaca3397a2c01d030a4868fcf2e2b49facff7c2ffbf4a730572e6a
Opcode Fuzzy Hash: 3d9764873cb280fa24029131fb4726f8b01028be6fa50b149b362569c2444044
Instruction Fuzzy Hash: B1A10BB010844CBEE739AA2C8C5DF7B2A9DFBC2340F158219F712D6795DA29DD05D2B2

Function 00861806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
Part of subcall function 0086304E: _wcslen.LIBCMT ref: 0086309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0086185D
WSAGetLastError.WSOCK32 ref: 00861884
bind.WSOCK32(00000000,?,00000010), ref: 008618DB
WSAGetLastError.WSOCK32 ref: 008618E6
closesocket.WSOCK32(00000000), ref: 00861915

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e7fe843c678026280861f615285d40cced43d58d5998b6434743e22b80336ee3
Instruction ID: 7cf960425596f5b9f9a80cc77e2941a5d3be090040dd0f7329659c2a1f38e66a
Opcode Fuzzy Hash: e7fe843c678026280861f615285d40cced43d58d5998b6434743e22b80336ee3
Instruction Fuzzy Hash: 16519175A00240AFDB10AF24C88AF3A77E5EB49718F08845CF91A9F393C775AD41CBA1

Function 00871C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00871CC0
IsWindowEnabled.USER32 ref: 00871CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00871CDB
IsIconic.USER32 ref: 00871CE9
IsZoomed.USER32 ref: 00871CF7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2d324555146abc269e2f96974290d5626896ca662d9992816813802ad2b906fc
Instruction ID: 0ae887e2954d36058c97290347bfb8a9b640e71ceabee984fa936aa7b479625b
Opcode Fuzzy Hash: 2d324555146abc269e2f96974290d5626896ca662d9992816813802ad2b906fc
Instruction Fuzzy Hash: 54219E317402109FDB218F5EC888B2A7BA5FF95314B19C05CE84ECB659CB71D842CB90

Function 007E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007E83E8
VUUU, xrefs: 007E83FA
VUUU, xrefs: 00825DF0
ERCP, xrefs: 007E813C
VUUU, xrefs: 007E843C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 49b097ad854c968b6fc01f6d589a352b4c828d134946fea4590d954d0a5abff3
Instruction ID: f7a9fcdb4e265865ed2e87cf21368bc3dddcefe902a67eb9b5e661aa5ff0970b
Opcode Fuzzy Hash: 49b097ad854c968b6fc01f6d589a352b4c828d134946fea4590d954d0a5abff3
Instruction Fuzzy Hash: DDA2AE70A0126ACBDF64CF59D8407ADB7B2FF58310F2481AAD819E7285EB349DD1CB91

Function 0084AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0084AAAC
SetKeyboardState.USER32(00000080), ref: 0084AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0084AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0084AB88

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 485150d01e3c88fdfe22ae8e4a34dbb35f28a1254a72ce0f5f3690a78f14417c
Instruction ID: 10338f41841a3775a891a8b0a8a30456fc122d25cf3015a6db7a29124661459c
Opcode Fuzzy Hash: 485150d01e3c88fdfe22ae8e4a34dbb35f28a1254a72ce0f5f3690a78f14417c
Instruction Fuzzy Hash: A131E570AC025CAEFB39CA688C49BFA7BA6FB54320F04421AF595DA1D1D375C981C763

Function 0085CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0085CE89
GetLastError.KERNEL32(?,00000000), ref: 0085CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0085CEFE

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 122407b261aee71d6360d1ac5f2e0f53549770c4402583ace5f705feaa708f25
Instruction ID: 144d1bc7029fe37b6602b3f56d740c19086657784f269aaba029b560861bccb1
Opcode Fuzzy Hash: 122407b261aee71d6360d1ac5f2e0f53549770c4402583ace5f705feaa708f25
Instruction Fuzzy Hash: 5D218CB15007059FE7209FA5C94ABA77BF8FB50359F10481EE946E2151EBB4EE488F60

Function 00848298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008482AA

Strings

|, xrefs: 008482DA
(, xrefs: 008482F0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3726fe005defbb0a9eaf731512dfc721fb0add211830e20a24713617697998d2
Instruction ID: 0a3c4c19ae227dbc52bad57773323a0238fdd29a06dadf173332894daa0e8f20
Opcode Fuzzy Hash: 3726fe005defbb0a9eaf731512dfc721fb0add211830e20a24713617697998d2
Instruction Fuzzy Hash: 88323475A00609DFCB28CF59C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB44

Function 00855C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00855CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00855D17
FindClose.KERNEL32(?), ref: 00855D5F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3525d1b1c40c9ce1e5603c110147794daaab1462aa514342cd5b1f056f5e8db3
Instruction ID: 383a1e909e442131ef7800e7ae608a0e43b790fe7b36ee401419bb90101d6592
Opcode Fuzzy Hash: 3525d1b1c40c9ce1e5603c110147794daaab1462aa514342cd5b1f056f5e8db3
Instruction Fuzzy Hash: 0C5169756046019FC714CF28C4A8A9AB7F4FF49314F14856DE96ACB3A2DB30ED49CB91

Function 00812622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0081271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00812724
UnhandledExceptionFilter.KERNEL32(?), ref: 00812731

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8a422175310799e9db7462365f67ee0cf283dc4c2a66114c8d18a4611685b8bf
Instruction ID: ad5a80862a79cddb78a5cde9b3b583407f2b2e4939107967365c1919b0da0e89
Opcode Fuzzy Hash: 8a422175310799e9db7462365f67ee0cf283dc4c2a66114c8d18a4611685b8bf
Instruction Fuzzy Hash: D431C4759112289BCB61DF68DC887D9B7B8FF08310F5045EAE40CA72A1E7709F818F45

Function 008551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00855238
SetErrorMode.KERNEL32(00000000), ref: 008552A1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 20e800b2178aa173a456de3b5ecc6ae059705496e4125ed869592ab38853df03
Instruction ID: 6efe840885d1cb0892e9b4644a51bf0dd5425ec42a4bf819e558b6822e160f84
Opcode Fuzzy Hash: 20e800b2178aa173a456de3b5ecc6ae059705496e4125ed869592ab38853df03
Instruction Fuzzy Hash: 4F318135A00508DFDB00DF54D888EADBBB5FF08318F088099E8099B362DB35EC5ACB60

Function 008416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00800668
Part of subcall function 007FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00800685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
GetLastError.KERNEL32 ref: 0084174A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: bcab9685d18ebb94b255b57f906d206f5b31d81dd06b9969dd4ae4b62744e8b3
Instruction ID: fe989f0c2a72e6dd002f1624a80e06fce5e25e503ff595e2927111f7ba794d3c
Opcode Fuzzy Hash: bcab9685d18ebb94b255b57f906d206f5b31d81dd06b9969dd4ae4b62744e8b3
Instruction Fuzzy Hash: 1F1191B2514308AFD7189F54DC8AD6AB7F9FF44714B20852EE05A97255EB70FC818A60

Function 0084D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0084D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0084D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0084D650

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 798d909805eaabc18f7bb980361b2613eda3b6debadb72845539dfb0ae2749f2
Instruction ID: 30e35524f9f492bbb38e2bec34441e0f4a3b2b6370165c8dc826a16f9afdbf18
Opcode Fuzzy Hash: 798d909805eaabc18f7bb980361b2613eda3b6debadb72845539dfb0ae2749f2
Instruction Fuzzy Hash: 17113C75E05228BBDB108F999C49FAFBBBCFB45B50F108165F908E7294D6704A058BA1

Function 00841663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0084168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008416A1
FreeSid.ADVAPI32(?), ref: 008416B1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ecd86a5432a02c3295e92c652c8d2c844aba5334b5d177b30bbaf39cada1dbb
Instruction ID: ea7b432809dd4c763b6f13f9e2284bc5cf974ebfea8693327b07005009bf831c
Opcode Fuzzy Hash: 8ecd86a5432a02c3295e92c652c8d2c844aba5334b5d177b30bbaf39cada1dbb
Instruction Fuzzy Hash: FBF0F47195030DFBDF00DFE49C89EAEBBBCFB08604F504565E501E2181E774EA848BA0

Function 0081C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0081C36C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 4b5b617ec1f250d398fa9b8ef8b91a394beb6ff10cbd5c67f1f270bc6be4df4a
Instruction ID: 929bb3c45948f8c5acdb2497733d3a80999ecaeb5dac3b49c8b25479c02c6dfd
Opcode Fuzzy Hash: 4b5b617ec1f250d398fa9b8ef8b91a394beb6ff10cbd5c67f1f270bc6be4df4a
Instruction Fuzzy Hash: 5E410272940219ABCB249EB9CC89EEB77BCFF84714F5042A9F915D7280E6709D818B50

Function 0083D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0083D28C

Strings

X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7175645fb2f355e0269aca7315639c7dc72608761dc92d3534817552e6321a6b
Instruction ID: bbc92bd3153f5cb0fc3aac5d6a321fa9b605d7292918ab786e7de768dfa78316
Opcode Fuzzy Hash: 7175645fb2f355e0269aca7315639c7dc72608761dc92d3534817552e6321a6b
Instruction Fuzzy Hash: F5D0C9B480111DEACF90CB90EC88DDAB37CBB14305F100155F506E2100DB7495489F50

Function 0080CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 077a239a27aa962e5209a539ce3bf758a933cc806e2f31b0267ecfbc7e00e1a2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 62021D71E002199FDF54CFA9D8806ADFBF1FF48314F25826AE819E7384D731AA418B94

Function 008568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00856918
FindClose.KERNEL32(00000000), ref: 00856961

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86dc60d9b5b12071c7518c2da2541a439fe1d7f6095aa681fefb8299f957b11d
Instruction ID: 40c820d1c2ae7e12eaee8a7270cd692f15277472a2f1eb7e5e0da2159a4e7b01
Opcode Fuzzy Hash: 86dc60d9b5b12071c7518c2da2541a439fe1d7f6095aa681fefb8299f957b11d
Instruction Fuzzy Hash: 8611D0356142009FC710CF2AD488A16BBE0FF88329F44C69DE8698F2A2DB34EC45CB91

Function 008537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00864891,?,?,00000035,?), ref: 008537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00864891,?,?,00000035,?), ref: 008537F4

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 36b9f5cdc5024152588110460a029efe519055c073100c97c231ee5d8933a7a6
Instruction ID: 7cf843e7c4c665b1ef276d9c155e9501f86e17ad331a45dd77959a7767f8f424
Opcode Fuzzy Hash: 36b9f5cdc5024152588110460a029efe519055c073100c97c231ee5d8933a7a6
Instruction Fuzzy Hash: DDF0EC716052286AE71017765C4DFDB369DFFC8761F000175F509D3295D9609944C7B0

Function 0084B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0084B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0084B270

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 04a46aea55bb48c28077f3d9d5358c703544957f3c9dc31bd3eb8e08ae3ab350
Instruction ID: b4f19aa099e8ddb42a62c020facabc272144224eadd64857d404f9f63cc2d28f
Opcode Fuzzy Hash: 04a46aea55bb48c28077f3d9d5358c703544957f3c9dc31bd3eb8e08ae3ab350
Instruction Fuzzy Hash: 1CF01D7180424EABDB059FA4C805BAE7BB4FF04309F008009F955A6191D779C6519F94

Function 008410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008411FC), ref: 008410D4
CloseHandle.KERNEL32(?,?,008411FC), ref: 008410E9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d32d1abf316f81f1679f3750bcef16ddef006b28f3de12707f0b3876af0b699f
Instruction ID: 8a7d62d83ac26e74cb32a7a1d4c88eaed18ee345705cc9a66158037469b92281
Opcode Fuzzy Hash: d32d1abf316f81f1679f3750bcef16ddef006b28f3de12707f0b3876af0b699f
Instruction Fuzzy Hash: 67E04F32004A00EEF7252B11FC0DE7377A9FF04320B10882DF5A9815B5DB62ACD0DB50

Function 007ECAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00830C40

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 23c3006d0fce190a24cad745b7ff1161c23377d6e136793316daf2b3cbd55e7f
Instruction ID: b6e42193384b3dedefc2ccbbac90b419cd7d45887deadea8fb9ea14142f84221
Opcode Fuzzy Hash: 23c3006d0fce190a24cad745b7ff1161c23377d6e136793316daf2b3cbd55e7f
Instruction Fuzzy Hash: D232DF78A01258DFCF15DF95C895BEDB7B5FF48304F244059E806AB292C739AE46CBA0

Function 0081676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00816766,?,?,00000008,?,?,0081FEFE,00000000), ref: 00816998

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fe068044b41415b7b8a2ebb119997012df1cea8e0deedd71521e6b61feb0f722
Instruction ID: 8a9afc1d323184f1f848444284e89d668533c93d42226338aeb3380b03bdf3bd
Opcode Fuzzy Hash: fe068044b41415b7b8a2ebb119997012df1cea8e0deedd71521e6b61feb0f722
Instruction Fuzzy Hash: AEB14C31610609DFD715CF28C48ABA57BE4FF45368F298658E8D9CF2A2D335E9A1CB40

Function 007FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0083851F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: abed6d7762589a6e70ccba8731ee62e5556cb9389c9ec99ad0d2e33c28c3fb30
Instruction ID: d6f0efe4600d3f19cb5a2b72ca39dafb75a21b2544772b9a574de0b3d24b25fc
Opcode Fuzzy Hash: abed6d7762589a6e70ccba8731ee62e5556cb9389c9ec99ad0d2e33c28c3fb30
Instruction Fuzzy Hash: E5124D71A00229DFCB14DF58C980ABEB7B5FF48710F14819AE949EB355EB349A81CF90

Function 0085EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0085EABD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a3d067be208f5edc9e03b9d5aa31ac7cc46c2bf949e2c3e4c0ca4e16c0de058e
Instruction ID: 7e3f6a5dfe5c6edc58790e53eb902a3498678d84f3ba1d90e5878513541d2f0d
Opcode Fuzzy Hash: a3d067be208f5edc9e03b9d5aa31ac7cc46c2bf949e2c3e4c0ca4e16c0de058e
Instruction Fuzzy Hash: C4E012352002149FC710DF6AD848D5AB7DDFF68760F00841AFD49C7251D674E9458B90

Function 008009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008003EE), ref: 008009DA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1dd8d928e2385aa07a170b77be7b8067b5c5db13c29e4f20a7ec184f4e48bb1d
Instruction ID: ad557c10b0d22d89e7664099dfaf15f5735a327b9e532266a9a244bbf693dc6a
Opcode Fuzzy Hash: 1dd8d928e2385aa07a170b77be7b8067b5c5db13c29e4f20a7ec184f4e48bb1d
Instruction Fuzzy Hash:

Function 0080781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0080798B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e12d4a1f2c4efeb71ee1e80b3dbe49af3918bf2e340f92685bb9866892de6424
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 47516861F0C6499BDBF8852C8C5D7BE2B85FB52304F188539D882C72D2CA19FE41D36A

Function 00816DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2117dee7d94df1f0ce5fe3752f34bac5c90ab932553b8524c4f6bd28a1c92d50
Instruction ID: 7199afbfc3963731c37f9d75f186c157c2ff0bca2ca6b15ae371a2ce9c18eeaa
Opcode Fuzzy Hash: 2117dee7d94df1f0ce5fe3752f34bac5c90ab932553b8524c4f6bd28a1c92d50
Instruction Fuzzy Hash: 4C32E131D29F014DD7239638D822365A69DBFB73C5F15D73BE81AB59A6EB29C4C34200

Function 007FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c2969b92cb426e591de7db69d5a65f0c77f97a6afbf492e540e78e63adbc9d
Instruction ID: 55ff59a4e6aceed4afdf76b0416b250f4065381f232a200d09b0053c9c8a92d2
Opcode Fuzzy Hash: 27c2969b92cb426e591de7db69d5a65f0c77f97a6afbf492e540e78e63adbc9d
Instruction Fuzzy Hash: 22324732A0015D8BDF29CF29C59067DBBA1FBC5314F28812AD94AEB391E334DD81DB90

Function 007E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2b82f7540c9a9d81cb4395fe42cc5aadec166ef09875b9269dfe6d8da449fd
Instruction ID: 6661ba2833a28949274c4e3d0d0126887fc3438e66b692055e41a3f48bd6eedb
Opcode Fuzzy Hash: 4d2b82f7540c9a9d81cb4395fe42cc5aadec166ef09875b9269dfe6d8da449fd
Instruction Fuzzy Hash: 5622B3B0A04659DFDF18CF69D985AAEB3F5FF48300F104529E816EB291EB39AD50CB50

Function 007E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dca07547413d6a931f999d358ea473dfeb14913b7ade8a2f576e5e9d1fe495c
Instruction ID: 157916b012ac2538c4a5c32a1481b27dbf4ed34894825aa9a30887b56a120bc0
Opcode Fuzzy Hash: 6dca07547413d6a931f999d358ea473dfeb14913b7ade8a2f576e5e9d1fe495c
Instruction Fuzzy Hash: A802D6B1E00219EBDF04DF55E885AAEB7B5FF54300F108169E906DB391EB35AE50CB85

Function 00819EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db48e34b8015a9a356737feec80cb9ce94780ac12ae5716c5351749696b05d0
Instruction ID: aef65c18f0358bc6cbb754b25e1a9c0e04ea43e90eea24b891005d5940828084
Opcode Fuzzy Hash: 6db48e34b8015a9a356737feec80cb9ce94780ac12ae5716c5351749696b05d0
Instruction Fuzzy Hash: 43B1CF30D2AF414DD2239639D825336B65CBFBB6D5F91D71BFC2674E62EB2286834240

Function 00801C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bbfafb76e796cb20bf4a2027fe21f65eb2b21cfdf779055359a8e0255bd3cf43
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: DD9168722090A349EFA94639897C03EFFE1FA523B535A079DD8F2CA1C5FE14D554D620

Function 00801F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 65a265286ac18350a97781130d606e4f578ec4721ad889a375838a5146442af2
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: AF9155722091A349EBA942398D7C43EFFE1EA923B131A079DD4F2CB1C5EE64D554E620

Function 008019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f9a5d24fc462bf9e01e1647b225a526d4a08f6caeb3ab1fcf495547d80768a91
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1F9122722090A34EEFA9467A897C03EFFE1EA923B535A079DD4F2CA1C1FE14D554D620

Function 00807A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcff08c3557746cfe7a48bdd5dc0cba97c561025b12ccac3609404be3442cd1
Instruction ID: 42a6cd199ef40d380872b008430ee872e71694b1330e3983a440532c9b6932ac
Opcode Fuzzy Hash: ddcff08c3557746cfe7a48bdd5dc0cba97c561025b12ccac3609404be3442cd1
Instruction Fuzzy Hash: 17616B31F08759A6EEF4592C8CB5BBE3394FF41764F100919E982DB2C1DA51BE82C356

Function 00807CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b9c6e8c96c208f7ab10e2e4ffe6bacf8e3b57384a699a4412cc10018b8c5cd
Instruction ID: 424192a364dd91e1af257e0258fca0e79fc0fbbc8666afe539cca7c56b6806b4
Opcode Fuzzy Hash: 52b9c6e8c96c208f7ab10e2e4ffe6bacf8e3b57384a699a4412cc10018b8c5cd
Instruction Fuzzy Hash: C8614971F0870DA6DEF85A2C8C55BBF2394FF52B04F100959ED82DB6C5EA12FD828256

Function 00801706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f8738c5524010a718c926ff9806895f4097dcd6b62f43e2049d5423f0ffffee4
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: EB8169335090A349DFAD4279897C43EFFE1FA923B135A47ADD4F2CA1C5EE148654D620

Function 00852046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38e5257db7a5132202ac9d520ca012cb21740dc7b8fa4424aa6033816645a3f
Instruction ID: d4bb5c3b8e04f5e1d9a8d2b503db810325acd07c79fd4109b1d532ba9e481074
Opcode Fuzzy Hash: d38e5257db7a5132202ac9d520ca012cb21740dc7b8fa4424aa6033816645a3f
Instruction Fuzzy Hash: 0A21A8326616118BDB28CE79C81267E73E5F765310F15862EE4A7C77D0DE35A904CB40

Function 00862ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00862B30
DeleteObject.GDI32(00000000), ref: 00862B43
DestroyWindow.USER32 ref: 00862B52
GetDesktopWindow.USER32 ref: 00862B6D
GetWindowRect.USER32(00000000), ref: 00862B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00862CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00862CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862CF8
GetClientRect.USER32(00000000,?), ref: 00862D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00862D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D80
GlobalLock.KERNEL32(00000000), ref: 00862D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D98
GlobalUnlock.KERNEL32(00000000), ref: 00862DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862DA8
GlobalFree.KERNEL32(00000000), ref: 00862DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0087FC38,00000000), ref: 00862DDB
GlobalFree.KERNEL32(00000000), ref: 00862DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00862E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00862E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0086303F

Strings

static, xrefs: 00862D3A, 00862E91
DISPLAY, xrefs: 00862EA2
AutoIt v3, xrefs: 00862CF2
, xrefs: 00862FC5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4a203d25e07e31f275b2a622d9a8bbe513c8fce1c237f104a967afae6743e36d
Instruction ID: 09c8bf8c4eaca8f38e94d6ca0b47b8551dab95a3c5fc38ef0333d0860fb48b95
Opcode Fuzzy Hash: 4a203d25e07e31f275b2a622d9a8bbe513c8fce1c237f104a967afae6743e36d
Instruction Fuzzy Hash: 28023771A00209EFDB14DF64CC8DEAE7BB9FB48710F148158F919AB2A5DB74E941CB60

Function 008770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0087712F
GetSysColorBrush.USER32(0000000F), ref: 00877160
GetSysColor.USER32(0000000F), ref: 0087716C
SetBkColor.GDI32(?,000000FF), ref: 00877186
SelectObject.GDI32(?,?), ref: 00877195
InflateRect.USER32(?,000000FF,000000FF), ref: 008771C0
GetSysColor.USER32(00000010), ref: 008771C8
CreateSolidBrush.GDI32(00000000), ref: 008771CF
FrameRect.USER32(?,?,00000000), ref: 008771DE
DeleteObject.GDI32(00000000), ref: 008771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00877230
FillRect.USER32(?,?,?), ref: 00877262
GetWindowLongW.USER32(?,000000F0), ref: 00877284

Part of subcall function 008773E8: GetSysColor.USER32(00000012), ref: 00877421
Part of subcall function 008773E8: SetTextColor.GDI32(?,?), ref: 00877425
Part of subcall function 008773E8: GetSysColorBrush.USER32(0000000F), ref: 0087743B
Part of subcall function 008773E8: GetSysColor.USER32(0000000F), ref: 00877446
Part of subcall function 008773E8: GetSysColor.USER32(00000011), ref: 00877463
Part of subcall function 008773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00877471
Part of subcall function 008773E8: SelectObject.GDI32(?,00000000), ref: 00877482
Part of subcall function 008773E8: SetBkColor.GDI32(?,00000000), ref: 0087748B
Part of subcall function 008773E8: SelectObject.GDI32(?,?), ref: 00877498
Part of subcall function 008773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008774B7
Part of subcall function 008773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008774CE
Part of subcall function 008773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008774DB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b032e2a8d1c4ef8c8a0ec37a5c0ef801955e5b2140840a9a237be8efc67983c5
Instruction ID: f650494eed841eef67acb9f936fdb083f53a4936e992434ea83899a513911acc
Opcode Fuzzy Hash: b032e2a8d1c4ef8c8a0ec37a5c0ef801955e5b2140840a9a237be8efc67983c5
Instruction Fuzzy Hash: 13A19072008301AFD7109F60DC4CA6B7BA9FB49320F504A2DF96AD71E5D771E984CB61

Function 007F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00836AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00836AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00836F43

Part of subcall function 007F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007F8BE8,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8FC5

SendMessageW.USER32(?,00001053), ref: 00836F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00836F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00836FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00836FB7

Strings

0, xrefs: 00836DCF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3da564dc42c759cf6e04ce2255d2b2f4ec2a5559776088f10b7e371047a93a1c
Instruction ID: 6271a8b144c266907542f991677129917c28acec520b768d5374cba6514a0b38
Opcode Fuzzy Hash: 3da564dc42c759cf6e04ce2255d2b2f4ec2a5559776088f10b7e371047a93a1c
Instruction Fuzzy Hash: FE12AF30200645EFDB65CF28C858BB5BBE1FF85310F548569E589CB261DB36ECA1CB91

Function 00862711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0086273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0086286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00862900
GetClientRect.USER32(00000000,?), ref: 0086290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00862955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00862964
GetStockObject.GDI32(00000011), ref: 00862974
SelectObject.GDI32(00000000,00000000), ref: 00862978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00862988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00862991
DeleteDC.GDI32(00000000), ref: 0086299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00862A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00862A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00862A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00862A77
GetStockObject.GDI32(00000011), ref: 00862A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00862A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00862A97

Strings

static, xrefs: 0086294F, 00862A71
msctls_progress32, xrefs: 00862A13
DISPLAY, xrefs: 0086295A
AutoIt v3, xrefs: 008628F8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0e432f99cc05730cd0a4af0e24cd84f275866740c6fca832ed38a29406515772
Instruction ID: de86a6dc0556fdc22dd40c354aed284d757b76639e42890bce012e7b3cc9e272
Opcode Fuzzy Hash: 0e432f99cc05730cd0a4af0e24cd84f275866740c6fca832ed38a29406515772
Instruction Fuzzy Hash: 3AB14D71A00615AFEB14DF69DC89FAE7BA9FB08714F104258F915EB290D774ED40CBA0

Function 00854ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00854AED
GetDriveTypeW.KERNEL32(?,0087CB68,?,\\.\,0087CC08), ref: 00854BCA
SetErrorMode.KERNEL32(00000000,0087CB68,?,\\.\,0087CC08), ref: 00854D36

Strings

MMC, xrefs: 00854CDE
Removable, xrefs: 00854C10, 00854C15
FileBackedVirtual, xrefs: 00854CEC
SCSI, xrefs: 00854C8A
Unknown, xrefs: 00854BED, 00854C83
1394, xrefs: 00854C9F
PhysicalDrive, xrefs: 00854B76
SSA, xrefs: 00854CA6
Virtual, xrefs: 00854CE5
SSD, xrefs: 00854C4A
ATA, xrefs: 00854C98
RAMDisk, xrefs: 00854BF4
CDROM, xrefs: 00854BFB
iSCSI, xrefs: 00854CC2
\\.\, xrefs: 00854B3F
RAID, xrefs: 00854CBB
Network, xrefs: 00854C02
SAS, xrefs: 00854CC9
USB, xrefs: 00854CB4
ATAPI, xrefs: 00854C91
Fixed, xrefs: 00854C09
SATA, xrefs: 00854CD0
Fibre, xrefs: 00854CAD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ea00c08d27bd1f621cfc87244abdec5be51d5b7fb66bfcdb2bc8605c1d1c7d4e
Instruction ID: efd330362d168ec73a22a197b23fde5e9da76bea4dbe150208029c2323a31910
Opcode Fuzzy Hash: ea00c08d27bd1f621cfc87244abdec5be51d5b7fb66bfcdb2bc8605c1d1c7d4e
Instruction Fuzzy Hash: 8561F330205209EBDB04DF24C98596877B0FB8538EB286015FC16EBB95EB3ADDD9DB41

Function 008773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00877421
SetTextColor.GDI32(?,?), ref: 00877425
GetSysColorBrush.USER32(0000000F), ref: 0087743B
GetSysColor.USER32(0000000F), ref: 00877446
CreateSolidBrush.GDI32(?), ref: 0087744B
GetSysColor.USER32(00000011), ref: 00877463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00877471
SelectObject.GDI32(?,00000000), ref: 00877482
SetBkColor.GDI32(?,00000000), ref: 0087748B
SelectObject.GDI32(?,?), ref: 00877498
InflateRect.USER32(?,000000FF,000000FF), ref: 008774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0087752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00877554
InflateRect.USER32(?,000000FD,000000FD), ref: 00877572
DrawFocusRect.USER32(?,?), ref: 0087757D
GetSysColor.USER32(00000011), ref: 0087758E
SetTextColor.GDI32(?,00000000), ref: 00877596
DrawTextW.USER32(?,008770F5,000000FF,?,00000000), ref: 008775A8
SelectObject.GDI32(?,?), ref: 008775BF
DeleteObject.GDI32(?), ref: 008775CA
SelectObject.GDI32(?,?), ref: 008775D0
DeleteObject.GDI32(?), ref: 008775D5
SetTextColor.GDI32(?,?), ref: 008775DB
SetBkColor.GDI32(?,?), ref: 008775E5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c0724d57e638a592d39c81f42c33bd9e1d886f5d6489698476da28ac53767a86
Instruction ID: f8c449cfc56d7a713514f588a4f42a87a442efbb5333efb02476b40dd9603725
Opcode Fuzzy Hash: c0724d57e638a592d39c81f42c33bd9e1d886f5d6489698476da28ac53767a86
Instruction Fuzzy Hash: FE614072900218AFDF119FA4DC49AAE7F79FB09320F118125F919AB2A5D775D980CFA0

Function 00870FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00871128
GetDesktopWindow.USER32 ref: 0087113D
GetWindowRect.USER32(00000000), ref: 00871144
GetWindowLongW.USER32(?,000000F0), ref: 00871199
DestroyWindow.USER32(?), ref: 008711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0087120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0087121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00871232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00871245
IsWindowVisible.USER32(00000000), ref: 008712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008712D0
GetWindowRect.USER32(00000000,?), ref: 008712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0087130E
GetMonitorInfoW.USER32(00000000,?), ref: 00871328
CopyRect.USER32(?,?), ref: 0087133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008713AA

Strings

0, xrefs: 008710D3
tooltips_class32, xrefs: 008711E6
(, xrefs: 0087131B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5f4e86d2cbbd00796ccd77a564ffcb35a882f4cf2f4757ec96864524276eae13
Instruction ID: 91bdc857130f3346c89d5349ec9d62aad57a0f04a12f19fb3bc07efc4e2dbff5
Opcode Fuzzy Hash: 5f4e86d2cbbd00796ccd77a564ffcb35a882f4cf2f4757ec96864524276eae13
Instruction Fuzzy Hash: 40B17B71604341AFDB14DF69C888B6ABBE4FF88354F00891CF999DB265C731E844CBA1

Function 00870241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008702E5
_wcslen.LIBCMT ref: 0087031F
_wcslen.LIBCMT ref: 00870389
_wcslen.LIBCMT ref: 008703F1
_wcslen.LIBCMT ref: 00870475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008704C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00870504

Part of subcall function 007FF9F2: _wcslen.LIBCMT ref: 007FF9FD

Part of subcall function 0084223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00842258
Part of subcall function 0084223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0084228A

Strings

DESELECT, xrefs: 0087059C
VIEWCHANGE, xrefs: 00870675
GETSUBITEMCOUNT, xrefs: 00870384, 0087039F
SELECTALL, xrefs: 00870515
GETTEXT, xrefs: 008703EC, 00870407
ISSELECTED, xrefs: 008704DD
SELECTCLEAR, xrefs: 0087052D
SELECTINVERT, xrefs: 0087057E
SELECT, xrefs: 00870548
GETSELECTEDCOUNT, xrefs: 00870470, 0087048B
GETITEMCOUNT, xrefs: 00870316, 00870337
GETSELECTED, xrefs: 008705E1
FINDITEM, xrefs: 00870627

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5745da6a04a3d9d89576c80a1891b39659642e681894bd50cbd92ae00819ba6e
Instruction ID: 99cacdc51631cbbd9e50586d7e22fe5143f3fbe8fb866358551d88816239efea
Opcode Fuzzy Hash: 5745da6a04a3d9d89576c80a1891b39659642e681894bd50cbd92ae00819ba6e
Instruction Fuzzy Hash: 04E18D31208245DBC714DF28C89082AB7E5FF98318F14895CF99AEB7A9DB34ED45CB42

Function 007F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007F8968
GetSystemMetrics.USER32(00000007), ref: 007F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007F899B
GetSystemMetrics.USER32(00000008), ref: 007F89A3
GetSystemMetrics.USER32(00000004), ref: 007F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007F8A5A
GetStockObject.GDI32(00000011), ref: 007F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007F8A81

Part of subcall function 007F912D: GetCursorPos.USER32(?), ref: 007F9141
Part of subcall function 007F912D: ScreenToClient.USER32(00000000,?), ref: 007F915E
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000001), ref: 007F9183
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000002), ref: 007F919D

SetTimer.USER32(00000000,00000000,00000028,007F90FC), ref: 007F8AA8

Strings

AutoIt v3 GUI, xrefs: 007F8A20

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b4ad47e73e3088a1aa9ea173148a45ff3f28a417ee1345ea092f6dd69d9c2100
Instruction ID: cfe5d75562dfccd401fec10e450baf2de4c51b0595bf4dcd4a5c6fd98a98f196
Opcode Fuzzy Hash: b4ad47e73e3088a1aa9ea173148a45ff3f28a417ee1345ea092f6dd69d9c2100
Instruction Fuzzy Hash: F6B14E71A00209AFDF14DFA8CC59BAE7BB5FB48314F508229FA15EB290DB74E950CB51

Function 00840D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
Part of subcall function 008410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
Part of subcall function 008410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
Part of subcall function 008410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00840DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00840E29
GetLengthSid.ADVAPI32(?), ref: 00840E40
GetAce.ADVAPI32(?,00000000,?), ref: 00840E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00840E96
GetLengthSid.ADVAPI32(?), ref: 00840EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00840EB5
HeapAlloc.KERNEL32(00000000), ref: 00840EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00840EDD
CopySid.ADVAPI32(00000000), ref: 00840EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00840F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00840F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00840F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F6E
HeapFree.KERNEL32(00000000), ref: 00840F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F7E
HeapFree.KERNEL32(00000000), ref: 00840F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F8E
HeapFree.KERNEL32(00000000), ref: 00840F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00840FA1
HeapFree.KERNEL32(00000000), ref: 00840FA8

Part of subcall function 00841193: GetProcessHeap.KERNEL32(00000008,00840BB1,?,00000000,?,00840BB1,?), ref: 008411A1
Part of subcall function 00841193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00840BB1,?), ref: 008411A8
Part of subcall function 00841193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00840BB1,?), ref: 008411B7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7e316f0157d1662149d88cc297bc06e8c337c575f49969d411ff71f3be8fccc8
Instruction ID: ef156a85607528efee8cd6a1039f93e6e7d2aca2f1e99e096bf1b8d01f23ebd2
Opcode Fuzzy Hash: 7e316f0157d1662149d88cc297bc06e8c337c575f49969d411ff71f3be8fccc8
Instruction Fuzzy Hash: 84712C7290020AABDF209FA4DC48FAFBBB8FF05310F144129EA59E7191DB759945CFA0

Function 0086C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0087CC08,00000000,?,00000000,?,?), ref: 0086C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0086C5A4
_wcslen.LIBCMT ref: 0086C5F4
_wcslen.LIBCMT ref: 0086C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0086C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0086C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0086C84D
RegCloseKey.ADVAPI32(?), ref: 0086C881
RegCloseKey.ADVAPI32(00000000), ref: 0086C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0086C960

Strings

REG_DWORD, xrefs: 0086C804
REG_EXPAND_SZ, xrefs: 0086C5CD
REG_SZ, xrefs: 0086C644
REG_MULTI_SZ, xrefs: 0086C6F5
REG_BINARY, xrefs: 0086C913
REG_QWORD, xrefs: 0086C8C3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 19c48a0c1f029b84c3db63f1c76982a9e1e5366ad1581b07140ae122398a4892
Instruction ID: d669df238cc02f5e33e2a484f1a85790a3d36787e86240f1d557d7b86ea9ef23
Opcode Fuzzy Hash: 19c48a0c1f029b84c3db63f1c76982a9e1e5366ad1581b07140ae122398a4892
Instruction Fuzzy Hash: 6F126735204600DFDB14DF29C885A2AB7E5FF88714F05889CF99A9B3A2DB35ED41CB81

Function 0087091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008709C6
_wcslen.LIBCMT ref: 00870A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00870A54
_wcslen.LIBCMT ref: 00870A8A
_wcslen.LIBCMT ref: 00870B06
_wcslen.LIBCMT ref: 00870B81

Part of subcall function 007FF9F2: _wcslen.LIBCMT ref: 007FF9FD

Part of subcall function 00842BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00842BFA

Strings

COLLAPSE, xrefs: 00870B01, 00870B1C
EXPAND, xrefs: 00870BF8
GETITEMCOUNT, xrefs: 00870C1E
CHECK, xrefs: 00870A85, 00870AA0
GETSELECTED, xrefs: 00870C4E
GETTEXT, xrefs: 00870C97
EXISTS, xrefs: 00870B7C, 00870B97
ISCHECKED, xrefs: 00870CE1
GETTOTALCOUNT, xrefs: 008709F2, 00870A17
SELECT, xrefs: 00870D11
UNCHECK, xrefs: 00870D3E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5aeea50b84af30f7b7ba64bf1bd172d3ab1d41d8251d60a77cf974691dda064c
Instruction ID: 4a48eb5c4f094e4c246a20b3354ee5302ba65d303ae8bdab4e51bd1ec288721f
Opcode Fuzzy Hash: 5aeea50b84af30f7b7ba64bf1bd172d3ab1d41d8251d60a77cf974691dda064c
Instruction Fuzzy Hash: CAE15631208745DFC714DF29C45092AB7E2FF98318F148958F89A9B3A6DB34EE45CB82

Function 0086C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
_wcslen.LIBCMT ref: 0086C9F1
_wcslen.LIBCMT ref: 0086CA68
_wcslen.LIBCMT ref: 0086CA9E
_wcslen.LIBCMT ref: 0086CAF9
_wcslen.LIBCMT ref: 0086CB2F
_wcslen.LIBCMT ref: 0086CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0086CAF3, 0086CAF8
HKEY_CURRENT_CONFIG, xrefs: 0086CB79, 0086CB7E
HKLM, xrefs: 0086CA98, 0086CA9D
HKEY_LOCAL_MACHINE, xrefs: 0086CA62, 0086CA67
HKCU, xrefs: 0086CBCE
HKU, xrefs: 0086CBF0
HKCR, xrefs: 0086CB29, 0086CB2E
HKCC, xrefs: 0086CBAC
HKEY_CURRENT_USER, xrefs: 0086CBBD
HKEY_USERS, xrefs: 0086CBDF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b6e848b1e150d7fbee545d49f82e56a5688dd0d89ce52f1cbb1f4a87066ff6b1
Instruction ID: 7e00c37187a95fce9ac984899b75f0f2a00d80164db25773f3c16b268216f2c1
Opcode Fuzzy Hash: b6e848b1e150d7fbee545d49f82e56a5688dd0d89ce52f1cbb1f4a87066ff6b1
Instruction Fuzzy Hash: E071057260016A8BCB20DEBCCD516BE3391FF65764F160128FDA6DB294EA35DD44D3A0

Function 0087833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087835A
_wcslen.LIBCMT ref: 0087836E
_wcslen.LIBCMT ref: 00878391
_wcslen.LIBCMT ref: 008783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00875BF2), ref: 0087844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00878487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00878501
FreeLibrary.KERNEL32(?), ref: 0087850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0087851D
DestroyIcon.USER32(?,?,?,?,?,00875BF2), ref: 0087852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00878549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00878555

Strings

.exe, xrefs: 00878388
.icl, xrefs: 00878368
.dll, xrefs: 008783AB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a68fcb6da99944faecd09b22b39b9e92b40b4927b065bed45881c24bdf02cd08
Instruction ID: bc1ff0c42ef99c4131400d5f132cc8f652332ce9f19f60a35e633ddbc16fd401
Opcode Fuzzy Hash: a68fcb6da99944faecd09b22b39b9e92b40b4927b065bed45881c24bdf02cd08
Instruction Fuzzy Hash: 8661D2B1580215FEEB14DF68CC49BBE7BA8FB08B11F108509F919D61D1DBB4E990DBA0

Function 007E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00825169
#ce, xrefs: 007E78ED
#OnAutoItStartRegister, xrefs: 007E7817
", xrefs: 00825153
#notrayicon, xrefs: 007E77E7
#cs, xrefs: 007E7873, 007E78C5
Bad directive syntax error, xrefs: 0082519A
#comments-start, xrefs: 007E785F, 007E78B1
Cannot parse #include, xrefs: 00825279
#requireadmin, xrefs: 007E77FF
#pragma compile, xrefs: 007E77D3
#include-once, xrefs: 007E782F
#comments-end, xrefs: 007E78D9
Unterminated group of comments, xrefs: 0082528C
#include, xrefs: 007E7847

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e2f0e4ac2774082d9215babdc3bcedba5f99c5802d315843bd8a94e23cc290a6
Instruction ID: e410a2be3ed957e26fa123a152a2df12efeb3a807d83837eea5423ca9b036052
Opcode Fuzzy Hash: e2f0e4ac2774082d9215babdc3bcedba5f99c5802d315843bd8a94e23cc290a6
Instruction Fuzzy Hash: 9F81F171645215FBDB24AF65DC46FAF37A8FF19300F044024F908EA296EB78DA91C7A1

Function 00853E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00853EF8
_wcslen.LIBCMT ref: 00853F03
_wcslen.LIBCMT ref: 00853F5A
_wcslen.LIBCMT ref: 00853F98
GetDriveTypeW.KERNEL32(?), ref: 00853FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0085401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00854059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00854087

Strings

type cdaudio alias cd wait, xrefs: 00854001
close, xrefs: 00853EFE, 00853F18
closed, xrefs: 00853F08, 00853F2D, 00853F46, 00853F7E, 00853F97
set cd door , xrefs: 00854028
wait, xrefs: 00854044
open , xrefs: 00853FE5
close cd wait, xrefs: 00854072
open, xrefs: 00853F54, 00853F59

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e8b15870c71c377f343c523053e2064b9e0689da865bee16e57afe6d2e9de112
Instruction ID: c661fda0c7f9fa58799f373886ad22e69f6e373459f512d653b5fd7a58c51236
Opcode Fuzzy Hash: e8b15870c71c377f343c523053e2064b9e0689da865bee16e57afe6d2e9de112
Instruction Fuzzy Hash: E471F2726042019FC310EF24C88086AB7F4FF987A8F14492DF9A5D72A5EB35ED49CB91

Function 00845A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00845A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00845A40
SetWindowTextW.USER32(?,?), ref: 00845A57
GetDlgItem.USER32(?,000003EA), ref: 00845A6C
SetWindowTextW.USER32(00000000,?), ref: 00845A72
GetDlgItem.USER32(?,000003E9), ref: 00845A82
SetWindowTextW.USER32(00000000,?), ref: 00845A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00845AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00845AC3
GetWindowRect.USER32(?,?), ref: 00845ACC
_wcslen.LIBCMT ref: 00845B33
SetWindowTextW.USER32(?,?), ref: 00845B6F
GetDesktopWindow.USER32 ref: 00845B75
GetWindowRect.USER32(00000000), ref: 00845B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00845BD3
GetClientRect.USER32(?,?), ref: 00845BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00845C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00845C2F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 614d9418947767c785911f29459dff3385b27531bc3ee28c333398be001d3a41
Instruction ID: 8643b082377d9739ca1c6484ac79867d95885142cb107a56c859c99e9578e42c
Opcode Fuzzy Hash: 614d9418947767c785911f29459dff3385b27531bc3ee28c333398be001d3a41
Instruction Fuzzy Hash: 07713831900B09AFDB20DFA8CE89AAEBBF5FB48714F10491CE546E35A1D775E944CB50

Function 0085FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0085FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0085FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0085FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0085FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0085FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0085FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0085FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0085FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0085FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0085FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0085FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0085FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0085FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0085FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0085FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0085FECC
GetCursorInfo.USER32(?), ref: 0085FEDC
GetLastError.KERNEL32 ref: 0085FF1E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9d2f91b5b153747df47aabc116e8c9dfd3131426489f6b38667f7f7e3fc7ea8a
Instruction ID: e09a6cffb4ea05f9a02cb306ab50c0818e54b6cf0b5db476c1d9e40126c4c2d4
Opcode Fuzzy Hash: 9d2f91b5b153747df47aabc116e8c9dfd3131426489f6b38667f7f7e3fc7ea8a
Instruction Fuzzy Hash: 794172B0D04319AADB109FBA8C8985EBFE8FF04354B50452AF51DE7281DB78E901CF90

Function 008000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008000C6

Part of subcall function 008000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008B070C,00000FA0,E89FEBB4,?,?,?,?,008223B3,000000FF), ref: 0080011C
Part of subcall function 008000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008223B3,000000FF), ref: 00800127
Part of subcall function 008000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008223B3,000000FF), ref: 00800138
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0080014E
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0080015C
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0080016A
Part of subcall function 008000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00800195
Part of subcall function 008000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008001A0

___scrt_fastfail.LIBCMT ref: 008000E7

Part of subcall function 008000A3: __onexit.LIBCMT ref: 008000A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00800122
SleepConditionVariableCS, xrefs: 00800154
InitializeConditionVariable, xrefs: 00800148
kernel32.dll, xrefs: 00800133
WakeAllConditionVariable, xrefs: 00800162

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 39200d1b95b2fe56549275d85ddb216450d3c2e355f31f175447717cc3e1065f
Instruction ID: 640ba0c8cd71f4a7ebf46701e8baaf5d536e04456e6765375544b826c2d0b3ad
Opcode Fuzzy Hash: 39200d1b95b2fe56549275d85ddb216450d3c2e355f31f175447717cc3e1065f
Instruction Fuzzy Hash: C4210432A44710ABE7605B64AC0EB6E7794FB06B60F00413AF919E33D6DF78D8008EA5

Function 008430F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084318D
_wcslen.LIBCMT ref: 008431F8

Strings

CLASS, xrefs: 00843188, 008431A5
INSTANCE, xrefs: 00843453
CLASSNN, xrefs: 008431F3, 00843204
NAME, xrefs: 00843335, 00843346
REGEXPCLASS, xrefs: 00843255, 00843266
TEXT, xrefs: 0084347C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b625a102be8a02b69e088cc17f57687c099c5394542f81f4fbabfac7599c4cb5
Instruction ID: 64e2c57503d0167a7082d45a32986939414e0016ad156ca77ab423198eb44d75
Opcode Fuzzy Hash: b625a102be8a02b69e088cc17f57687c099c5394542f81f4fbabfac7599c4cb5
Instruction Fuzzy Hash: C4E1D432A0051EEBCB18DFA8C8516EDFBB0FF54714F558129E556F7280EB70AE8587A0

Function 008544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0087CC08), ref: 00854527
_wcslen.LIBCMT ref: 0085453B
_wcslen.LIBCMT ref: 00854599
_wcslen.LIBCMT ref: 008545F4
_wcslen.LIBCMT ref: 0085463F
_wcslen.LIBCMT ref: 008546A7

Part of subcall function 007FF9F2: _wcslen.LIBCMT ref: 007FF9FD

GetDriveTypeW.KERNEL32(?,008A6BF0,00000061), ref: 00854743

Strings

removable, xrefs: 008545EA, 008545EF
fixed, xrefs: 00854635, 0085463A
all, xrefs: 00854531, 00854536
network, xrefs: 0085469D, 008546A2
unknown, xrefs: 00854708
ramdisk, xrefs: 008546F1
cdrom, xrefs: 0085458F, 00854594

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3b20afcb533e956be005fb54d79a28eb5b87f4884d6fbca59e24bdd5eefa7ed4
Instruction ID: e123e69304046c8d477b7cd57ea434b609413a10a70b9800cb84497cb222099b
Opcode Fuzzy Hash: 3b20afcb533e956be005fb54d79a28eb5b87f4884d6fbca59e24bdd5eefa7ed4
Instruction Fuzzy Hash: 80B125316083029FC710DF28C890A6AB7E5FFA9769F50591DF996C7291E730D889CB62

Function 00863FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0087CC08), ref: 008640BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008640CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0087CC08), ref: 008640F2
FreeLibrary.KERNEL32(00000000,?,0087CC08), ref: 0086413E
StringFromGUID2.OLE32(?,?,00000028,?,0087CC08), ref: 008641A8
SysFreeString.OLEAUT32(00000009), ref: 00864262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008642C8
SysFreeString.OLEAUT32(?), ref: 008642F2

Strings

GetModuleHandleExW, xrefs: 008640C7
kernel32.dll, xrefs: 008640B6

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 908f85f260ded3212395e91a2c08565807de76d582daff7f269e866998363188
Instruction ID: 4723cd5d1386fc7207046c6d3f72b64fdc985048c6922c31583f444e5dc8c524
Opcode Fuzzy Hash: 908f85f260ded3212395e91a2c08565807de76d582daff7f269e866998363188
Instruction Fuzzy Hash: 6D124D75A00119EFDB14DF54C888EAEB7B5FF45318F259098E906DB251CB31ED86CBA0

Function 007E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008B1990), ref: 00822F8D
GetMenuItemCount.USER32(008B1990), ref: 0082303D
GetCursorPos.USER32(?), ref: 00823081
SetForegroundWindow.USER32(00000000), ref: 0082308A
TrackPopupMenuEx.USER32(008B1990,00000000,?,00000000,00000000,00000000), ref: 0082309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008230A9

Strings

0, xrefs: 007E327D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5eefdcc32615ea1e66af65009d054a5205b3478b95bc0fcb92ccd2baeb260908
Instruction ID: e771a4a0e76b886e2dd357f9bd2d2ffc85e4e6327ff0694a9207d57e7662d3f8
Opcode Fuzzy Hash: 5eefdcc32615ea1e66af65009d054a5205b3478b95bc0fcb92ccd2baeb260908
Instruction Fuzzy Hash: A2712930644255BEEB318F29DC8DF9ABF68FF04324F204216F628AB1E0C7B5A990D751

Function 00876CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00876DEB

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00876E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00876E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00876E94
DestroyWindow.USER32(?), ref: 00876EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007E0000,00000000), ref: 00876EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00876EFD
GetDesktopWindow.USER32 ref: 00876F16
GetWindowRect.USER32(00000000), ref: 00876F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00876F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00876F4D

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

Strings

tooltips_class32, xrefs: 00876E58, 00876EDD
0, xrefs: 00876D98

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0f2711ff5aa438a8df288190de25b6dce43c35b3a711089a874e82fb55d85162
Instruction ID: 989a42019e7c4e07edccd39f4f2b0431b77edb7940a7920c99561d0f0fae4e6f
Opcode Fuzzy Hash: 0f2711ff5aa438a8df288190de25b6dce43c35b3a711089a874e82fb55d85162
Instruction Fuzzy Hash: DB719771104244AFDB21DF28DC88FAABBE9FB88304F64851DF989C7265DB70E959CB11

Function 0087911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00879147

Part of subcall function 00877674: ClientToScreen.USER32(?,?), ref: 0087769A
Part of subcall function 00877674: GetWindowRect.USER32(?,?), ref: 00877710
Part of subcall function 00877674: PtInRect.USER32(?,?,00878B89), ref: 00877720

SendMessageW.USER32(?,000000B0,?,?), ref: 008791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00879225
SendMessageW.USER32(?,000000B0,?,?), ref: 0087923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00879255
SendMessageW.USER32(?,000000B1,?,?), ref: 00879277
DragFinish.SHELL32(?), ref: 0087927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00879371

Strings

@GUI_DRAGFILE, xrefs: 00879320
@GUI_DROPID, xrefs: 0087929E
@GUI_DRAGID, xrefs: 008792E9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 036ad532a9567cc0f2743839e8889f3067468608e87231bf4a9557930cce787c
Instruction ID: 4c9f32257da8a351ff5ddf8bf57441f5f34db66f228d09d5cc27bace47a0c254
Opcode Fuzzy Hash: 036ad532a9567cc0f2743839e8889f3067468608e87231bf4a9557930cce787c
Instruction Fuzzy Hash: A7615872108340AFD701EF65CC89DABBBE8FB99350F40091DF6A5922A1DB30DA49CB52

Function 0085C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0085C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0085C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0085C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0085C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0085C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0085C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0085C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0085C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0085C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0085C5F0
InternetCloseHandle.WININET(00000000), ref: 0085C5FB

Strings

, xrefs: 0085C575

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 06dcd59b610ee993537639bf023c08a12e5eb8ae3b6601b38d74a8077e49f6f9
Instruction ID: 9601407974eab3e95e6b2b79c406f267798abe948641efb824c4e6ac67b7656f
Opcode Fuzzy Hash: 06dcd59b610ee993537639bf023c08a12e5eb8ae3b6601b38d74a8077e49f6f9
Instruction Fuzzy Hash: 00512CB1500708BFDB219FA4C988AAB7BBCFB04795F00451DF949D7250EB74EA489F61

Function 0087856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00878592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785BA
GlobalLock.KERNEL32(00000000), ref: 008785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785D7
GlobalUnlock.KERNEL32(00000000), ref: 008785E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008785F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0087FC38,?), ref: 00878611
GlobalFree.KERNEL32(00000000), ref: 00878621
GetObjectW.GDI32(?,00000018,?), ref: 00878641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00878671
DeleteObject.GDI32(?), ref: 00878699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008786AF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bd2f8909a2560206c77be52c88c1c56d4843b5dcea2f7508076d37a31885a4ca
Instruction ID: d3628e6d2bb297b55a167320bcf411f78d5da067cce3c3b7022a5db931719235
Opcode Fuzzy Hash: bd2f8909a2560206c77be52c88c1c56d4843b5dcea2f7508076d37a31885a4ca
Instruction Fuzzy Hash: 04411775640208FFDB119FA5CC8CEAA7BB8FB99B15F108058F909E7264DB30D941CB60

Function 008514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00851502
VariantCopy.OLEAUT32(?,?), ref: 0085150B
VariantClear.OLEAUT32(?), ref: 00851517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00851657
VariantInit.OLEAUT32(?), ref: 00851708
SysFreeString.OLEAUT32(?), ref: 0085178C
VariantClear.OLEAUT32(?), ref: 008517D8
VariantClear.OLEAUT32(?), ref: 008517E7
VariantInit.OLEAUT32(00000000), ref: 00851823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00851625
Default, xrefs: 008516AF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 056ea4e072ff1527c4d7b83a6ad5061a3f55076a91aeb5abecbacf13b7af60bd
Instruction ID: 4214e7f39622f97184da490f954cf91cc0a429e4cd0b5a4d8d4ff511611dcb68
Opcode Fuzzy Hash: 056ea4e072ff1527c4d7b83a6ad5061a3f55076a91aeb5abecbacf13b7af60bd
Instruction Fuzzy Hash: F3D1DE71A00109EBDF00AF65D88DB79B7B5FF48705F14805AF806EB290EB38E849DB61

Function 0086B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0086B80A
RegCloseKey.ADVAPI32(?), ref: 0086B87E
RegCloseKey.ADVAPI32(?), ref: 0086B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0086B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0086B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0086B922
FreeLibrary.KERNEL32(00000000), ref: 0086B983
RegCloseKey.ADVAPI32(00000000), ref: 0086B994

Strings

RegDeleteKeyExW, xrefs: 0086B8FE
advapi32.dll, xrefs: 0086B8ED

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 34929e797cdb351499fa701b2cdfaebc931760354804a084076c8a2da4e71e9f
Instruction ID: 1962399b901c6d55058c1708e78daab1f90020f7c933acef4b8c68ff1566f240
Opcode Fuzzy Hash: 34929e797cdb351499fa701b2cdfaebc931760354804a084076c8a2da4e71e9f
Instruction Fuzzy Hash: B1C17C35205241EFD714DF15C499F2ABBE5FF88308F15845CE5AA8B2A2CB35EC85CB91

Function 0086255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008625E8
CreateCompatibleDC.GDI32(?), ref: 008625F4
SelectObject.GDI32(00000000,?), ref: 00862601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0086266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008626D0
SelectObject.GDI32(?,?), ref: 008626D8
DeleteObject.GDI32(?), ref: 008626E1
DeleteDC.GDI32(?), ref: 008626E8
ReleaseDC.USER32(00000000,?), ref: 008626F3

Strings

(, xrefs: 0086268D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: abcd2fe7a42754effe80d8a72b0cdd8c0e7249636d2d58abf14740100e327d4f
Instruction ID: 1e550039b4f7c5e624ea22e6a401d3aafbeea1446ba643b66c256f6f26408667
Opcode Fuzzy Hash: abcd2fe7a42754effe80d8a72b0cdd8c0e7249636d2d58abf14740100e327d4f
Instruction Fuzzy Hash: B861E275D00619EFCF14CFA8D888AAEBBB5FF48310F208569E959A7250D770A951CFA0

Function 0081DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0081DAA1

Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D659
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D66B
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D67D
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D68F
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6A1
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6B3
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6C5
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6D7
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6E9
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6FB
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D70D
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D71F
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D731

_free.LIBCMT ref: 0081DA96

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081DAB8
_free.LIBCMT ref: 0081DACD
_free.LIBCMT ref: 0081DAD8
_free.LIBCMT ref: 0081DAFA
_free.LIBCMT ref: 0081DB0D
_free.LIBCMT ref: 0081DB1B
_free.LIBCMT ref: 0081DB26
_free.LIBCMT ref: 0081DB5E
_free.LIBCMT ref: 0081DB65
_free.LIBCMT ref: 0081DB82
_free.LIBCMT ref: 0081DB9A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0c832162cde3a2cc4a28db39e02b2540376502b279ce88c2aad35935de57619f
Instruction ID: aa0f878a77c4ebab8aefa1ef93768314bf22dcd3e6c36ed0f33fad107adc9d7a
Opcode Fuzzy Hash: 0c832162cde3a2cc4a28db39e02b2540376502b279ce88c2aad35935de57619f
Instruction Fuzzy Hash: E6312A326087059FEB21AA7DE845FDA7BEDFF10320F154429E449DB191DB35ACE08721

Function 0084365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0084369C
_wcslen.LIBCMT ref: 008436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00843797
GetClassNameW.USER32(?,?,00000400), ref: 0084380C
GetDlgCtrlID.USER32(?), ref: 0084385D
GetWindowRect.USER32(?,?), ref: 00843882
GetParent.USER32(?), ref: 008438A0
ScreenToClient.USER32(00000000), ref: 008438A7
GetClassNameW.USER32(?,?,00000100), ref: 00843921
GetWindowTextW.USER32(?,?,00000400), ref: 0084395D

Strings

%s%u, xrefs: 00843734

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 8c90ff1beb856800d964ad68ca5cfb8cc5561b242ac09d7fbf912b574481e1bc
Instruction ID: 2e12db102e63bc01f82a5a1eea9daf3f447a67f731a4e5405d01b152225e5c9c
Opcode Fuzzy Hash: 8c90ff1beb856800d964ad68ca5cfb8cc5561b242ac09d7fbf912b574481e1bc
Instruction Fuzzy Hash: 6291A17120470AAFD719DF24C885BAAFBE8FF54350F10852DF999D2190EB30EA55CB91

Function 00844954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00844994
GetWindowTextW.USER32(?,?,00000400), ref: 008449DA
_wcslen.LIBCMT ref: 008449EB
CharUpperBuffW.USER32(?,00000000), ref: 008449F7
_wcsstr.LIBVCRUNTIME ref: 00844A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00844A64
GetWindowTextW.USER32(?,?,00000400), ref: 00844A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00844AE6
GetClassNameW.USER32(?,?,00000400), ref: 00844B20
GetWindowRect.USER32(?,?), ref: 00844B8B

Strings

ThumbnailClass, xrefs: 00844A6F, 00844AF1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5ff0857c936beae3a9f839738d20267d031eba74ff34345fb6ddd9bf3856ce7c
Instruction ID: 0e36e68608c827bf139c05b83bcd5ab419ecff2e1e8a20d3608317f00e7d820a
Opcode Fuzzy Hash: 5ff0857c936beae3a9f839738d20267d031eba74ff34345fb6ddd9bf3856ce7c
Instruction Fuzzy Hash: 2291CE710042099FDB04DF54C985BAABBE8FF84314F04946EFD89DA196EB34ED45CBA2

Function 00878D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00878D5A
GetFocus.USER32 ref: 00878D6A
GetDlgCtrlID.USER32(00000000), ref: 00878D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00878E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00878ECF
GetMenuItemCount.USER32(?), ref: 00878EEC
GetMenuItemID.USER32(?,00000000), ref: 00878EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00878F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00878F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00878FA1

Strings

0, xrefs: 00878E9F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 211af93ddaa0a63374c8a43c5da114922e6ac3cc89fc474380d2fc29225059c3
Instruction ID: 9370ac5c3fd00c5aa1ff14ef8f0b449c9de48c41cf7cf1485e51a2eb1a88bdfe
Opcode Fuzzy Hash: 211af93ddaa0a63374c8a43c5da114922e6ac3cc89fc474380d2fc29225059c3
Instruction Fuzzy Hash: A881AE72548305DFDB10CF24C888AAB7BE9FB88354F14891DF998D7295DB31D940CBA2

Function 0084BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008B1990,000000FF,00000000,00000030), ref: 0084BFAC
SetMenuItemInfoW.USER32(008B1990,00000004,00000000,00000030), ref: 0084BFE1
Sleep.KERNEL32(000001F4), ref: 0084BFF3
GetMenuItemCount.USER32(?), ref: 0084C039
GetMenuItemID.USER32(?,00000000), ref: 0084C056
GetMenuItemID.USER32(?,-00000001), ref: 0084C082
GetMenuItemID.USER32(?,?), ref: 0084C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0084C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084C145

Strings

0, xrefs: 0084BF3D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d1c3fd8fa0dcbed930f4810e376506b35476cf2ea11f7d822e6977d62e7ec60f
Instruction ID: 97deb67b403e3d3464b1a5c741f259682545c572464d6436a7556c7d35f9e66a
Opcode Fuzzy Hash: d1c3fd8fa0dcbed930f4810e376506b35476cf2ea11f7d822e6977d62e7ec60f
Instruction Fuzzy Hash: 9B618BB090124EAFDF51CF68CC88AAEBBB8FB05348F000159E815E7292DB35ED45CB61

Function 0084DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0084DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0084DC46
_wcslen.LIBCMT ref: 0084DC50
_wcsstr.LIBVCRUNTIME ref: 0084DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0084DCBC

Strings

04090000, xrefs: 0084DCF2
StringFileInfo\, xrefs: 0084DC8F
\VarFileInfo\Translation, xrefs: 0084DCB4
%u.%u.%u.%u, xrefs: 0084DD9A
DefaultLangCodepage, xrefs: 0084DD1F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e22f6d053e60f4e940bc7313ed09c544952df00c1cd62b769cb7ae5db89188bb
Instruction ID: 31c575ae2946daa3a82dbcdc11b41a07f10bafdee5d5d9940b9d4aca46f82f0b
Opcode Fuzzy Hash: e22f6d053e60f4e940bc7313ed09c544952df00c1cd62b769cb7ae5db89188bb
Instruction Fuzzy Hash: 1E410672940308BBDB04A7799C47EBF77ACFF42760F144069FA04E72D2EA68D90187A5

Function 0086CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0086CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0086CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0086CD48

Part of subcall function 0086CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0086CCAA
Part of subcall function 0086CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0086CCBD
Part of subcall function 0086CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0086CCCF
Part of subcall function 0086CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0086CD05
Part of subcall function 0086CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0086CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0086CCF3

Strings

RegDeleteKeyExW, xrefs: 0086CCC9
advapi32.dll, xrefs: 0086CCB8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: aeb6ea434ed80e09ef35d7df12681b92af18eaead7fe09032a640aa9c131b7dc
Instruction ID: de234654d3d046584b7dcc402961ce8f719fd22be3308a15484652ea119432de
Opcode Fuzzy Hash: aeb6ea434ed80e09ef35d7df12681b92af18eaead7fe09032a640aa9c131b7dc
Instruction Fuzzy Hash: 02315C71A01129BBDB209B54DC88EFFBB7CFF56750F010169A949E3244DA349A85AAF0

Function 00853D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00853D40
_wcslen.LIBCMT ref: 00853D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00853D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00853DBE
RemoveDirectoryW.KERNEL32(?), ref: 00853DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00853E55
CloseHandle.KERNEL32(00000000), ref: 00853E60
CloseHandle.KERNEL32(00000000), ref: 00853E6B

Strings

:, xrefs: 00853D82
\??\%s, xrefs: 00853D5B
\, xrefs: 00853D77

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 228b538ac829e1cf989a5e83703bf859970663fd605203828b880e5e936fe045
Instruction ID: 51575a76265dec01819d957b6413c8b12319ba63f7dd657860d1b3417dd7cb37
Opcode Fuzzy Hash: 228b538ac829e1cf989a5e83703bf859970663fd605203828b880e5e936fe045
Instruction Fuzzy Hash: B631A572500109ABDB219BA4DC49FEB37BDFF89741F1040B9F919D6164EB74D7848B24

Function 0084E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0084E6B4

Part of subcall function 007FE551: timeGetTime.WINMM(?,?,0084E6D4), ref: 007FE555

Sleep.KERNEL32(0000000A), ref: 0084E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0084E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0084E727
SetActiveWindow.USER32 ref: 0084E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0084E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0084E773
Sleep.KERNEL32(000000FA), ref: 0084E77E
IsWindow.USER32 ref: 0084E78A
EndDialog.USER32(00000000), ref: 0084E79B

Strings

BUTTON, xrefs: 0084E719

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9ea1c91b897738351d918b01ce39639e47a1aefc355a8ec1f78c0f024d593511
Instruction ID: b93eab40b1162cefb1695b0fd908098546f6adf5a0a5bc8b2029326945ad8c41
Opcode Fuzzy Hash: 9ea1c91b897738351d918b01ce39639e47a1aefc355a8ec1f78c0f024d593511
Instruction Fuzzy Hash: 612190B0600208AFEB109FA4ECCEE263B69F775399F101529F51AC22B5DB75EC40DB25

Function 0084E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0084EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0084EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0084EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0084EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0084EAA7

Strings

play PlayMe, xrefs: 0084EAA2
status PlayMe mode, xrefs: 0084EA58
close PlayMe, xrefs: 0084EA6E, 0084EA9B
open , xrefs: 0084EA0C
play PlayMe wait, xrefs: 0084EA91
alias PlayMe, xrefs: 0084EA36

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 477886800a30856961ba3650311254afe1ef182f619970d175585747eead20d1
Instruction ID: a496ce6e1792f3290523e7566690407ffe4abf470de3aa42179d1fc21c5c3945
Opcode Fuzzy Hash: 477886800a30856961ba3650311254afe1ef182f619970d175585747eead20d1
Instruction Fuzzy Hash: 5011BF21A50269B9E720E3A2DC4EDFB6A7CFBD2B40F0804297821E20D5EEB40944C5B0

Function 00849F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0084A012
SetKeyboardState.USER32(?), ref: 0084A07D
GetAsyncKeyState.USER32(000000A0), ref: 0084A09D
GetKeyState.USER32(000000A0), ref: 0084A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0084A0E3
GetKeyState.USER32(000000A1), ref: 0084A0F4
GetAsyncKeyState.USER32(00000011), ref: 0084A120
GetKeyState.USER32(00000011), ref: 0084A12E
GetAsyncKeyState.USER32(00000012), ref: 0084A157
GetKeyState.USER32(00000012), ref: 0084A165
GetAsyncKeyState.USER32(0000005B), ref: 0084A18E
GetKeyState.USER32(0000005B), ref: 0084A19C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eca64f135a93c597954f01e7670df7dfdde90d4436f7e72728af000dc5b0bac6
Instruction ID: b55e3af94791083987f141e7cb0afd2744095eb800c4e83ae63c4ab15a7f70a3
Opcode Fuzzy Hash: eca64f135a93c597954f01e7670df7dfdde90d4436f7e72728af000dc5b0bac6
Instruction Fuzzy Hash: F951B62054478C29FB39DBA488547ABBFB5FF11380F084599D5C2DB1C2DA949A8CC763

Function 00845CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00845CE2
GetWindowRect.USER32(00000000,?), ref: 00845CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00845D59
GetDlgItem.USER32(?,00000002), ref: 00845D69
GetWindowRect.USER32(00000000,?), ref: 00845D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00845DCF
GetDlgItem.USER32(?,000003E9), ref: 00845DDD
GetWindowRect.USER32(00000000,?), ref: 00845DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00845E31
GetDlgItem.USER32(?,000003EA), ref: 00845E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00845E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00845E67

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d4e3ba3c6fb48b82a0af4d26fddc9d760e5bda520bbc94a48734df65b1dc171
Instruction ID: be2dd80571847d403393bf4db8d5f15278711de09d2b984838e0eeaeb535399d
Opcode Fuzzy Hash: 7d4e3ba3c6fb48b82a0af4d26fddc9d760e5bda520bbc94a48734df65b1dc171
Instruction Fuzzy Hash: 24510C71A00609AFDB18CF68DD89AAEBBB5FF48300F54812DF519E7295D770AE44CB50

Function 007F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007F8BE8,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8FC5

DestroyWindow.USER32(?), ref: 007F8C81
KillTimer.USER32(00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00836973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 008369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 008369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000), ref: 008369D4
DeleteObject.GDI32(00000000), ref: 008369E6

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 380329afc88cb2e9353496f6ff9bcc4f62ba0b50d56b276a6c431841fd943946
Instruction ID: db0ea710d718e057bff8e802e8ae8dde778a7d1398de99abd32e83e08fa11ab9
Opcode Fuzzy Hash: 380329afc88cb2e9353496f6ff9bcc4f62ba0b50d56b276a6c431841fd943946
Instruction Fuzzy Hash: 0D61A030101618EFDB659F18D95CB36BBF1FB40312F54865CE1469B760CB39A9A0CFA2

Function 007F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

GetSysColor.USER32(0000000F), ref: 007F9862

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b925dc681f7f9cae5d5ce5f8ca37009cdd8bf657f97beae06f73c2ee0889e1dd
Instruction ID: 74bb0062c253cc07963a20cf9205eec14a3368679e0a1ccf5f5f968ce7551474
Opcode Fuzzy Hash: b925dc681f7f9cae5d5ce5f8ca37009cdd8bf657f97beae06f73c2ee0889e1dd
Instruction Fuzzy Hash: A741AF31104648AFDB309F389C88BB93BA5FB46370F544619FBA68B2E5D735D981DB20

Function 008496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0082F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00849717
LoadStringW.USER32(00000000,?,0082F7F8,00000001), ref: 00849720

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0082F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00849742
LoadStringW.USER32(00000000,?,0082F7F8,00000001), ref: 00849745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00849866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0084984A
Line %d:, xrefs: 008497A0
^ ERROR, xrefs: 008497FB
Line %d (File "%s"):, xrefs: 0084978F
Error: , xrefs: 0084981D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: e9137172efc78fecbafe92a769fc5b4e0582e752b247e82c5a1e392613261a4f
Instruction ID: abd9943294cfeea549fbebb99ac597fef703e0ad54e7b2f4df757c60bac684e7
Opcode Fuzzy Hash: e9137172efc78fecbafe92a769fc5b4e0582e752b247e82c5a1e392613261a4f
Instruction Fuzzy Hash: 2241517280125DAADF14EBE5CD4ADEEB778FF59340F600025F605B2192EA396F48CB61

Function 008406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00840804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0084082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00840837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0084083C

Strings

\CLSID, xrefs: 00840724
SOFTWARE\Classes\, xrefs: 0084070E
\IPC$, xrefs: 00840784

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: db6e3b19c04609c817820d0b5cc00b607e7ad80799db0d44605863c513e36326
Instruction ID: 22b1ea62efeaacbf50afa58f660a9473979ccb0cd9d7149f46d2aa46281142e6
Opcode Fuzzy Hash: db6e3b19c04609c817820d0b5cc00b607e7ad80799db0d44605863c513e36326
Instruction Fuzzy Hash: 96410772C11229EBDF11EBA4DC89CEEB778FF48350B144129E915A7161EB34AE44CFA0

Function 00873F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0087403B
CreateCompatibleDC.GDI32(00000000), ref: 00874042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00874055
SelectObject.GDI32(00000000,00000000), ref: 0087405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00874068
DeleteDC.GDI32(00000000), ref: 00874072
GetWindowLongW.USER32(?,000000EC), ref: 0087407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00874092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0087409E

Strings

static, xrefs: 00873FD3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0824594832684bd18924039879f95a674ed2a4ca7f26d4ab98be63c4430afcce
Instruction ID: bce870355acab4ae2356a824ff0ebdf0f95f67505bc1c7959ccb9b89cfd989ad
Opcode Fuzzy Hash: 0824594832684bd18924039879f95a674ed2a4ca7f26d4ab98be63c4430afcce
Instruction Fuzzy Hash: 8B318E32101219EBDF219FA8CC48FDA3B68FF0D764F104214FA29E61A4C775D890DB60

Function 00863C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00863C5C
CoInitialize.OLE32(00000000), ref: 00863C8A
CoUninitialize.OLE32 ref: 00863C94
_wcslen.LIBCMT ref: 00863D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00863DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00863ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00863F0E
CoGetObject.OLE32(?,00000000,0087FB98,?), ref: 00863F2D
SetErrorMode.KERNEL32(00000000), ref: 00863F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00863FC4
VariantClear.OLEAUT32(?), ref: 00863FD8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a23c7695a2b87371d690a3a125ea2ef754bbaf5675f5d4323b49bfeac8498181
Instruction ID: d5127f8f4799599f0d0f85313f76c8d52ec0e60db721c968fb3b6e1ae17b72c7
Opcode Fuzzy Hash: a23c7695a2b87371d690a3a125ea2ef754bbaf5675f5d4323b49bfeac8498181
Instruction Fuzzy Hash: CFC13571608205AFC700DF68C88492BB7E9FF89748F15491DF98ADB251DB31EE45CB52

Function 00857A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00857AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00857B8F
SHGetDesktopFolder.SHELL32(?), ref: 00857BA3
CoCreateInstance.OLE32(0087FD08,00000000,00000001,008A6E6C,?), ref: 00857BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00857C74
CoTaskMemFree.OLE32(?,?), ref: 00857CCC
SHBrowseForFolderW.SHELL32(?), ref: 00857D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00857D7A
CoTaskMemFree.OLE32(00000000), ref: 00857D81
CoTaskMemFree.OLE32(00000000), ref: 00857DD6
CoUninitialize.OLE32 ref: 00857DDC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 35cd593f128d01f8ce7d92f890a066d29f125815159d433a177a30d1467fbc66
Instruction ID: da9636d4b332ac0a3b4ed1facaba2ed7ae5d038c45a8eec3d9453ca061dd05fd
Opcode Fuzzy Hash: 35cd593f128d01f8ce7d92f890a066d29f125815159d433a177a30d1467fbc66
Instruction Fuzzy Hash: CEC12A75A04109EFCB14DFA4D888DAEBBB9FF48315B1484A8E91ADB361D730ED45CB90

Function 0087541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00875504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00875515
CharNextW.USER32(00000158), ref: 00875544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00875585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0087559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008755AC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 300d16a65dcefc4fb17b0956af35f5d9c0ad0d0a84b70b9a6bad837bab336559
Instruction ID: 2096cef42e93bf5a2aae6bdeb6a418c6b621543f95a304b99c94e595911181f4
Opcode Fuzzy Hash: 300d16a65dcefc4fb17b0956af35f5d9c0ad0d0a84b70b9a6bad837bab336559
Instruction Fuzzy Hash: 3E618E70904608ABDF108F54DC88AFE7BB9FB15764F108149F629EB298D7B4DA80DB61

Function 0083FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0083FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0083FB08
VariantInit.OLEAUT32(?), ref: 0083FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0083FB3A
VariantCopy.OLEAUT32(?,?), ref: 0083FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0083FBA1
VariantClear.OLEAUT32(?), ref: 0083FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0083FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0083FBCC
VariantClear.OLEAUT32(?), ref: 0083FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0083FBE9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2151c5544a4fe555419dc84f064502f0c0a3d02d3107361d0a44066145827268
Instruction ID: 7031c28a2cdf10e55eb56b8bf544d1250cca90247703006627bb853fedeb701d
Opcode Fuzzy Hash: 2151c5544a4fe555419dc84f064502f0c0a3d02d3107361d0a44066145827268
Instruction Fuzzy Hash: 0E412E75E002199FCB00DF68D8589AEBBB9FF48354F008069E955E7261D734E945CFE0

Function 00849C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00849CA1
GetAsyncKeyState.USER32(000000A0), ref: 00849D22
GetKeyState.USER32(000000A0), ref: 00849D3D
GetAsyncKeyState.USER32(000000A1), ref: 00849D57
GetKeyState.USER32(000000A1), ref: 00849D6C
GetAsyncKeyState.USER32(00000011), ref: 00849D84
GetKeyState.USER32(00000011), ref: 00849D96
GetAsyncKeyState.USER32(00000012), ref: 00849DAE
GetKeyState.USER32(00000012), ref: 00849DC0
GetAsyncKeyState.USER32(0000005B), ref: 00849DD8
GetKeyState.USER32(0000005B), ref: 00849DEA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70cb10166f9488bf001f75bae4b2745093ec604f13dba9021d2d068b36c76836
Instruction ID: b0dbf9a36778365c0db296c8fceb112a28d12a44b24e4ebcdffda62421060418
Opcode Fuzzy Hash: 70cb10166f9488bf001f75bae4b2745093ec604f13dba9021d2d068b36c76836
Instruction Fuzzy Hash: 8C4195349047CD6DFF319A6488447B7BEA0FB11344F04819EDAC6975C2EBA599C8C7A2

Function 0086055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008605BC
inet_addr.WSOCK32(?), ref: 0086061C
gethostbyname.WSOCK32(?), ref: 00860628
IcmpCreateFile.IPHLPAPI ref: 00860636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008607B9
WSACleanup.WSOCK32 ref: 008607BF

Strings

Ping, xrefs: 00860676

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e23930d92020c0180703556945891f9383e10e1db5fc7c56a8b5221a32df2fdc
Instruction ID: 5f9123c014a7731ccd0e95d874a0ff511ce8747d3cd1cf07334c5739d712ca89
Opcode Fuzzy Hash: e23930d92020c0180703556945891f9383e10e1db5fc7c56a8b5221a32df2fdc
Instruction Fuzzy Hash: A5917C356042419FD320CF15D889F1ABBE0FF48318F1585A9E46ADB6A2CB35ED45CF91

Function 00868CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00868CF3

Part of subcall function 00848E54: _wcslen.LIBCMT ref: 00848E77

_wcslen.LIBCMT ref: 00868D4E
_wcslen.LIBCMT ref: 00868D9C
_wcslen.LIBCMT ref: 00868DDC
_wcslen.LIBCMT ref: 00868E6E

Strings

none, xrefs: 00868E65, 00868E6A
cdecl, xrefs: 00868D48, 00868D4D
stdcall, xrefs: 00868DD6, 00868DDB
winapi, xrefs: 00868D96, 00868D9B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 168edcbc47e3f437c5796cb68692aadf202aac3f9dd8cd32f28ac8712385f248
Instruction ID: b6a65c72afc51014d98b34e67c9d34fa4eb5fcfaac411145b10a8e528533169d
Opcode Fuzzy Hash: 168edcbc47e3f437c5796cb68692aadf202aac3f9dd8cd32f28ac8712385f248
Instruction Fuzzy Hash: 54519072A00116DBCB24DF6CC9509BEB7A5FF64324B224329E92AE72C4DB35DD40C790

Function 0086372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00863774
CoUninitialize.OLE32 ref: 0086377F
CoCreateInstance.OLE32(?,00000000,00000017,0087FB78,?), ref: 008637D9
IIDFromString.OLE32(?,?), ref: 0086384C
VariantInit.OLEAUT32(?), ref: 008638E4
VariantClear.OLEAUT32(?), ref: 00863936

Strings

NULL Pointer assignment, xrefs: 0086381E
Failed to create object, xrefs: 008637E4, 0086389A
Invalid parameter, xrefs: 00863865

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1f25abca384a683be7e837edc0d89f94222aaa41179a5a8286dba2473eaa579f
Instruction ID: 44edbb7bb248f154dbab9924ff26c117f3339e0126f891c6f9c47810ae5a43d5
Opcode Fuzzy Hash: 1f25abca384a683be7e837edc0d89f94222aaa41179a5a8286dba2473eaa579f
Instruction Fuzzy Hash: 84618A71608301AFD310DF64D889BAABBE8FF49714F110829F985DB291D774EE48CB92

Function 00853388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008533CF

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008533F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00853504
Incorrect parameters to object property !, xrefs: 008534AB
"%s" (%d) : ==> %s:, xrefs: 00853522
Line %d (File "%s"):, xrefs: 00853443, 0085345C
^ ERROR , xrefs: 0085349E
Error: , xrefs: 008534D1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f7ef94a273ed99b14a2bc64bc96f63ee71c54619f2d3a0e3873d3d5f45ea3c14
Instruction ID: da680b3f5e02a5c78048244d18ea918ac1100ea0a158d9c61e579feac456206a
Opcode Fuzzy Hash: f7ef94a273ed99b14a2bc64bc96f63ee71c54619f2d3a0e3873d3d5f45ea3c14
Instruction Fuzzy Hash: B151B432801149EADF15EBA1CD4AEEEB778FF18340F244165F505B2162EB396F58CB61

Function 0084B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0084B5FC
_wcslen.LIBCMT ref: 0084B608
_wcslen.LIBCMT ref: 0084B64D
_wcslen.LIBCMT ref: 0084B68C
_wcslen.LIBCMT ref: 0084B6C7

Strings

APPEND, xrefs: 0084B6C1, 0084B6C6
EXISTS, xrefs: 0084B686, 0084B68B
REMOVE, xrefs: 0084B602, 0084B607
KEYS, xrefs: 0084B647, 0084B64C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: af83f8e3a790c3426455acb1ea411b47aba242d52de86d3dd67224130cb4f442
Instruction ID: 532a7d8c2a87a9ac9850d7016b6aab6c94cdd8b19c35e4583b31afae134bc834
Opcode Fuzzy Hash: af83f8e3a790c3426455acb1ea411b47aba242d52de86d3dd67224130cb4f442
Instruction Fuzzy Hash: 4A41D632A0112A9BCB209F7DCC905BE77A5FFB1754B264229E921DB294F735CD81C790

Function 00855393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00855416
GetLastError.KERNEL32 ref: 00855420
SetErrorMode.KERNEL32(00000000,READY), ref: 008554A7

Strings

READONLY, xrefs: 00855452
NOTREADY, xrefs: 0085544B
INVALID, xrefs: 00855459
UNKNOWN, xrefs: 00855444
READY, xrefs: 00855460, 00855468

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: de3b59ef482041cb9c52bc3b7a88ba401519a54caec9839fe2e5ac77b785168e
Instruction ID: d070c48cd0192075aab4163d737d9836e6a6cb7bd086ee6c0d77edc67a6fa988
Opcode Fuzzy Hash: de3b59ef482041cb9c52bc3b7a88ba401519a54caec9839fe2e5ac77b785168e
Instruction Fuzzy Hash: 0D31EA75A00504DFDB10DF68C498BA97BB4FF0530AF548069E905DF292E775DD8ACB90

Function 00873C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00873C79
SetMenu.USER32(?,00000000), ref: 00873C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00873D10
IsMenu.USER32(?), ref: 00873D24
CreatePopupMenu.USER32 ref: 00873D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00873D5B
DrawMenuBar.USER32 ref: 00873D63

Strings

0, xrefs: 00873C54
F, xrefs: 00873D4E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1f635f5016cf0d8d7b7247d5b28ed04599ae737366f682b0077bd75dc9b3065e
Instruction ID: 5063e996d541cf571c21a019d98b7be9b6c43efb16994608f67a05dd6bdc0404
Opcode Fuzzy Hash: 1f635f5016cf0d8d7b7247d5b28ed04599ae737366f682b0077bd75dc9b3065e
Instruction Fuzzy Hash: 51416875A01209EFDB24CF64D848AAABBB5FF49350F18402CE94AE7360D771EA10DB91

Function 00841EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00841F64
GetDlgCtrlID.USER32 ref: 00841F6F
GetParent.USER32 ref: 00841F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00841F8E
GetDlgCtrlID.USER32(?), ref: 00841F97
GetParent.USER32(?), ref: 00841FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00841FAE

Strings

ListBox, xrefs: 00841F21
ComboBox, xrefs: 00841EEC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0a6911810b02d4419739a46a684b7628ea9caea3b165459bb3c59d8ee62f9f3c
Instruction ID: e120f58b011efb06826bc6ce176216d72ac3289757c13ab64cf5334022092ea0
Opcode Fuzzy Hash: 0a6911810b02d4419739a46a684b7628ea9caea3b165459bb3c59d8ee62f9f3c
Instruction Fuzzy Hash: D921DA71900218BBCF04AFA0CC89DEEBBB4FF25310F100119F965A72A1DB399949DB70

Function 00841FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00842043
GetDlgCtrlID.USER32 ref: 0084204E
GetParent.USER32 ref: 0084206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0084206D
GetDlgCtrlID.USER32(?), ref: 00842076
GetParent.USER32(?), ref: 0084208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0084208D

Strings

ListBox, xrefs: 00842002
ComboBox, xrefs: 00841FCD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 49b83b79f4aef1c293376a95f1fbe7e9fa8b543f5ea32c362644273183b9516f
Instruction ID: a59b58523d565cf2c26272697d1b09009cfda79103bf1439df6dfdf1549fbc7e
Opcode Fuzzy Hash: 49b83b79f4aef1c293376a95f1fbe7e9fa8b543f5ea32c362644273183b9516f
Instruction Fuzzy Hash: 6021D171900218BBDF10AFA0CC89EEEBBB8FF29340F500449B955A72A1DB798955DB60

Function 00873A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00873A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00873AA0
GetWindowLongW.USER32(?,000000F0), ref: 00873AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00873AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00873B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00873BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00873BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00873BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00873BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00873C13

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6e06423a92627f33ce90aedeb75d2d53ceb42980e241e5dbcd4c659252a9fbf6
Instruction ID: e4e10b65c191c3328755e3f8f6376b89330075b9513e7d847bc2e28533e19673
Opcode Fuzzy Hash: 6e06423a92627f33ce90aedeb75d2d53ceb42980e241e5dbcd4c659252a9fbf6
Instruction Fuzzy Hash: 68619A71A00248AFDB11DFA8CC85EEE77B8FB49710F104199FA19EB2A1C770AE41DB51

Function 0084B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0084B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B165
GetWindowThreadProcessId.USER32(00000000), ref: 0084B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0084B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B21D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: de63e475788bf3e423e91e75417544c12d43deda883343b685b918295876489e
Instruction ID: 0c26e87fd69379f6c62df87fb7ee2c090267fdc82db08723f5c4e484b0c0e012
Opcode Fuzzy Hash: de63e475788bf3e423e91e75417544c12d43deda883343b685b918295876489e
Instruction Fuzzy Hash: DF3187B154061CAFDB20AF64DC88BAE7BA9FF61311F104119FA09D71A0D7B4DA828F64

Function 00812C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00812C94

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 00812CA0
_free.LIBCMT ref: 00812CAB
_free.LIBCMT ref: 00812CB6
_free.LIBCMT ref: 00812CC1
_free.LIBCMT ref: 00812CCC
_free.LIBCMT ref: 00812CD7
_free.LIBCMT ref: 00812CE2
_free.LIBCMT ref: 00812CED
_free.LIBCMT ref: 00812CFB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a7f055f88f25263e4bddfa15c1c66e68fe413d24ed8ec485edfe8e4c4a5ea0cc
Instruction ID: d21cda204ad00c7e9b34bbac0bf1a748988038753dd8cad37f1c16b5fdff2bc0
Opcode Fuzzy Hash: a7f055f88f25263e4bddfa15c1c66e68fe413d24ed8ec485edfe8e4c4a5ea0cc
Instruction Fuzzy Hash: 7D116676500108AFCB02EF58D942DDD3FA9FF05360F5145A5FA489F222DA31EAA09B91

Function 00857DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00857FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00857FC1
GetFileAttributesW.KERNEL32(?), ref: 00857FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00858005
SetCurrentDirectoryW.KERNEL32(?), ref: 00858017
SetCurrentDirectoryW.KERNEL32(?), ref: 00858060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008580B0

Strings

*.*, xrefs: 00858066

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f68bc37c621e0283baead669f5b470544924167d79050643d1c9cc99c224c3e1
Instruction ID: 6afa0487fcf1f3ebfa8b1094ec946433f447f98c6d48d226b850887433636ff7
Opcode Fuzzy Hash: f68bc37c621e0283baead669f5b470544924167d79050643d1c9cc99c224c3e1
Instruction Fuzzy Hash: 47818E72508345DBCB20EF15D8469AAB3E8FF88716F14886EFC89D7250EB34DD498B52

Function 007E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007E5C7A

Part of subcall function 007E5D0A: GetClientRect.USER32(?,?), ref: 007E5D30
Part of subcall function 007E5D0A: GetWindowRect.USER32(?,?), ref: 007E5D71
Part of subcall function 007E5D0A: ScreenToClient.USER32(?,?), ref: 007E5D99

GetDC.USER32 ref: 008246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00824708
SelectObject.GDI32(00000000,00000000), ref: 00824716
SelectObject.GDI32(00000000,00000000), ref: 0082472B
ReleaseDC.USER32(?,00000000), ref: 00824733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008247C4

Strings

U, xrefs: 00824693

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 851b563160308550cd8d1a6282dbab177e11d19543498a01dde318edddb40d63
Instruction ID: 662ee1b2c71f8cf492083ccfffa9cd9f1590fd8153edbfa9d0cf79e42167adf5
Opcode Fuzzy Hash: 851b563160308550cd8d1a6282dbab177e11d19543498a01dde318edddb40d63
Instruction Fuzzy Hash: 71710231500209DFCF218F64D984ABA3BB1FF4A314F245269ED659A1AAC731C8C1DF70

Function 0085359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008535E4

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

LoadStringW.USER32(008B2390,?,00000FFF,?), ref: 0085360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00853724
^ ERROR, xrefs: 008536C9
"%s" (%d) : ==> %s:, xrefs: 00853742
Line %d (File "%s"):, xrefs: 0085366B
Error: , xrefs: 008536EF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: b13fb744e0d6df10e68bd491837e6fa439e1bbc50d22ebd9b48f0eae3e79e9bc
Instruction ID: 8244531e8cb46e6c7c2c31a41bc9fbd3bf2dec243c8d146c356059f4766da9b3
Opcode Fuzzy Hash: b13fb744e0d6df10e68bd491837e6fa439e1bbc50d22ebd9b48f0eae3e79e9bc
Instruction Fuzzy Hash: 6B518F72C01249FADF15EBA1CC4AEEEBB78FF18341F544125F505B21A1EB342A98DB61

Function 00878B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

Part of subcall function 007F912D: GetCursorPos.USER32(?), ref: 007F9141
Part of subcall function 007F912D: ScreenToClient.USER32(00000000,?), ref: 007F915E
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000001), ref: 007F9183
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000002), ref: 007F919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00878B6B
ImageList_EndDrag.COMCTL32 ref: 00878B71
ReleaseCapture.USER32 ref: 00878B77
SetWindowTextW.USER32(?,00000000), ref: 00878C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00878C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00878CFF

Strings

@GUI_DRAGFILE, xrefs: 00878C9A
@GUI_DROPID, xrefs: 00878C51

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 09630d1193cec6d5f62368879ca45f61229f476f9a2a453e34ef8eb53744a2ac
Instruction ID: c1080b8b9198dd31b4c3cbb9c85e9b690c5a864811c03c3e7b87fe34d7c33ab5
Opcode Fuzzy Hash: 09630d1193cec6d5f62368879ca45f61229f476f9a2a453e34ef8eb53744a2ac
Instruction Fuzzy Hash: C9518C71105244AFD700DF24CC9AFAA77E4FB88714F40062DFA5A9B2A1CB75E944CB62

Function 0085C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0085C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0085C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0085C2CA
GetLastError.KERNEL32 ref: 0085C322
SetEvent.KERNEL32(?), ref: 0085C336
InternetCloseHandle.WININET(00000000), ref: 0085C341

Strings

, xrefs: 0085C2BB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ea896331ab46883f44eba524815dc69886cf14b5f711cb4fb826e1bb8b277958
Instruction ID: 5b159b829186fa4974fda6abd19d8685df7aa3b28a6a88c56904c92efa0ba8e3
Opcode Fuzzy Hash: ea896331ab46883f44eba524815dc69886cf14b5f711cb4fb826e1bb8b277958
Instruction Fuzzy Hash: 71315CB1500708AFD7219F688C88AAB7AFCFB49785F10851DA84AD3211DB70D9489F61

Function 0084989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00823AAF,?,?,Bad directive syntax error,0087CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008498BC
LoadStringW.USER32(00000000,?,00823AAF,?), ref: 008498C3

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00849987

Strings

Line %d:, xrefs: 00849912
%s (%d) : ==> %s.: %s %s, xrefs: 008498F1
Line %d (File "%s"):, xrefs: 0084992D
., xrefs: 0084996D
Error: , xrefs: 00849955

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d6b986f930422c5fc5732fcabfe4d6abc30094265f2afc71bdec0233d82a2f79
Instruction ID: 4212b5370a0e47581d40e62c84bedb61181ebe5277569445a5efeb4d88413d7c
Opcode Fuzzy Hash: d6b986f930422c5fc5732fcabfe4d6abc30094265f2afc71bdec0233d82a2f79
Instruction Fuzzy Hash: 7C21963280025DEBDF15AF90CC0EEEE7B35FF18304F044459F529A61A1EB759658CB21

Function 0084209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0084214D

Strings

smallicons, xrefs: 00842115
list, xrefs: 0084212F
SHELLDLL_DefView, xrefs: 008420CC
largeicons, xrefs: 008420E1
details, xrefs: 008420FB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 92a86d98dac852c53dc851e8f8465ca5db5292ec9fb3b3f697d64a4bc7ce8aa1
Instruction ID: 42bbaa94beb15060eb5626292530a0c759b2a019e68bd24ad326026be73f0a13
Opcode Fuzzy Hash: 92a86d98dac852c53dc851e8f8465ca5db5292ec9fb3b3f697d64a4bc7ce8aa1
Instruction Fuzzy Hash: 8911367A2CC70EB9F6012228DC0BDE6739CFB15725B60001AFB04E50D2FBA9B8825624

Function 00818D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a144290f4e106d4f175ed8c0e6bf0eaff8896fecda8a831069a684eaf603e7f
Instruction ID: 313529e7fd8e67676bf220023076fbd040f0f3058fa7a113c4d08d0fba1f7604
Opcode Fuzzy Hash: 1a144290f4e106d4f175ed8c0e6bf0eaff8896fecda8a831069a684eaf603e7f
Instruction Fuzzy Hash: 35C1C274A04249DFDB219FACD855BEDBBB8FF09310F144199E554E7392CB309982CB61

Function 0081CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0081CEB7
_free.LIBCMT ref: 0081CF22
_free.LIBCMT ref: 0081CF48
_free.LIBCMT ref: 0081CF71
_free.LIBCMT ref: 0081CFA9
_free.LIBCMT ref: 0081CFDA
_free.LIBCMT ref: 0081D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0081D09C
_free.LIBCMT ref: 0081D0B5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a4b53a825163773488bebd6bc83920db1f2b6cab2082c06c5721312c3fd81a3e
Instruction ID: 6e34eb480bc47ebf943aa966f02e650446cd90c2d66be068f4977040bbf8a922
Opcode Fuzzy Hash: a4b53a825163773488bebd6bc83920db1f2b6cab2082c06c5721312c3fd81a3e
Instruction Fuzzy Hash: 12611671944314AFDB21AFB89881BEA7BADFF05320F04426DF944D7282DB7199C2D791

Function 008750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00875186
ShowWindow.USER32(?,00000000), ref: 008751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008751D1

Part of subcall function 00876FBA: DeleteObject.GDI32(00000000), ref: 00876FE6

GetWindowLongW.USER32(?,000000F0), ref: 0087520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0087521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0087524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00875287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00875296

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8d85e7f81cc4f2afbceb3dbc6811c250345fbb8610cf62c0e940681eb6daab76
Instruction ID: a5d453b1c60528d18517e15db172845336b3328f5b476f35a223bdd1e69a89c0
Opcode Fuzzy Hash: 8d85e7f81cc4f2afbceb3dbc6811c250345fbb8610cf62c0e940681eb6daab76
Instruction Fuzzy Hash: E951B130A50A08FEEF209F24CC49B983B61FB05326F54C115FA2DD62E9CBB5E980DB51

Function 007F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00836890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00836901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0083691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0083692D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 91889cc3db8af290ae466a9608e92d31d9840d70ff4f03335c23b568ff918aae
Instruction ID: cce3c75a54a4b013897408945d1f0fbc80254270dd5c51cd1fad8836af35cadb
Opcode Fuzzy Hash: 91889cc3db8af290ae466a9608e92d31d9840d70ff4f03335c23b568ff918aae
Instruction Fuzzy Hash: 77514EB0600209EFDB20CF29CC59BAA7BB5FB58750F10451CFA56D72A0DB75E990DB50

Function 0085C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0085C182
GetLastError.KERNEL32 ref: 0085C195
SetEvent.KERNEL32(?), ref: 0085C1A9

Part of subcall function 0085C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0085C272
Part of subcall function 0085C253: GetLastError.KERNEL32 ref: 0085C322
Part of subcall function 0085C253: SetEvent.KERNEL32(?), ref: 0085C336
Part of subcall function 0085C253: InternetCloseHandle.WININET(00000000), ref: 0085C341

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: dfffc4999d4dc79ffbd45acb09dd447afd3398c411f922e3ceff251520119ef1
Instruction ID: 0a561eb570e7630138edf4a5fdf4ac15fc16ce114429376aff7fc1bff5358a8b
Opcode Fuzzy Hash: dfffc4999d4dc79ffbd45acb09dd447afd3398c411f922e3ceff251520119ef1
Instruction Fuzzy Hash: CC317A75200B05AFDB219FA9DC48A66BBE9FF18342F00441DF95AC7615DB30E8589FA0

Function 008425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00842601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00842605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0084260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00842623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00842627

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ba5d13290677cd1b96524843e1aab16a539fa1f744b8e35f7e237df841a38623
Instruction ID: aa2b3f4ce52098c7e792bca476eebc9b64243c45a4374d755309b7bbea397aa2
Opcode Fuzzy Hash: ba5d13290677cd1b96524843e1aab16a539fa1f744b8e35f7e237df841a38623
Instruction Fuzzy Hash: 2E01B530394624BBFB1067689C8EF593E59EB5AB11F510019F318EF0D5C9E15484CA6A

Function 00841803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00841449,?,?,00000000), ref: 0084180C
HeapAlloc.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 00841813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00841449,?,?,00000000), ref: 00841828
GetCurrentProcess.KERNEL32(?,00000000,?,00841449,?,?,00000000), ref: 00841830
DuplicateHandle.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 00841833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00841449,?,?,00000000), ref: 00841843
GetCurrentProcess.KERNEL32(00841449,00000000,?,00841449,?,?,00000000), ref: 0084184B
DuplicateHandle.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 0084184E
CreateThread.KERNEL32(00000000,00000000,00841874,00000000,00000000,00000000), ref: 00841868

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f4f151e1798a9d35bb0918f72daa59dd81d9233496e4c671d5f8b07b88abf991
Instruction ID: ef0c7813580624792f8a01a7c0af3f15a295e5390751c00a6e8d1500cdce2474
Opcode Fuzzy Hash: f4f151e1798a9d35bb0918f72daa59dd81d9233496e4c671d5f8b07b88abf991
Instruction Fuzzy Hash: 0E01A8B5240308BFE610ABA5DC4DF6B7BACFB89B11F404425FA09DB2A5CA74D8408B30

Function 0086A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0084D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0084D501
Part of subcall function 0084D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0084D50F
Part of subcall function 0084D4DC: CloseHandle.KERNELBASE(00000000), ref: 0084D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0086A16D
GetLastError.KERNEL32 ref: 0086A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0086A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0086A268
GetLastError.KERNEL32(00000000), ref: 0086A273
CloseHandle.KERNEL32(00000000), ref: 0086A2C4

Strings

SeDebugPrivilege, xrefs: 0086A18F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c96452427327ef59c5ea926022f47db0d2505c2a8849cf1dab92891d048d108d
Instruction ID: fa26f2bd8f954972ee74bd666b49734e18a7d2ff955d154c48504b65ebec1d43
Opcode Fuzzy Hash: c96452427327ef59c5ea926022f47db0d2505c2a8849cf1dab92891d048d108d
Instruction Fuzzy Hash: 50618B312042429FD724DF19C898F16BBA1FF54318F19849CE46A9B7A2C776EC85CB92

Function 00873886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00873925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0087393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00873954
_wcslen.LIBCMT ref: 00873999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008739F4

Strings

SysListView32, xrefs: 008738F7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d44dcc2acf2b50c9cc89a57719e700e984c33b125898afe7670401dbb2b1ea43
Instruction ID: 20170833b220a64a08139ef4a5bcebaaa813549cba754cfd2ad2c5021f65bab9
Opcode Fuzzy Hash: d44dcc2acf2b50c9cc89a57719e700e984c33b125898afe7670401dbb2b1ea43
Instruction Fuzzy Hash: FC41D071A00218ABEF219F64CC49FEA7BA9FF18354F10412AF95CE7285D771DA80DB91

Function 0084BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084BCFD
IsMenu.USER32(00000000), ref: 0084BD1D
CreatePopupMenu.USER32 ref: 0084BD53
GetMenuItemCount.USER32(012D7F58), ref: 0084BDA4
InsertMenuItemW.USER32(012D7F58,?,00000001,00000030), ref: 0084BDCC

Strings

2, xrefs: 0084BD37
0, xrefs: 0084BCA8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ee2e72cebd9ecd93e721309679d7ab5aeba993e3405db9f5446200b153d2fe8c
Instruction ID: 2b559812b7b6c7ab99010c01a376306a2633bb940ed42271bf3e61ccf118dd34
Opcode Fuzzy Hash: ee2e72cebd9ecd93e721309679d7ab5aeba993e3405db9f5446200b153d2fe8c
Instruction Fuzzy Hash: C5519B70A0020D9BDF20CFA8D888BAEBBF8FF55354F1442A9E415EB290D770D945CB62

Function 0084C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0084C913

Strings

blank, xrefs: 0084C895
question, xrefs: 0084C8CC
info, xrefs: 0084C8B4
stop, xrefs: 0084C8E4
warning, xrefs: 0084C8FC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9c26ac506fa7ffc7ae042668fa82fddd263f770163518e6e6147b10fb61be43b
Instruction ID: 78dc0f261786025e33ab514703039d9b335f4c5134b8ec551177945f04b1accf
Opcode Fuzzy Hash: 9c26ac506fa7ffc7ae042668fa82fddd263f770163518e6e6147b10fb61be43b
Instruction Fuzzy Hash: 2211EB3278A31EBAF7456B589C83CAA6F9CFF15358B10002BF504E62C2EB789D405265

Function 0084DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0084DE42
gethostname.WSOCK32(?,00000100), ref: 0084DE5C
gethostbyname.WSOCK32(?), ref: 0084DE69
inet_ntoa.WSOCK32(?), ref: 0084DEAB
_strcat.LIBCMT ref: 0084DEB9
WSACleanup.WSOCK32 ref: 0084DEDE

Strings

0.0.0.0, xrefs: 0084DE87

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: c9aea59e41c6310e4b49f5cac79e9d211753aaf7ae2998688e995b3a2f0ebbc9
Instruction ID: 9ff3bb1f684a7eb0ac3c00c42ed21626c2629246752612c93eccf1f5a3868c9d
Opcode Fuzzy Hash: c9aea59e41c6310e4b49f5cac79e9d211753aaf7ae2998688e995b3a2f0ebbc9
Instruction Fuzzy Hash: F511E17190420CABCB24AB68DC4AEEE77ACFF11711F0001BDF549EB091EF74CA818A61

Function 00879F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetSystemMetrics.USER32(0000000F), ref: 00879FC7
GetSystemMetrics.USER32(0000000F), ref: 00879FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0087A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0087A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0087A263
ShowWindow.USER32(00000003,00000000), ref: 0087A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0087A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0087A2CA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 10b4ed1caf43a4f6e9fa02794e9fa933754c7cb501a26ae42d0cede84c3ef020
Instruction ID: f15a78cabcee11802d8908c67cbab81da887cdb9c3d40d9fdc4702bff04cbe27
Opcode Fuzzy Hash: 10b4ed1caf43a4f6e9fa02794e9fa933754c7cb501a26ae42d0cede84c3ef020
Instruction Fuzzy Hash: C0B15A31600215DBDF18CF68C9897AE7BB2FB84711F18C069EC49DB29ADB31E940CB61

Function 0084ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0084ED2A
_wcslen.LIBCMT ref: 0084ED3B
_wcslen.LIBCMT ref: 0084ED79
_wcslen.LIBCMT ref: 0084EDAF
_wcslen.LIBCMT ref: 0084EDDF
_wcslen.LIBCMT ref: 0084EDEF
_wcslen.LIBCMT ref: 0084EE2B
_wcslen.LIBCMT ref: 0084EE5A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6c12e9eeee9cd327ff02d9cf7ea488047a93fc07349b29ecf3c4ec669a6ff902
Instruction ID: 415d235074362f1b4fe0af84dd47a9330125db818b24630208d44ded965cfd12
Opcode Fuzzy Hash: 6c12e9eeee9cd327ff02d9cf7ea488047a93fc07349b29ecf3c4ec669a6ff902
Instruction Fuzzy Hash: 60413065C1021875CB51EBF88C8AACFB7A8FF45710F508566E918E3162FB34E265C3A6

Function 007FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 007FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0083F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0083F454

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51ff83effd6c61de1ad26f16cc54602775b6b5d34ee5bc212c53ea0b4ff7ed70
Instruction ID: 85d2c17e8209184094eb0597b99c3ea8a932879e87e7f25a651b06478aa80ae8
Opcode Fuzzy Hash: 51ff83effd6c61de1ad26f16cc54602775b6b5d34ee5bc212c53ea0b4ff7ed70
Instruction Fuzzy Hash: 2D41C631608688FAC729DB29888C7367A91BF96314F54453DE247D6761CAB9B880CB91

Function 00872D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00872D1B
GetDC.USER32(00000000), ref: 00872D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00872D2E
ReleaseDC.USER32(00000000,00000000), ref: 00872D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00872D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00872D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00875A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00872DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00872DE1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 06a28ee64fd8386bfcf5fe2993d7cf5d025c8138b3da8605041bac79a728bf58
Instruction ID: eaf1a2c89650aa0d7c2af99f58008c4b0af29473ba7b5224999051149afe19f7
Opcode Fuzzy Hash: 06a28ee64fd8386bfcf5fe2993d7cf5d025c8138b3da8605041bac79a728bf58
Instruction Fuzzy Hash: 4C317A72201214ABEB218F548C8AFEB3FA9FB19751F044059FE0CDA295C675D880CBA0

Function 00845622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00845637
_memcmp.LIBVCRUNTIME ref: 00845659
_memcmp.LIBVCRUNTIME ref: 00845671
_memcmp.LIBVCRUNTIME ref: 00845684
_memcmp.LIBVCRUNTIME ref: 0084569E
_memcmp.LIBVCRUNTIME ref: 008456B1
_memcmp.LIBVCRUNTIME ref: 008456C9
_memcmp.LIBVCRUNTIME ref: 008456E4

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 948f24c427670d11f7398e6f510c6b732b278ad255ab998690c6c819341bc27f
Instruction ID: 63c512c54e972cf32a3e1d351811f9488d167908bd60d05677ffc1054201324c
Opcode Fuzzy Hash: 948f24c427670d11f7398e6f510c6b732b278ad255ab998690c6c819341bc27f
Instruction Fuzzy Hash: F421D061641A1D7BD61456258E82FBE334CFF713A8B464020FE08DA787F728ED1185A6

Function 00864FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00865007
NULL Pointer assignment, xrefs: 0086502E, 00865383

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f633173332cb5a9a2de9a30bc139fd33bd0071f388980a77b9eaa47384d2cd7a
Instruction ID: bc97493e9b871ccd11dc08ece42cecdf8d791937e65d3dd5f9bf2f704e8ab20d
Opcode Fuzzy Hash: f633173332cb5a9a2de9a30bc139fd33bd0071f388980a77b9eaa47384d2cd7a
Instruction Fuzzy Hash: 5ED19C71A0060AAFDB10CFA8C891BAEB7B5FF49344F168069E915EB381E771DD45CB90

Function 00821522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008215CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00821651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008217FB,?,008217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008216E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008216FB

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00821777
__freea.LIBCMT ref: 008217A2
__freea.LIBCMT ref: 008217AE

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 05ddc0a3f3fd0e5606ed63594a902941b1af3ee29ce15fa58385cfc16ea4b634
Instruction ID: efbe6ac748b1bd9d4437cea962b55afdee9d85ce9928ae2ffca30443c5342d22
Opcode Fuzzy Hash: 05ddc0a3f3fd0e5606ed63594a902941b1af3ee29ce15fa58385cfc16ea4b634
Instruction Fuzzy Hash: BF91C571E002269EDF208E64ED89AEE7BB5FFA5714F280569E805E7145DB35CDC0C7A0

Function 00864523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00864648
VariantInit.OLEAUT32(?), ref: 00864749
VariantClear.OLEAUT32(?), ref: 00864753
VariantClear.OLEAUT32(?), ref: 008647B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008645D8, 00864706, 008647BE
Incorrect Object type in FOR..IN loop, xrefs: 0086472C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 47b91326c406f5c4e8581e9f21188ef86e2a2eaefde44d714b5ebfe09c2a1766
Instruction ID: dcaaeab07e9fa6a1f51cc583cd8e28e467a54ef01e225d0b63f8c554d337b6c7
Opcode Fuzzy Hash: 47b91326c406f5c4e8581e9f21188ef86e2a2eaefde44d714b5ebfe09c2a1766
Instruction Fuzzy Hash: E2918871A00219ABDF20CFA5CC88FAEBBB8FF46714F119559F516EB280D7709945CBA0

Function 00851187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0085125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00851284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0085135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00851430

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6326e47243f40eadcaf5daf40e0b865558be6f429803cd662b75215399a800fc
Instruction ID: 8c4d18d2379d0cda8275dd921a478574fd429b5650596d047a87a23701c33eb4
Opcode Fuzzy Hash: 6326e47243f40eadcaf5daf40e0b865558be6f429803cd662b75215399a800fc
Instruction Fuzzy Hash: 4391D271A00209AFDF00DF98C899BBEB7B6FF45316F104029E910E7291D778A949CB95

Function 007F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2dae5360d1d90f8138bd59ff2c041e56080ec5d91f8972e7de6b65ce69839a6a
Instruction ID: a19713b385aff9d156024d1c7950b65639b71964507cbbb16d40be4a39017beb
Opcode Fuzzy Hash: 2dae5360d1d90f8138bd59ff2c041e56080ec5d91f8972e7de6b65ce69839a6a
Instruction Fuzzy Hash: E8912771D04219EFCB14CFA9C888AEEBBB8FF49320F144459E615B7391D378A951CBA0

Function 00863947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0086396B
CharUpperBuffW.USER32(?,?), ref: 00863A7A
_wcslen.LIBCMT ref: 00863A8A
VariantClear.OLEAUT32(?), ref: 00863C1F

Part of subcall function 00850CDF: VariantInit.OLEAUT32(00000000), ref: 00850D1F
Part of subcall function 00850CDF: VariantCopy.OLEAUT32(?,?), ref: 00850D28
Part of subcall function 00850CDF: VariantClear.OLEAUT32(?), ref: 00850D34

Strings

Incorrect Parameter format, xrefs: 008639A6, 00863BA1
AUTOIT.ERROR, xrefs: 00863A80, 00863A85

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8a6e2e350a93d5848cea7b55374a4559b92b2a9ce7e54880297d4fd8f535a39e
Instruction ID: b6905e7a17bfbdb4c49118b1e3db0e469041d9db721dd83968a2763bf20eec05
Opcode Fuzzy Hash: 8a6e2e350a93d5848cea7b55374a4559b92b2a9ce7e54880297d4fd8f535a39e
Instruction Fuzzy Hash: C4913F756083459FC704EF68C48492ABBE5FF89314F14882EF88A9B351DB30EE45CB92

Function 00864BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0084000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?,?,0084035E), ref: 0084002B
Part of subcall function 0084000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840046
Part of subcall function 0084000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840054
Part of subcall function 0084000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?), ref: 00840064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00864C51
_wcslen.LIBCMT ref: 00864D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00864DCF
CoTaskMemFree.OLE32(?), ref: 00864DDA

Strings

NULL Pointer assignment, xrefs: 00864E23, 00864E52

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 94225b4d63e8aa55242c02cd2464d380557af862a2b88559467745aea75c85c6
Instruction ID: 6cd1da9b4d9177b610af583534cf667de249044d6fba2499c254222432ee1bd0
Opcode Fuzzy Hash: 94225b4d63e8aa55242c02cd2464d380557af862a2b88559467745aea75c85c6
Instruction Fuzzy Hash: 89912571D0021DEFDF14DFA4C885AEEB7B9FF08310F108169E919AB251EB34AA448F61

Function 008720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00872183
GetMenuItemCount.USER32(00000000), ref: 008721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008721DD
_wcslen.LIBCMT ref: 00872213
GetMenuItemID.USER32(?,?), ref: 0087224D
GetSubMenu.USER32(?,?), ref: 0087225B

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008722E3

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4bcdb34f983338b5e252d1c97ed112169bec8e101f2d21c8339e9f7f41322d96
Instruction ID: dc9999910237595b2141a7766e26e4c42915a652aa8c0a7b74c3da3bf3dbbb96
Opcode Fuzzy Hash: 4bcdb34f983338b5e252d1c97ed112169bec8e101f2d21c8339e9f7f41322d96
Instruction Fuzzy Hash: F9718175A00219EFCB10DF69C885AAEB7F5FF48310F148499E91AEB355DB34EE418B90

Function 00877E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012D7DF0), ref: 00877F37
IsWindowEnabled.USER32(012D7DF0), ref: 00877F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0087801E
SendMessageW.USER32(012D7DF0,000000B0,?,?), ref: 00878051
IsDlgButtonChecked.USER32(?,?), ref: 00878089
GetWindowLongW.USER32(012D7DF0,000000EC), ref: 008780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008780C3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4cc3e26f8a8af76e807916baf284bdd841d8ea2ececdd3f3ea1a951d72f1dae1
Instruction ID: 79760e73f17b5c9715be829e337d232370985b505fd6106519c5f9973eb069ff
Opcode Fuzzy Hash: 4cc3e26f8a8af76e807916baf284bdd841d8ea2ececdd3f3ea1a951d72f1dae1
Instruction Fuzzy Hash: EC719C34608644EFEF21DF64C998FAABBB5FF19300F148459E949D7269CB31E884CB20

Function 0084AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0084AEF9
GetKeyboardState.USER32(?), ref: 0084AF0E
SetKeyboardState.USER32(?), ref: 0084AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0084AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0084AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0084AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0084B020

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d977ad0d4ef500abc643e22d1c104d7ad3a545b72cd0bc99bb738dc92e07cc4a
Instruction ID: 1d2f8890be79c85f34a3cdde0cb773c34cca3a89ee3afc004e384490e5339b4c
Opcode Fuzzy Hash: d977ad0d4ef500abc643e22d1c104d7ad3a545b72cd0bc99bb738dc92e07cc4a
Instruction Fuzzy Hash: D051C5A06447D93DFB3A43348845BBB7E99BB06304F088489E1E9D94C2D7D9EDC8D751

Function 0084ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0084AD19
GetKeyboardState.USER32(?), ref: 0084AD2E
SetKeyboardState.USER32(?), ref: 0084AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0084ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0084ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0084AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0084AE38

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a363dcf4fe15e9aed67c3ecb603ef65d7264330a73f753ede2908c51b942068d
Instruction ID: 1223607b735b8aef861ac1005073967ccf30edb518fac3f1efc7ca739ba06d5e
Opcode Fuzzy Hash: a363dcf4fe15e9aed67c3ecb603ef65d7264330a73f753ede2908c51b942068d
Instruction Fuzzy Hash: 2651E8A19887D93DFB3A83748C85B7A7E98FB45304F08848DE1E5CE8C2D294EC84D752

Function 0081542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00823CD6,?,?,?,?,?,?,?,?,00815BA3,?,?,00823CD6,?,?), ref: 00815470
__fassign.LIBCMT ref: 008154EB
__fassign.LIBCMT ref: 00815506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00823CD6,00000005,00000000,00000000), ref: 0081552C
WriteFile.KERNEL32(?,00823CD6,00000000,00815BA3,00000000,?,?,?,?,?,?,?,?,?,00815BA3,?), ref: 0081554B
WriteFile.KERNEL32(?,?,00000001,00815BA3,00000000,?,?,?,?,?,?,?,?,?,00815BA3,?), ref: 00815584

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 382d100350069f5653bbbba838679678f10d4d4f11cb27c8b9b01b402966df7e
Instruction ID: ac43e28ba7ab20140fd4ae0c39dd6f31d1bf47eb4342a71fe60599a9c2a09044
Opcode Fuzzy Hash: 382d100350069f5653bbbba838679678f10d4d4f11cb27c8b9b01b402966df7e
Instruction Fuzzy Hash: B3518FB1A00649DFDB10CFA8D895AEEBBFEFF49300F14415AE555E7291D630AA81CB60

Function 00802D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00802D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00802D53
_ValidateLocalCookies.LIBCMT ref: 00802DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00802E0C
_ValidateLocalCookies.LIBCMT ref: 00802E61

Strings

csm, xrefs: 00802DF6

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 82d8c907a3eb99d792ba45aa903e185798f67a6899206a4d07e5e303e9141d15
Instruction ID: b90b9141ef50f689391b06b2a28174b9df94484af2fc1016b6fd40cf65808de7
Opcode Fuzzy Hash: 82d8c907a3eb99d792ba45aa903e185798f67a6899206a4d07e5e303e9141d15
Instruction Fuzzy Hash: 69416E34A0020DABCF50DF68CC49A9EBBA5FF45324F1481A5EC14EB292D7B1AE15CB91

Function 008610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
Part of subcall function 0086304E: _wcslen.LIBCMT ref: 0086309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00861112
WSAGetLastError.WSOCK32 ref: 00861121
WSAGetLastError.WSOCK32 ref: 008611C9
closesocket.WSOCK32(00000000), ref: 008611F9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: dd5adc48e243384b5b0ab7affd2a199231e4545befab87ed32fa0bb4b5ca5159
Instruction ID: 7059876b12753616121f4e5660e5ac760a718881f7a75368b67a973723f7c85b
Opcode Fuzzy Hash: dd5adc48e243384b5b0ab7affd2a199231e4545befab87ed32fa0bb4b5ca5159
Instruction Fuzzy Hash: A341F631600204AFDB109F14C888BA9B7E9FF46364F198059F919DB296C774ED81CBE1

Function 0084CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0084CF22,?), ref: 0084DDFD

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0084CF22,?), ref: 0084DE16

lstrcmpiW.KERNEL32(?,?), ref: 0084CF45
MoveFileW.KERNEL32(?,?), ref: 0084CF7F
_wcslen.LIBCMT ref: 0084D005
_wcslen.LIBCMT ref: 0084D01B
SHFileOperationW.SHELL32(?), ref: 0084D061

Strings

\*.*, xrefs: 0084CFF3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 87f8263f7fd9ac2244c2df3e3fd251b2b8433eed656bbc397bfcfda5369693f2
Instruction ID: 0e4787c3c6c57d44d469129927708ca09d6709293e2d9429c059d0277d16b1dc
Opcode Fuzzy Hash: 87f8263f7fd9ac2244c2df3e3fd251b2b8433eed656bbc397bfcfda5369693f2
Instruction Fuzzy Hash: C341437194621C9EDF52EBA4C981ADEB7BCFF08340F1000A6E509EB151EE75A688CB51

Function 00872DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00872E1C
GetWindowLongW.USER32(?,000000F0), ref: 00872E4F
GetWindowLongW.USER32(?,000000F0), ref: 00872E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00872EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00872EE0
GetWindowLongW.USER32(?,000000F0), ref: 00872EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00872F0B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 78a2fcaf0cce06e8e2a8c1b286c4c3e12092742fe1150d272c21683591a70a5d
Instruction ID: c93e49a65527d860d00bdef75f7d25be90de37a0b937d959a494a2ea10a4abd6
Opcode Fuzzy Hash: 78a2fcaf0cce06e8e2a8c1b286c4c3e12092742fe1150d272c21683591a70a5d
Instruction Fuzzy Hash: 043114326041409FDB20CF58DC98F6937E0FB6A710F5541A8F949CF2BACB71E8809B41

Function 00847726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0084778F
SysAllocString.OLEAUT32(00000000), ref: 00847792
SysAllocString.OLEAUT32(?), ref: 008477B0
SysFreeString.OLEAUT32(?), ref: 008477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008477DE
SysAllocString.OLEAUT32(?), ref: 008477EC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5aac863be2bc7c01c3fb996ff6770f8277484a6e24bf9d8a8855f34a78305743
Instruction ID: 38f61a5abb8c3f9fd7214ba21aa5e3e8b18286f82573f5d2399856937f0362b4
Opcode Fuzzy Hash: 5aac863be2bc7c01c3fb996ff6770f8277484a6e24bf9d8a8855f34a78305743
Instruction Fuzzy Hash: DA21B07660421DAFDB10DFA8CC88CBB77ACFB093647408029FA19DB260D770DC8187A4

Function 008477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847868
SysAllocString.OLEAUT32(00000000), ref: 0084786B
SysAllocString.OLEAUT32 ref: 0084788C
SysFreeString.OLEAUT32 ref: 00847895
StringFromGUID2.OLE32(?,?,00000028), ref: 008478AF
SysAllocString.OLEAUT32(?), ref: 008478BD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f15ac8d494950b7d7916e82d039f5b2875b1951ff4c7d96f09a0d787bdee8564
Instruction ID: c3a5e87586a9ffe28cc370fc8df619d23a51879c04a2c7abf040d9aacb9d212d
Opcode Fuzzy Hash: f15ac8d494950b7d7916e82d039f5b2875b1951ff4c7d96f09a0d787bdee8564
Instruction Fuzzy Hash: 9E213075608208AFDB109FA8DC8CDAA77ECFB097647108135F915DB2A5DB74DC81CB68

Function 008504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0085052E

Strings

nul, xrefs: 00850567

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8278584bc34e1f5cba8da0b838b284fae77cda81b51382d1cd444e1737da5faf
Instruction ID: 83f905a1e4d3e89b8125a950f78813a81de2768c57a9c0297631a02bc018f8bd
Opcode Fuzzy Hash: 8278584bc34e1f5cba8da0b838b284fae77cda81b51382d1cd444e1737da5faf
Instruction Fuzzy Hash: AF218D71500305ABDB208F69DC08A9A77A4FF45726F204A19FCA1E72E0E770D948CF20

Function 008505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00850601

Strings

nul, xrefs: 00850639

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 72bad901b4169e70d8bf64fd2d5bc6e4c6ef214c0483c37db6632add509f45a3
Instruction ID: 13cd98fbdf12a21674ecfe85a53b8d4b163b06effbd8b659c10d304a9f6f6be8
Opcode Fuzzy Hash: 72bad901b4169e70d8bf64fd2d5bc6e4c6ef214c0483c37db6632add509f45a3
Instruction Fuzzy Hash: 4221B5755003059BDB208F68CC04A9A77E4FFA5726F200A19FCA2E72E0D770D968CF10

Function 008740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
Part of subcall function 007E600E: GetStockObject.GDI32(00000011), ref: 007E6060
Part of subcall function 007E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00874112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0087411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0087412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00874139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00874145

Strings

Msctls_Progress32, xrefs: 008740E3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b359310292697d1f6ceadfb0eec1c07e61c7717b406a050d32f5c35c3cb78e05
Instruction ID: a2119c727df98930d3a2758ac02b35d5606d002197b0885ba256e1fa746acd48
Opcode Fuzzy Hash: b359310292697d1f6ceadfb0eec1c07e61c7717b406a050d32f5c35c3cb78e05
Instruction Fuzzy Hash: 93118EB2140219BEEF119E64CC85EE77F9DFF18798F008110BA18E6150C776DC619BA4

Function 0081D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0081D7A3: _free.LIBCMT ref: 0081D7CC

_free.LIBCMT ref: 0081D82D

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081D838
_free.LIBCMT ref: 0081D843
_free.LIBCMT ref: 0081D897
_free.LIBCMT ref: 0081D8A2
_free.LIBCMT ref: 0081D8AD
_free.LIBCMT ref: 0081D8B8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0c2e248ae79b415458958c0f75f7ae5c14e74e9785f316ad4640c974c292452
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 25115E71540B04AAD621BFB8CC47FCB7BDCFF00710F440C25B299EA0D2DAA5B5A58662

Function 0084DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0084DA74
LoadStringW.USER32(00000000), ref: 0084DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0084DA91
LoadStringW.USER32(00000000), ref: 0084DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0084DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0084DAB9

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3ce6f89a478c81369c7d0eca4bcc648e55188cf083ab8672fc398a96ee6e55bd
Instruction ID: 26987e41079f3506f5ab850363046a2d5adcaf1dce427a58ebea17db5f78e7c1
Opcode Fuzzy Hash: 3ce6f89a478c81369c7d0eca4bcc648e55188cf083ab8672fc398a96ee6e55bd
Instruction Fuzzy Hash: CF014FF25002187FE711ABA49D89EEB366CF708705F4044A9B75AE3045EA749EC44B75

Function 0085096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012D09B0,012D09B0), ref: 0085097B
EnterCriticalSection.KERNEL32(012D0990,00000000), ref: 0085098D
TerminateThread.KERNEL32(?,000001F6), ref: 0085099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008509A9
CloseHandle.KERNEL32(?), ref: 008509B8
InterlockedExchange.KERNEL32(012D09B0,000001F6), ref: 008509C8
LeaveCriticalSection.KERNEL32(012D0990), ref: 008509CF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2409dca4748c34c84a0d23cd392e528d4cb783e714b459b613429ebcb6b7803d
Instruction ID: 4e4bf8cd86897754ca003c68292cb6211db8db4fc2e5cf1120a5c42fcc54c227
Opcode Fuzzy Hash: 2409dca4748c34c84a0d23cd392e528d4cb783e714b459b613429ebcb6b7803d
Instruction Fuzzy Hash: 38F03132442502BBD7415F94EE8CBD6BB35FF01702F441029F205A28AAC774D4A5CF90

Function 00861C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00861DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00861DE1
WSAGetLastError.WSOCK32 ref: 00861DF2
htons.WSOCK32(?,?,?,?,?), ref: 00861EDB
inet_ntoa.WSOCK32(?), ref: 00861E8C

Part of subcall function 008439E8: _strlen.LIBCMT ref: 008439F2

Part of subcall function 00863224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0085EC0C), ref: 00863240

_strlen.LIBCMT ref: 00861F35

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 28ff55e5f911855e8bec36033eb46ba936504a03a3f7e653f595f5f03675f5f0
Instruction ID: 4b6a1a2323e3e9a2455cf413bd48f2b00fbd7eb07372fa011dd5a8086fd93691
Opcode Fuzzy Hash: 28ff55e5f911855e8bec36033eb46ba936504a03a3f7e653f595f5f03675f5f0
Instruction Fuzzy Hash: 28B1C031204340AFC724DF24C889E2A7BA5FF89318F59895CF5569B2A3CB31ED41CB92

Function 007E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007E5D30
GetWindowRect.USER32(?,?), ref: 007E5D71
ScreenToClient.USER32(?,?), ref: 007E5D99
GetClientRect.USER32(?,?), ref: 007E5ED7
GetWindowRect.USER32(?,?), ref: 007E5EF8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d9bc6b9d151e8fc6d1636e0b23cd190e912a12a5f861e36c121339f1fbded849
Instruction ID: 6a3bc4075ffddfe1c2e8bf521265e2f8b8395311d896635a08f1ba735c0ff087
Opcode Fuzzy Hash: d9bc6b9d151e8fc6d1636e0b23cd190e912a12a5f861e36c121339f1fbded849
Instruction Fuzzy Hash: 37B17A34A1078ADBDB10CFA9C4807EEB7F1FF58314F14951AE8A9D7250DB34AA91DB60

Function 008101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008100D6
__allrem.LIBCMT ref: 008100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0081010B
__allrem.LIBCMT ref: 00810122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00810140

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: dd905c0ea718aa1b6b6e980c93d618cd4f1edcc419db5fa8d94d0e8f8a464bc0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1181F671A00B06ABE7209A6CDC41BAA73ECFF55324F248539F551D66C2EFB4D9C08B51

Function 008161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008082D9,008082D9,?,?,?,0081644F,00000001,00000001,8BE85006), ref: 00816258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0081644F,00000001,00000001,8BE85006,?,?,?), ref: 008162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008163D8
__freea.LIBCMT ref: 008163E5

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

__freea.LIBCMT ref: 008163EE
__freea.LIBCMT ref: 00816413

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1e8b1784a32b150297ad2c7de7d99a3ac343cc45f5a0c61994a3ca755c55fa3c
Instruction ID: d78d6b53409409b7f299161941eb75a350a7a26b73c07b12ff1364eb0e55a97b
Opcode Fuzzy Hash: 1e8b1784a32b150297ad2c7de7d99a3ac343cc45f5a0c61994a3ca755c55fa3c
Instruction Fuzzy Hash: F251DE72A00216ABEB258F68DC81EEF77AEFF44710F144229F855D6240EB34DCE0C6A0

Function 0086BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086BD25
RegCloseKey.ADVAPI32(00000000), ref: 0086BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0086BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0086BDF3
RegCloseKey.ADVAPI32(?), ref: 0086BDFF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 099422029ba9990d4ae4596a2d0435fd6636869197a33abc730d184772e71ddc
Instruction ID: c9aae5847bafba938be7266a4e04a3415d83d0ce3f868ae474b6b4727c661686
Opcode Fuzzy Hash: 099422029ba9990d4ae4596a2d0435fd6636869197a33abc730d184772e71ddc
Instruction Fuzzy Hash: 81817C71208241EFD714DF24C895E2ABBE5FF84308F15895CF5598B2A2DB32ED85CB92

Function 0083F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0083F7B9
SysAllocString.OLEAUT32(00000001), ref: 0083F860
VariantCopy.OLEAUT32(0083FA64,00000000), ref: 0083F889
VariantClear.OLEAUT32(0083FA64), ref: 0083F8AD
VariantCopy.OLEAUT32(0083FA64,00000000), ref: 0083F8B1
VariantClear.OLEAUT32(?), ref: 0083F8BB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0e027deee85fcc1b9048ab4e94b74f192f3cbea55900f418ecfb6dd207e2ccae
Instruction ID: 1c39b22c2d6b5b94cc08f526c4a8e5cdb4be92fa313bf668ae1fd5e1d67fbca3
Opcode Fuzzy Hash: 0e027deee85fcc1b9048ab4e94b74f192f3cbea55900f418ecfb6dd207e2ccae
Instruction Fuzzy Hash: B151B331A00314FACF24AB65D899B29B7A4FF85314F24946AEE06DF297DB748C40C7D6

Function 0085910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008594E5
_wcslen.LIBCMT ref: 00859506
_wcslen.LIBCMT ref: 0085952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00859585

Strings

X, xrefs: 00859412

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b46f02f7079fec166d76fbe3202289dfa7ccc6515d7c7d9c72f782e35578c231
Instruction ID: 75047fefa106f65c960cef90970f38f477b2bf40efc764286ff38d87c33c0860
Opcode Fuzzy Hash: b46f02f7079fec166d76fbe3202289dfa7ccc6515d7c7d9c72f782e35578c231
Instruction Fuzzy Hash: A6E19031504340DFC724DF25C885A6AB7E0FF89314F14896DE9999B3A2EB35DD09CB92

Function 007F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

BeginPaint.USER32(?,?,?), ref: 007F9241
GetWindowRect.USER32(?,?), ref: 007F92A5
ScreenToClient.USER32(?,?), ref: 007F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007F92D3
EndPaint.USER32(?,?,?,?,?), ref: 007F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008371EA

Part of subcall function 007F9339: BeginPath.GDI32(00000000), ref: 007F9357

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 48a1fcf94b5a182ada5ffea7ca6809bee3af7ccff0b77fec9c42b1e36e265a37
Instruction ID: 3aa5b456e222b03febeafc343b060e2648aa0248c4e269fd6e702c4467d06d49
Opcode Fuzzy Hash: 48a1fcf94b5a182ada5ffea7ca6809bee3af7ccff0b77fec9c42b1e36e265a37
Instruction Fuzzy Hash: 56418E71104245EFDB21DF24C898FBA7BA8FF95724F140229FB64CB2A1C7359845DB61

Function 008507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0085080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00850847
EnterCriticalSection.KERNEL32(?), ref: 00850863
LeaveCriticalSection.KERNEL32(?), ref: 008508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00850921

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 92abe0ca711786aa1a8549198f5598132ffdd837d1e41f5d111f46dfa8d8b6fa
Instruction ID: 6f97ef6d96a542d15b158290d4d1a08aa867add8f638ab91f28ddbfac02e8cf2
Opcode Fuzzy Hash: 92abe0ca711786aa1a8549198f5598132ffdd837d1e41f5d111f46dfa8d8b6fa
Instruction Fuzzy Hash: 9E415671900209EBDF14AF54DC89A6A77B8FF04311F1440A9ED04EA2ABDB30DE64DBA0

Function 008781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0083F3AB,00000000,?,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0087824C
EnableWindow.USER32(?,00000000), ref: 00878272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008782D1
ShowWindow.USER32(?,00000004), ref: 008782E5
EnableWindow.USER32(?,00000001), ref: 0087830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0087832F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1401ddbfe5a9b41c42bc2fed0e45534051c322070f816c046c182ca47b0a2105
Instruction ID: de82b4b26668ff51263145e62f842730f33a27a73efa71d96023b6e0016e29d5
Opcode Fuzzy Hash: 1401ddbfe5a9b41c42bc2fed0e45534051c322070f816c046c182ca47b0a2105
Instruction Fuzzy Hash: 2A415034641644EFDF15CF29D89DBA47BE1FB0A715F588269E60C8F266CB31E841CB50

Function 00844C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00844C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00844CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00844CEA
_wcslen.LIBCMT ref: 00844D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00844D10
_wcsstr.LIBVCRUNTIME ref: 00844D1A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 25c034091d250061594786e1cb57b37a294cf67936b32226c5960ae782e781f4
Instruction ID: 59adf0afb591ad00b2beb4c5651ccd9bda64c61355d7722de1a4430d0bd741da
Opcode Fuzzy Hash: 25c034091d250061594786e1cb57b37a294cf67936b32226c5960ae782e781f4
Instruction Fuzzy Hash: 41212632604208BBEB555B39AC89F7B7B9CFF55750F10903DF909CB1A2EE65CC4082A0

Function 0085581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

_wcslen.LIBCMT ref: 0085587B
CoInitialize.OLE32(00000000), ref: 00855995
CoCreateInstance.OLE32(0087FCF8,00000000,00000001,0087FB68,?), ref: 008559AE
CoUninitialize.OLE32 ref: 008559CC

Strings

.lnk, xrefs: 00855876, 008558C1, 00855985

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b2b66685cf6b33fa1418e2ad1d64b1857af068d2eb8985df6e1496ba903f4aa7
Instruction ID: b479b66013b5bc8ab82eb19e1416ecb97e0c60284e8a7188a07ee44be5a8523c
Opcode Fuzzy Hash: b2b66685cf6b33fa1418e2ad1d64b1857af068d2eb8985df6e1496ba903f4aa7
Instruction Fuzzy Hash: 31D15171608601DFC714DF25C498A2ABBE1FF89721F148859F88ADB361DB35EC49CB92

Function 0084175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00840FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00840FCA
Part of subcall function 00840FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00840FD6
Part of subcall function 00840FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00840FE5
Part of subcall function 00840FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00840FEC
Part of subcall function 00840FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00841002

GetLengthSid.ADVAPI32(?,00000000,00841335), ref: 008417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008417BA
HeapAlloc.KERNEL32(00000000), ref: 008417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008417DA
GetProcessHeap.KERNEL32(00000000,00000000,00841335), ref: 008417EE
HeapFree.KERNEL32(00000000), ref: 008417F5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c75fda0039c7b223092ffcc4c021c85a10fe29f6ab225b55b4cc663598acb7fe
Instruction ID: d6ed9b095d690e830213667f2d484a6ae3c2fe0181acc871003a83d5765c3940
Opcode Fuzzy Hash: c75fda0039c7b223092ffcc4c021c85a10fe29f6ab225b55b4cc663598acb7fe
Instruction Fuzzy Hash: 7C117C31510609EFDF109FA4CC4DBAE7BA9FB45359F144028F445D7218D739E984CB60

Function 008414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00841506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00841515
CloseHandle.KERNEL32(00000004), ref: 00841520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00841563

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9142b2c99a0a9b08e0a644d5ef19c1bff34fde7ddc00d804de4701aeb9b7ff64
Instruction ID: c69e216803b7e339a893abff824d5174544748a0d2e79f5ca78089fef470b89d
Opcode Fuzzy Hash: 9142b2c99a0a9b08e0a644d5ef19c1bff34fde7ddc00d804de4701aeb9b7ff64
Instruction Fuzzy Hash: 5F11E77250120DABDF118F98DD4DBDA7BA9FB49744F054019FA09A2160C375CEA59B60

Function 00803382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00803379,00802FE5), ref: 00803390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0080339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008033B7
SetLastError.KERNEL32(00000000,?,00803379,00802FE5), ref: 00803409

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2ac4239340f151beefc116b63a337a8fde22bf777ecf3d8aa7f5752d6a05f549
Instruction ID: 2398ef2257623ce2d0bb5eb62ba6aae772142261b759edd0843fcbe7b9bda199
Opcode Fuzzy Hash: 2ac4239340f151beefc116b63a337a8fde22bf777ecf3d8aa7f5752d6a05f549
Instruction Fuzzy Hash: 0401D432609B11BEF7A527787CC5A672A9CFB26379720022DF620C52F0FF224D416644

Function 00812D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00815686,00823CD6,?,00000000,?,00815B6A,?,?,?,?,?,0080E6D1,?,008A8A48), ref: 00812D78
_free.LIBCMT ref: 00812DAB
_free.LIBCMT ref: 00812DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0080E6D1,?,008A8A48,00000010,007E4F4A,?,?,00000000,00823CD6), ref: 00812DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0080E6D1,?,008A8A48,00000010,007E4F4A,?,?,00000000,00823CD6), ref: 00812DEC
_abort.LIBCMT ref: 00812DF2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: dcb22f5672215eb07dfcdfdfdbb5a89e7044d3a9ef395b75da0d83ef4e6ec000
Instruction ID: 34c839a81232a33393f7d3d4019d0ed389d947dfcbc19da8d990eadafbe972e4
Opcode Fuzzy Hash: dcb22f5672215eb07dfcdfdfdbb5a89e7044d3a9ef395b75da0d83ef4e6ec000
Instruction Fuzzy Hash: 24F0A4325446046BD622373CFC0AEDA265DFFC27B5B24051CF828D22D6EF3488E14262

Function 00878A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96A2
Part of subcall function 007F9639: BeginPath.GDI32(?), ref: 007F96B9
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00878A4E
LineTo.GDI32(?,00000003,00000000), ref: 00878A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00878A70
LineTo.GDI32(?,00000000,00000003), ref: 00878A80
EndPath.GDI32(?), ref: 00878A90
StrokePath.GDI32(?), ref: 00878AA0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 546eb27db2ec3ddaf384212652be208a3acb2c5276a8c4bd9589ffd432580dcd
Instruction ID: 1e578accc8ccbdfa320a5be9dfa6ddd78f46294ef6373626741ba716c0a34e3e
Opcode Fuzzy Hash: 546eb27db2ec3ddaf384212652be208a3acb2c5276a8c4bd9589ffd432580dcd
Instruction Fuzzy Hash: 9D11F776040158FFDF129F90DC8CEAA7F6DFB08350F008026FA199A1A5C7719D95DBA0

Function 008451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00845218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00845229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00845230
ReleaseDC.USER32(00000000,00000000), ref: 00845238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0084524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00845261

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b84821f91a731f5abee7dedadc9a90a3506496c3f0b074a42db6e6d853604601
Instruction ID: 263dcf76e6a05e96e80bd6e141d25773fefa20933a7d025809fd1a59e5321975
Opcode Fuzzy Hash: b84821f91a731f5abee7dedadc9a90a3506496c3f0b074a42db6e6d853604601
Instruction Fuzzy Hash: B6014475E00718BBEB105BA59C49A5EBFB8FF54751F044069FA08E7285D670D800CFA0

Function 007E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007E1C22

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 65b7ee17f6af09367b61ec2a664ab71746e734189b6e9aca7c51d1e3fac3db61
Instruction ID: 0c61cc12923ac0594bf93937a5732f6184b8b9e86117ea77f2a6383fabde09e5
Opcode Fuzzy Hash: 65b7ee17f6af09367b61ec2a664ab71746e734189b6e9aca7c51d1e3fac3db61
Instruction Fuzzy Hash: 63016CB09027597DE3008F5A8C85B52FFA8FF19754F00411F915C47941C7F5A864CBE5

Function 0084EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0084EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0084EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0084EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB75

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4827e34b925164899c7dddf93653c4e1bf49671534ba31bf4f7c8ef6c364bce
Instruction ID: 78b3d6927c95a9b7a1e6ca463a44548794ee7cb5f41969c2d0312955cfd4d530
Opcode Fuzzy Hash: a4827e34b925164899c7dddf93653c4e1bf49671534ba31bf4f7c8ef6c364bce
Instruction Fuzzy Hash: 55F09A72200118BBE7205B629C4EEEF3A7CFFCBB11F00016CF605E2090D7A09A41CAB4

Function 00837439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00837452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00837469
GetWindowDC.USER32(?), ref: 00837475
GetPixel.GDI32(00000000,?,?), ref: 00837484
ReleaseDC.USER32(?,00000000), ref: 00837496
GetSysColor.USER32(00000005), ref: 008374B0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1fdaac0a05a75976477bfa4bf9deeecdc764ac82db828d6120396c4989e5ad99
Instruction ID: 15f64608ccf4a4861602e49c6fca95b0dfc89ea3ee674dc11d283ecadb99e6a5
Opcode Fuzzy Hash: 1fdaac0a05a75976477bfa4bf9deeecdc764ac82db828d6120396c4989e5ad99
Instruction Fuzzy Hash: F4016D31404219EFDB615F64DC0CBAA7BB5FF54311F510168FA1AA31A1CB31AE91EB50

Function 00841874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0084187F
UnloadUserProfile.USERENV(?,?), ref: 0084188B
CloseHandle.KERNEL32(?), ref: 00841894
CloseHandle.KERNEL32(?), ref: 0084189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008418A5
HeapFree.KERNEL32(00000000), ref: 008418AC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 27f6e833bc2ce33d8df8497b3f1a4405729d76c82bbb17d37f0b4f9b44518b2c
Instruction ID: 13d21639a4706c95bf4e9ca05522ab23e0ddee261b93ae6b6701dac4c9d7dd44
Opcode Fuzzy Hash: 27f6e833bc2ce33d8df8497b3f1a4405729d76c82bbb17d37f0b4f9b44518b2c
Instruction Fuzzy Hash: A5E0E536004101BBEB015FA5ED0C90AFF39FF4AB22B508228F22992578CB32D4A0DF60

Function 0084C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0084C6EE
_wcslen.LIBCMT ref: 0084C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0084C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0084C7CA

Strings

0, xrefs: 0084C6AF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b1539ed4763db4f360abbf8b11bee786f78532b40bc5ee8a6f2883dfeb70d161
Instruction ID: 57c17448c8d8effd5fd15bf7531f810291048fae96b2ac25fed887711bf34bdf
Opcode Fuzzy Hash: b1539ed4763db4f360abbf8b11bee786f78532b40bc5ee8a6f2883dfeb70d161
Instruction Fuzzy Hash: 5A51ED716063499BD7949F2CC889A6BBBECFF99314F040A2DF995D32A0DB74D804CB52

Function 0086AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0086AEA3

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

GetProcessId.KERNEL32(00000000), ref: 0086AF38
CloseHandle.KERNEL32(00000000), ref: 0086AF67

Strings

<, xrefs: 0086AE6B
@, xrefs: 0086AE72

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 53f431bcee1de97c8ed58c05b81cf7aff8f2510caf5008a9d3cefa07bc74ada0
Instruction ID: 6686b4cecc153946a0d71b07bb6a2af7df16cb7e48dd2caf709e753539582edf
Opcode Fuzzy Hash: 53f431bcee1de97c8ed58c05b81cf7aff8f2510caf5008a9d3cefa07bc74ada0
Instruction Fuzzy Hash: 7A714475A00659DFCB18DF55C488A9EBBF0FF08314F058499E816AB3A2CB75ED41CB91

Function 0084719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00847206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0084723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0084724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008472CF

Strings

DllGetClassObject, xrefs: 00847242

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a6b937e6d854b18b786f1645aa5982d05f42345482e3610c5d1fc54184f1ade1
Instruction ID: 469549396199fbf041ace072eac72c2cc05f10e4268344c15386f45c3b21a301
Opcode Fuzzy Hash: a6b937e6d854b18b786f1645aa5982d05f42345482e3610c5d1fc54184f1ade1
Instruction Fuzzy Hash: 85416D71A04218EFDB15CF64C884A9A7BA9FF44314F1480ADBD0ADF20AD7F1DA44CBA0

Function 00873D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00873E35
IsMenu.USER32(?), ref: 00873E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00873E92
DrawMenuBar.USER32 ref: 00873EA5

Strings

0, xrefs: 00873D89

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c4d54b550dff6bbc2dd8d5ccf00d9fa5343a8474aa551e9f298c8a5a4bb44adc
Instruction ID: 9ba24673c67557fdcfc3049095e1ddabeb7cbd8cabbfc3b439ba7a69887547ec
Opcode Fuzzy Hash: c4d54b550dff6bbc2dd8d5ccf00d9fa5343a8474aa551e9f298c8a5a4bb44adc
Instruction Fuzzy Hash: 02414776A01209EFDB10DF50D884AAABBB9FF49354F04812AE909EB654D730EE44EF51

Function 00841DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00841E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00841E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00841EA9

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Strings

ListBox, xrefs: 00841E25
ComboBox, xrefs: 00841DF0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: db56959d24c3cff83e05f7557e4efc1333839af47b733812798db9c23227735b
Instruction ID: 509cea564e597c2b859cc8d36160494c33e5c140fda19f9b1f3a69c0e2423e62
Opcode Fuzzy Hash: db56959d24c3cff83e05f7557e4efc1333839af47b733812798db9c23227735b
Instruction Fuzzy Hash: 5A21F376A00108EADB14ABA5DC8DCFFB7B9FF55360B10411DF925E72E1DB384D8A8620

Function 00872F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00872F8D
LoadLibraryW.KERNEL32(?), ref: 00872F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00872FA9
DestroyWindow.USER32(?), ref: 00872FB1

Strings

SysAnimate32, xrefs: 00872F68

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7d6592e1391335c820e0340add110410a4e3ff28d5a0ab8a989e2ded0cfe9ffc
Instruction ID: c459c18f59824b7b78f0ec7ce394ba57c266f5432e5bd877dc8c9dc39372cd00
Opcode Fuzzy Hash: 7d6592e1391335c820e0340add110410a4e3ff28d5a0ab8a989e2ded0cfe9ffc
Instruction Fuzzy Hash: 4A21CD72204209ABEF205F68DC84EBB37BDFB59368F108628F958D7198DB71DC919760

Function 00804D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00804D1E,008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002), ref: 00804D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00804DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00804D1E,008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000), ref: 00804DC3

Strings

CorExitProcess, xrefs: 00804D98
mscoree.dll, xrefs: 00804D86

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bd1324be46715b2ca99548c660902ab6e4b1765859025b1d26416d3c352d9559
Instruction ID: a2cbcb427fa69e08f634dfe7723895d8f14c73667f424c8b5a73ec87f79a344a
Opcode Fuzzy Hash: bd1324be46715b2ca99548c660902ab6e4b1765859025b1d26416d3c352d9559
Instruction Fuzzy Hash: 0DF04F74A40218FBDB91AF94DC49BADBBB5FF44751F4400A8FD09E22A0CB359984DF91

Function 0083D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0083D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0083D3BF
FreeLibrary.KERNEL32(00000000), ref: 0083D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0083D3B9
X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 382bb8e81433dfec3f909eae76c1e193b1cddda018444d3650af6d9e1340c803
Instruction ID: 70fd456c3e84c3165d1772dc3d2a67f931d8936afea82436a18a5946cacd27d4
Opcode Fuzzy Hash: 382bb8e81433dfec3f909eae76c1e193b1cddda018444d3650af6d9e1340c803
Instruction Fuzzy Hash: 6DF027704057248BD7B117209C1C96A3310FF50701F948069F505E7318EB34CD8086D1

Function 007E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007E4EAE
FreeLibrary.KERNEL32(00000000,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EC0

Strings

kernel32.dll, xrefs: 007E4E94
Wow64DisableWow64FsRedirection, xrefs: 007E4EA8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a9dd40376e6c687abe6e8d0d4b0760dfeb2cf12d15f3760966d8b82d9576956b
Instruction ID: 57cd3a6f8f9890f184e2c0277de009f2b3c1ca47c2d96b1d012c170a29c07cdd
Opcode Fuzzy Hash: a9dd40376e6c687abe6e8d0d4b0760dfeb2cf12d15f3760966d8b82d9576956b
Instruction Fuzzy Hash: DAE08635A025625BD2311B266C1CA5F7654BFC5B62B050129FC08D3214DB68CD4185B0

Function 007E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007E4E74
FreeLibrary.KERNEL32(00000000,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 007E4E6E
kernel32.dll, xrefs: 007E4E5B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 80226055e2b3b8dee02b856850ba1d538fdaffd05b86fa4ef2bcab4a27b160c7
Instruction ID: 793a2cb57ff71dd31337ab222d3ab16501305913e91c7db8b958968ec1308f50
Opcode Fuzzy Hash: 80226055e2b3b8dee02b856850ba1d538fdaffd05b86fa4ef2bcab4a27b160c7
Instruction Fuzzy Hash: E3D01235903AA15756221B266C1CD8F7A18FF8DB613494529B909E7218CF68CD41C5E0

Function 00852947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852C05
DeleteFileW.KERNEL32(?), ref: 00852C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00852C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852CC0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 4785de37c2c210c6e8730c0067ba53667d0286270841805cbe240db42b1cde9b
Instruction ID: 9651fd6279259144c9d46be6ce78ee26cebcbe9a95c83ba502d2fcd2e3690fbf
Opcode Fuzzy Hash: 4785de37c2c210c6e8730c0067ba53667d0286270841805cbe240db42b1cde9b
Instruction Fuzzy Hash: 9DB14E7290111DABDF21DBA4CC89EDEB7BDFF49354F1040A6F909E7141EA349A488F61

Function 0086A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0086A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0086A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0086A468
CloseHandle.KERNEL32(?), ref: 0086A63D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8de51e2325b1efe29b9c59238cecd599fdf4d58f7ec8d0a22f4ac5918141cb5c
Instruction ID: f0f8aedcbf6b87696b1cb714b8d526b873780050beb15332cb85fcea17828d94
Opcode Fuzzy Hash: 8de51e2325b1efe29b9c59238cecd599fdf4d58f7ec8d0a22f4ac5918141cb5c
Instruction Fuzzy Hash: 73A19D756043009FD724DF24C88AB2AB7E5EF88714F14881DF56ADB392DBB4EC418B92

Function 0081BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00883700), ref: 0081BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0081BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008B1270,000000FF,?,0000003F,00000000,?), ref: 0081BC36
_free.LIBCMT ref: 0081BB7F

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081BD4B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 38d05c1da0a971f1f7e24fb85bd40c6ceebc4d49024af277d488b50299aefe32
Instruction ID: 8270a2a16b34a7695ab3a670a3fe0d0375507a5ce0b85865e75019e211814305
Opcode Fuzzy Hash: 38d05c1da0a971f1f7e24fb85bd40c6ceebc4d49024af277d488b50299aefe32
Instruction Fuzzy Hash: 5F51D671904209AFCB14EF69DC859EEB7BCFF41320B50026AE565D72A1EB309E918B91

Function 0084E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0084CF22,?), ref: 0084DDFD

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0084CF22,?), ref: 0084DE16

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

lstrcmpiW.KERNEL32(?,?), ref: 0084E473
MoveFileW.KERNEL32(?,?), ref: 0084E4AC
_wcslen.LIBCMT ref: 0084E5EB
_wcslen.LIBCMT ref: 0084E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0084E650

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b9e7bfa48ecabeda75c2e50ef93f336eaa2752f87df672aeba710e42ed76891a
Instruction ID: 36c88eb228b5a50a6008ab1f74b26a972711ac01132e7956bfe26faaab27b476
Opcode Fuzzy Hash: b9e7bfa48ecabeda75c2e50ef93f336eaa2752f87df672aeba710e42ed76891a
Instruction Fuzzy Hash: 165163B24087899BC764EB94DC859DBB3DCFF94340F00491EF689D3191EF74A588876A

Function 0086B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0086BB63
RegCloseKey.ADVAPI32(?,?), ref: 0086BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0086BBB3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f795a819bbdb9bdd3a82a60fc193198dc2a1eab3c15bdbc2e65f8f185e03f2d3
Instruction ID: b956a0bd5a960cf7876b64e8df8e3ecc86c363edb608215e18fcca1d58b9e794
Opcode Fuzzy Hash: f795a819bbdb9bdd3a82a60fc193198dc2a1eab3c15bdbc2e65f8f185e03f2d3
Instruction Fuzzy Hash: F8618C31209241EFC314DF64C494E2ABBE5FF84318F55895CF4998B2A2DB31ED85CB92

Function 00848BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848BCD
VariantClear.OLEAUT32 ref: 00848C3E
VariantClear.OLEAUT32 ref: 00848C9D
VariantClear.OLEAUT32(?), ref: 00848D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00848D3B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4b51b68a779e136b62019952d925267ad1567bef8e7ba5eeb382590787c5fa90
Instruction ID: 6bdd2d303d55b573cf3bacc9669af172e06cb51ef6acf02929220a48667e0ee5
Opcode Fuzzy Hash: 4b51b68a779e136b62019952d925267ad1567bef8e7ba5eeb382590787c5fa90
Instruction Fuzzy Hash: 4A5157B5A01219EFCB14CF68C894AAAB7F8FF89314B158569E909DB354E730E911CF90

Function 00858AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00858BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00858BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00858C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00858C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00858C5F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5de50e1e3e2528fdff342e48b44f96f9b3117a70d1634348e6ea4b2a24cb023a
Instruction ID: 42a94159ce3d4f7f69f4c0e9c2b6591ee2f7bc7fe9671335c125d3347b2bf72b
Opcode Fuzzy Hash: 5de50e1e3e2528fdff342e48b44f96f9b3117a70d1634348e6ea4b2a24cb023a
Instruction Fuzzy Hash: C0515935A00618EFCB05DF65C885A6EBBF5FF48314F088099E849AB362DB35ED55CB90

Function 00868EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00868F40
GetProcAddress.KERNEL32(00000000,?), ref: 00868FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00868FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00869032
FreeLibrary.KERNEL32(00000000), ref: 00869052

Part of subcall function 007FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00851043,?,75C0E610), ref: 007FF6E6
Part of subcall function 007FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0083FA64,00000000,00000000,?,?,00851043,?,75C0E610,?,0083FA64), ref: 007FF70D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2493ebc950896fcd4c18d3ef7c332f6026f606c495b0613886ad10945cbd2c0e
Instruction ID: fecefeae26a2709ba9b212f8512ff1ed538a4e7ad7240c3b660a531d4011718d
Opcode Fuzzy Hash: 2493ebc950896fcd4c18d3ef7c332f6026f606c495b0613886ad10945cbd2c0e
Instruction Fuzzy Hash: D8515835601245DFCB11DF68C4888ADBBF1FF49324B0581A8E90AAF362DB31ED85CB91

Function 00876B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00876C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00876C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00876C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0085AB79,00000000,00000000), ref: 00876C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00876CC7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 614448b2390bb2ad5678ac0723f08e4af19108d0de1fd98a09d7c99c6dd05e11
Instruction ID: 2c89c0c91f1380f2fee84b93097bd6869acbbfa408730f89e62148355d58b62e
Opcode Fuzzy Hash: 614448b2390bb2ad5678ac0723f08e4af19108d0de1fd98a09d7c99c6dd05e11
Instruction Fuzzy Hash: 0041D635600504AFDB25CF28CC58FA97BA4FB49364F148268F89DE72E8E371ED60DA40

Function 00812051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008120C3
_free.LIBCMT ref: 008120E3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f717cc9357ff40365a6876664c51ca5cbcd4c9f6764d90f334b529b7449d5b58
Instruction ID: b526c564e1d20b40db130c0adb0238d0cad1b5132a4e63c8b204a75d9437d945
Opcode Fuzzy Hash: f717cc9357ff40365a6876664c51ca5cbcd4c9f6764d90f334b529b7449d5b58
Instruction Fuzzy Hash: 0D41D232A00604EFDB24DF78C881A9DB7A9FF89324F1545A8E615EB391DB31AD51CB81

Function 007F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F9141
ScreenToClient.USER32(00000000,?), ref: 007F915E
GetAsyncKeyState.USER32(00000001), ref: 007F9183
GetAsyncKeyState.USER32(00000002), ref: 007F919D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bcd24c7e0611c8792618bf0b5a85559397958e02f25da42b4faf8aa5bcb690f8
Instruction ID: d84cb388944dfe82fbd3692749bc5dd53df6362716338b5cc49c7c975558faa0
Opcode Fuzzy Hash: bcd24c7e0611c8792618bf0b5a85559397958e02f25da42b4faf8aa5bcb690f8
Instruction Fuzzy Hash: 87416F71A0860EFBDF159F68C848BFEB774FB45324F208229E529A3290C734A950CB91

Function 00853874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00853922
TranslateMessage.USER32(?), ref: 0085394B
DispatchMessageW.USER32(?), ref: 00853955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00853966

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 2ff40fbd3f13677d6daaca696d453963983ce23a54248f2a4bf2170970628316
Instruction ID: d68a415b9be0aff43a5be6d8d3aa6f0770a782bfd148a7836f72fe10ccf1339b
Opcode Fuzzy Hash: 2ff40fbd3f13677d6daaca696d453963983ce23a54248f2a4bf2170970628316
Instruction Fuzzy Hash: 4E31D5B05083859EEF35CB34985CBB67FE8FB06386F44056DE866C61A0E7B4968CCB11

Function 0085CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0085CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFF2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 492dc6f8cd12d4706dc7743f9988f869d95d46dae80690ff6bc22b9fd8f0b9d3
Instruction ID: 60c81d8a29788c6a803369712cb3515ca1dc4a189d4da7f8c318649b85557eff
Opcode Fuzzy Hash: 492dc6f8cd12d4706dc7743f9988f869d95d46dae80690ff6bc22b9fd8f0b9d3
Instruction Fuzzy Hash: 05313C71604309EFDB24DFA5C8889AABBF9FB14356B10446EE90AD2151DB70ED449F60

Function 00841901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00841915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008419E2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5c0d328eeab9e0e80ddb066954cacb84bf8d21ab6862494febf439d5f23eaf08
Instruction ID: 18dac9eea1b2c14ca6670ba1ac24bb30e0230f47712886b5c83f1c2b1b8e9b4b
Opcode Fuzzy Hash: 5c0d328eeab9e0e80ddb066954cacb84bf8d21ab6862494febf439d5f23eaf08
Instruction Fuzzy Hash: 0A317672A0021DAFCB048FA8C99DAAE3FA5FB14315F504229F925EB2D1C7709984CB90

Function 00875706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00875745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0087579D
_wcslen.LIBCMT ref: 008757AF
_wcslen.LIBCMT ref: 008757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00875816

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: fb29c817aa4e341347aeb8c8454828f4a0e5cfe3512d6028c0e99e75d0704cba
Instruction ID: a39636dcc97be65a2810b25cbcc6611f67c290ab6ec23881c7e58090f91aec74
Opcode Fuzzy Hash: fb29c817aa4e341347aeb8c8454828f4a0e5cfe3512d6028c0e99e75d0704cba
Instruction Fuzzy Hash: DC21A7719046189ADB208F64CC84AEE7B78FF14364F10C21AE91DEB1D8D7B0C985CF50

Function 00860930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00860951
GetForegroundWindow.USER32 ref: 00860968
GetDC.USER32(00000000), ref: 008609A4
GetPixel.GDI32(00000000,?,00000003), ref: 008609B0
ReleaseDC.USER32(00000000,00000003), ref: 008609E8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0ed06cbeaad3474bea86137b9ebb255285fddf4be9730f093f9416bbb8ff04fb
Instruction ID: 3b53d1c4521269126c7b95b6d6b77288d3068a19eabc62c8d80c049a4984a186
Opcode Fuzzy Hash: 0ed06cbeaad3474bea86137b9ebb255285fddf4be9730f093f9416bbb8ff04fb
Instruction Fuzzy Hash: 46216F35A00204AFD704EF69D889AAEBBE5FF48701F04846CE84AE7352DB70ED44CB50

Function 0081CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0081CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0081CDE9

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0081CE0F
_free.LIBCMT ref: 0081CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081CE31

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0d6396c031c0f97d0a540cb7873ed4c8c565e62949fd6221c14b4b85bc495c93
Instruction ID: b428ded0fa77fcb7fc782566cf7f37c23ca1aa826fd6871bc2f7ba4ce79936e1
Opcode Fuzzy Hash: 0d6396c031c0f97d0a540cb7873ed4c8c565e62949fd6221c14b4b85bc495c93
Instruction Fuzzy Hash: 7901D4726412157F23211ABAAC8CDBF7A6DFFC6BA1315012DF909C7200EB61CD8191B0

Function 007F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
SelectObject.GDI32(?,00000000), ref: 007F96A2
BeginPath.GDI32(?), ref: 007F96B9
SelectObject.GDI32(?,00000000), ref: 007F96E2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8ab7185ab646db76218b9ac1a87ff849f260b5a851ab74bb6b8add797336098c
Instruction ID: ab52f0986b60a8b8c68f3338ae651590c88b3cbd53c747aff0aaa014985560b7
Opcode Fuzzy Hash: 8ab7185ab646db76218b9ac1a87ff849f260b5a851ab74bb6b8add797336098c
Instruction Fuzzy Hash: 0C213D70802349EBDF119F64DC2C7B97FA8BB50355F90031AF614EB2A4D3759896CB94

Function 00845711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00845726
_memcmp.LIBVCRUNTIME ref: 00845744
_memcmp.LIBVCRUNTIME ref: 00845757
_memcmp.LIBVCRUNTIME ref: 0084576F
_memcmp.LIBVCRUNTIME ref: 00845787

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 59b82cb312e65f0fe9f9c71635ffba0cd7da54a8a12d8f1204299dad2999cd83
Instruction ID: 162c5eab3823ed9a4d52f765350934ffa018d7fb04b7fa8195e5013abf4380d4
Opcode Fuzzy Hash: 59b82cb312e65f0fe9f9c71635ffba0cd7da54a8a12d8f1204299dad2999cd83
Instruction Fuzzy Hash: 5B0196A164161DBBE60855159E42EBE635CFB613A8B008031FE18DA383F768ED11C2A1

Function 00812DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6), ref: 00812DFD
_free.LIBCMT ref: 00812E32
_free.LIBCMT ref: 00812E59
SetLastError.KERNEL32(00000000,007E1129), ref: 00812E66
SetLastError.KERNEL32(00000000,007E1129), ref: 00812E6F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8fa207762b2fe82788260c31e2be6e91e28903c9b55fb0de3d53225a379788dc
Instruction ID: 68d81c0931b819fc80fc64bea90d6278668a6408659b82ef79d49a45e9b59183
Opcode Fuzzy Hash: 8fa207762b2fe82788260c31e2be6e91e28903c9b55fb0de3d53225a379788dc
Instruction Fuzzy Hash: DC0181326456006B961266787C89EEB265DFFD13BAB254128F829E2293EA74C8E14161

Function 0084000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?,?,0084035E), ref: 0084002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?), ref: 00840064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840070

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 95576e212e644e3d519f4d28aea719beac5e1fe60ac1a8f190b3a48e58c3bd95
Instruction ID: a746f0ca4c3ff956cd534671a36f9f4b6d57b889cdc0473fb27747159a73beb2
Opcode Fuzzy Hash: 95576e212e644e3d519f4d28aea719beac5e1fe60ac1a8f190b3a48e58c3bd95
Instruction Fuzzy Hash: C4018F72600608BFDB204F68DC08BAB7AADFB44751F144128FE09D3214D771DE808BA0

Function 0084E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0084E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0084E9A5
Sleep.KERNEL32(00000000), ref: 0084E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0084E9B7
Sleep.KERNEL32 ref: 0084E9F3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2ec62fa97c92995d5c25c660eab5bbbe54694a57f50bef6b9cf088f0964ed634
Instruction ID: ad8150cca81aaf220c86d13563c7bf15b0d8ac361bc0e232994bb1a98c6b27b2
Opcode Fuzzy Hash: 2ec62fa97c92995d5c25c660eab5bbbe54694a57f50bef6b9cf088f0964ed634
Instruction Fuzzy Hash: 8D010531C0162DDBCF00AFE5D859AEDBF78FB09715F40055AE506F2285CB309594CBA1

Function 008410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fd1661ea00d0c36d5fd6ed2c2690de37d9a0aeb1dc7604c11de3f8aea4de01a0
Instruction ID: e073c7d106e452b87a598917bbedf1f53e856a9a854d24f490198854d494c263
Opcode Fuzzy Hash: fd1661ea00d0c36d5fd6ed2c2690de37d9a0aeb1dc7604c11de3f8aea4de01a0
Instruction Fuzzy Hash: 22013C75200209BFDB154FA9DC4DE6A7F6EFF893A1B244429FA49D7360DB31DC809A60

Function 00840FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00840FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00840FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00840FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00840FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00841002

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0f32c17f6b5cd2e415e4a82a8ec13207475e0484a6d6788e1071c4c4c5f7dcea
Instruction ID: 1a86f770a233d968894a8ff4323818c5821d2b5cd13c34e384103ad3ed26c00d
Opcode Fuzzy Hash: 0f32c17f6b5cd2e415e4a82a8ec13207475e0484a6d6788e1071c4c4c5f7dcea
Instruction Fuzzy Hash: C6F04935200705ABDB214FA4AC4DF563FADFF8AB62F504428FA49D7251DA70DC808A60

Function 00841014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0084102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00841036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0084104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841062

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fa9800dd367b9ca36ab141a46e88120c2b8728db869db93c7cdec0a0381ef6a4
Instruction ID: 6e7c1927518bdbcf2b8accf19d24b921cd5022f0190abe020191ba9f7c82de07
Opcode Fuzzy Hash: fa9800dd367b9ca36ab141a46e88120c2b8728db869db93c7cdec0a0381ef6a4
Instruction Fuzzy Hash: E3F06D35200705EBDB219FA4EC4DF563BADFF8A761F100428FA49D7250CA70D8908A60

Function 0085030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850324
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850331
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 0085033E
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 0085034B
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850358
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850365

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b9aa24ec43485dfbab37f99c2d08a00abb5b3d349934abef8dbf87693b0eb40c
Instruction ID: 49b3365a718556fcc64bfd14dcba5eb0ff246a53095025734f84267373c1f4b4
Opcode Fuzzy Hash: b9aa24ec43485dfbab37f99c2d08a00abb5b3d349934abef8dbf87693b0eb40c
Instruction Fuzzy Hash: 2F01A272800B159FCB309F66D880452F7F5FF503163158A3FD19692A31C371A958CF80

Function 0081D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0081D752

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081D764
_free.LIBCMT ref: 0081D776
_free.LIBCMT ref: 0081D788
_free.LIBCMT ref: 0081D79A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1248eeb6ddfc7e1c99cb5347f8202779470ff90929a345a1b952932a12a33da1
Instruction ID: eb2ce435d9fdbdf171a88134f88a1873a70e198fa9f5fea06482710bbd4fee33
Opcode Fuzzy Hash: 1248eeb6ddfc7e1c99cb5347f8202779470ff90929a345a1b952932a12a33da1
Instruction Fuzzy Hash: 7FF0FF32545314AB9621EB6CF9C5E967BDDFF45720B980C05F049DB941CB24FCD086A5

Function 00845C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00845C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00845C6F
MessageBeep.USER32(00000000), ref: 00845C87
KillTimer.USER32(?,0000040A), ref: 00845CA3
EndDialog.USER32(?,00000001), ref: 00845CBD

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7c6ac11a6d1e2d8586e1ce1c6417ceac9dd2e83d4c1bb35cdc30b598c2747e9b
Instruction ID: 6b303a002b6265e2062b7b0ee58b4de12f411b42caa4262525e669925c237dac
Opcode Fuzzy Hash: 7c6ac11a6d1e2d8586e1ce1c6417ceac9dd2e83d4c1bb35cdc30b598c2747e9b
Instruction Fuzzy Hash: 6A018670500B08ABEB315B50DDCEFAA77B8FB14B45F04055DA587A20E5DBF4A9C48B91

Function 008122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008122BE

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 008122D0
_free.LIBCMT ref: 008122E3
_free.LIBCMT ref: 008122F4
_free.LIBCMT ref: 00812305

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c25bebbac9ebd2cf05d6c6d8ad06be7781d4728e7e094732a1339191c7230cac
Instruction ID: c9fc4b66c877a098db6ec27119d4c7b5f30635d0d9e4dd57c8762dd11d65cbd7
Opcode Fuzzy Hash: c25bebbac9ebd2cf05d6c6d8ad06be7781d4728e7e094732a1339191c7230cac
Instruction Fuzzy Hash: FFF05E719001208B8A12EF5CBC01DAD3F68FB19760740071AF424DA3B5CB3448B1AFE5

Function 007F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007F95D4
StrokeAndFillPath.GDI32(?,?,008371F7,00000000,?,?,?), ref: 007F95F0
SelectObject.GDI32(?,00000000), ref: 007F9603
DeleteObject.GDI32 ref: 007F9616
StrokePath.GDI32(?), ref: 007F9631

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9e62fbf4d62bcb184e187c96c031126603b04f803f76d1f1a98f910c7f6952ee
Instruction ID: cc20874b67a6468aa8177a42e63c41554c34b70817c59c54268d2c56092ce26f
Opcode Fuzzy Hash: 9e62fbf4d62bcb184e187c96c031126603b04f803f76d1f1a98f910c7f6952ee
Instruction Fuzzy Hash: 9DF04F30005648EBDF225F65ED2C7B43F65BB00322F948318F6299A1F0D73489A1DF60

Function 00810F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008110F9
__freea.LIBCMT ref: 00811117

Part of subcall function 00811537: _free.LIBCMT ref: 0081154F

Strings

a/p, xrefs: 008111DE
am/pm, xrefs: 0081117A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a52e43ffa0617c28ad76952356b36ee40474e4aab3d989d2caecf703a83b6162
Instruction ID: 6adff294a1a6d814daf785fb922f3b65d292e652c17775152d712d0c25b118e5
Opcode Fuzzy Hash: a52e43ffa0617c28ad76952356b36ee40474e4aab3d989d2caecf703a83b6162
Instruction Fuzzy Hash: 85D1DF7191020A9ACF249F68C84DBFAB7B9FF05704F280159EB11DBA54D7799DC0CB91

Function 00867B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00800242: EnterCriticalSection.KERNEL32(008B070C,008B1884,?,?,007F198B,008B2518,?,?,?,007E12F9,00000000), ref: 0080024D
Part of subcall function 00800242: LeaveCriticalSection.KERNEL32(008B070C,?,007F198B,008B2518,?,?,?,007E12F9,00000000), ref: 0080028A

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 008000A3: __onexit.LIBCMT ref: 008000A9

__Init_thread_footer.LIBCMT ref: 00867BFB

Part of subcall function 008001F8: EnterCriticalSection.KERNEL32(008B070C,?,?,007F8747,008B2514), ref: 00800202
Part of subcall function 008001F8: LeaveCriticalSection.KERNEL32(008B070C,?,007F8747,008B2514), ref: 00800235

Strings

Variable must be of type 'Object'., xrefs: 00867C3A
5, xrefs: 00867C78
G, xrefs: 00867C7F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: a4ad926a50c905079a076ccdcc8ca1cc06d34910c0f1ec139d50da0ef587411b
Instruction ID: eebdd97583599baed00a0def259cfc6ce743fef8155c4e53448febc5f8ff130b
Opcode Fuzzy Hash: a4ad926a50c905079a076ccdcc8ca1cc06d34910c0f1ec139d50da0ef587411b
Instruction Fuzzy Hash: 49918970A04209EFCB15EF98D8859ADB7B1FF48308F118449F906DB3A2DB35AE45CB91

Function 00815AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO~, xrefs: 00815BA8, 00815C6C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: JO~
API String ID: 0-1108401909
Opcode ID: 3470e67d6324346f1039ee8e289ab7ced369d458dfb963ac85b8898da881bca5
Instruction ID: 3363d4b8754735d0ba27397a1f93eb56f6d38de24df93a2d91d3d80a18024506
Opcode Fuzzy Hash: 3470e67d6324346f1039ee8e289ab7ced369d458dfb963ac85b8898da881bca5
Instruction Fuzzy Hash: 1B519F71D04609DFDB209FA8CC45EEEBBBCFF85324F140059E405E7292D77199818BA2

Function 00842716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0084B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008421D0,?,?,00000034,00000800,?,00000034), ref: 0084B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00842760

Part of subcall function 0084B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0084B3F8

Part of subcall function 0084B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0084B355
Part of subcall function 0084B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00842194,00000034,?,?,00001004,00000000,00000000), ref: 0084B365
Part of subcall function 0084B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00842194,00000034,?,?,00001004,00000000,00000000), ref: 0084B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0084281A

Strings

@, xrefs: 00842832

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ba613f218c753eb6d0addb359f6776cc659e23e47d4a31331d23877fafd7f3a7
Instruction ID: e196bed1e1bc05f193caaf1c5d662f49c73e2b39eaa9c771936c1c6ad8f9c909
Opcode Fuzzy Hash: ba613f218c753eb6d0addb359f6776cc659e23e47d4a31331d23877fafd7f3a7
Instruction Fuzzy Hash: 5D41FC7690021CAEDB10DFA8C985ADEBBB8FF19700F104099FA55B7181DA71AE85CB61

Function 0081172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00811769
_free.LIBCMT ref: 00811834
_free.LIBCMT ref: 0081183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00811760, 00811767, 00811796, 008117CE

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 9af88b28fb6d00f870daa304188a82009bfc92dc86346233529cf985d8eb1eac
Instruction ID: 39dc128907e64889b40fa2265deac51ae6ad282d42d0cc7885a7badcde26f2e5
Opcode Fuzzy Hash: 9af88b28fb6d00f870daa304188a82009bfc92dc86346233529cf985d8eb1eac
Instruction Fuzzy Hash: D5316D71A04218ABDF21DF999889DDEBBBCFF85310B548166EA04DB351D6708A80CB91

Function 0084C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0084C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0084C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008B1990,012D7F58), ref: 0084C395

Strings

0, xrefs: 0084C2DF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: eb731685b5244a32be783abbae5ce2187e4ebfd76f4564e60ff9977abecb124b
Instruction ID: 0c93a535ef7a966dcbfd6e47c9e07cc400ddaf9b6976a6528377d6f5d48c43c3
Opcode Fuzzy Hash: eb731685b5244a32be783abbae5ce2187e4ebfd76f4564e60ff9977abecb124b
Instruction Fuzzy Hash: 38418A322063059FD760DF29D884B1ABBE8FB85324F008A1DE9A5D7391D770E904CB62

Function 00874416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0087CC08,00000000,?,?,?,?), ref: 008744AA
GetWindowLongW.USER32 ref: 008744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008744D7

Strings

SysTreeView32, xrefs: 0087447C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5288dd272f9b11ea587259127715450dd142866adce198def58eb0e47c4618ee
Instruction ID: 495d4ca97a00d6672a73d17762c554b00feb2a8de169b0209fd39469b15b4a17
Opcode Fuzzy Hash: 5288dd272f9b11ea587259127715450dd142866adce198def58eb0e47c4618ee
Instruction Fuzzy Hash: 58319E31200205AFDB208E38DC45BEA77A9FB08328F209719F979E31E4DB74EC909750

Function 0086304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00863077,?,?), ref: 00863378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
_wcslen.LIBCMT ref: 0086309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00863106

Strings

255.255.255.255, xrefs: 00863095, 0086309A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 46a5f6acf4f1e696c7b497214b2ac8a566d51a54f084c8cf1612a5140b51eddc
Instruction ID: 84fc834887e3ed14e65004dd38e20aec204ae8ac54998c06edbf717be914bfec
Opcode Fuzzy Hash: 46a5f6acf4f1e696c7b497214b2ac8a566d51a54f084c8cf1612a5140b51eddc
Instruction Fuzzy Hash: 3231D535604205DFC710CF68C585E6977E0FF15318F268059E915CB3A2DB32DE85C761

Function 00873EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00873F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00873F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00873F78

Strings

SysMonthCal32, xrefs: 00873F0B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: cab02554b11d6dc1aabc343fb0794daca410df940a1bf833823451d3d3f125c3
Instruction ID: 26a721b83aa33f591d1c1ece1154ccbc331526fe53702cfdc9b15e7f42566511
Opcode Fuzzy Hash: cab02554b11d6dc1aabc343fb0794daca410df940a1bf833823451d3d3f125c3
Instruction Fuzzy Hash: E421EF32600218BFDF118F54CC86FEA3B75FB48754F114218FA19AB1D4DAB1E8909BA0

Function 00874653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00874705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00874713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0087471A

Strings

msctls_updown32, xrefs: 00874684

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e891d9380ad410b9abd8e7f8b7d971b59ba2a3d847f596b03da34187e863dcca
Instruction ID: 8c7a9e26f80d1c73350232353b5aea11dce720263d22ac47dde8c762bb704f85
Opcode Fuzzy Hash: e891d9380ad410b9abd8e7f8b7d971b59ba2a3d847f596b03da34187e863dcca
Instruction Fuzzy Hash: 892190B5600208AFEB10DF68DCD5DAB37ADFB9A398B404149FA05DB351CB30EC51CA61

Function 008495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084961D

Strings

#OnAutoItStartRegister, xrefs: 008495F3
#requireadmin, xrefs: 008495D9
#notrayicon, xrefs: 008495B7

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6e545578245e9b651c9430fc28e817868784fba8e3e9ac2b7b3d4c2d1346342c
Instruction ID: 214390076c582a0cbaa50a7c5c11fc6d61b5206b74c6fb53f9d40121697aded2
Opcode Fuzzy Hash: 6e545578245e9b651c9430fc28e817868784fba8e3e9ac2b7b3d4c2d1346342c
Instruction Fuzzy Hash: A6215B72104518A6C331AB29EC06FB7B3D8FFA5324F118026FAC9D7181EB55DD81C295

Function 008737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00873840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00873850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00873876

Strings

Listbox, xrefs: 0087380F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 601c3af3ea471752077b983d4972920fe03d4dd1a20d48cda71f2f375b8e8e1a
Instruction ID: be65a3a9fa5ac0ecb596bc78ed4217ac2ea1d4a962121bd7c3e42e4e633c7f04
Opcode Fuzzy Hash: 601c3af3ea471752077b983d4972920fe03d4dd1a20d48cda71f2f375b8e8e1a
Instruction Fuzzy Hash: CE21C272600118BBEF118F54CC85FBB376EFF89794F108124F9189B194C671DC5297A1

Function 008549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00854A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00854A5C
SetErrorMode.KERNEL32(00000000,?,?,0087CC08), ref: 00854AD0

Strings

%lu, xrefs: 00854A6F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a56027df7f0ca8dc5d75620b1281838026d48421fa63a5dbfc25d511b8f2bef0
Instruction ID: 3aaf5160cca7bc8d58b5bc5dff6bf5bd42d468a33400ddf1b03ad67e735017c6
Opcode Fuzzy Hash: a56027df7f0ca8dc5d75620b1281838026d48421fa63a5dbfc25d511b8f2bef0
Instruction Fuzzy Hash: D6315071A00118AFDB11DF64C985EAA7BF8FF08308F1480A9F909DB262D775ED85CB61

Function 008741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0087424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00874264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00874271

Strings

msctls_trackbar32, xrefs: 00874226

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 814fe627e260645f9430d6722e2ef41d449079571b0f4f167cd9aca6884718d6
Instruction ID: 02ba81b032b0a0f24f1387abd1531217e47b59ca733ea2ae57fcfffeeacfb818
Opcode Fuzzy Hash: 814fe627e260645f9430d6722e2ef41d449079571b0f4f167cd9aca6884718d6
Instruction Fuzzy Hash: 8011E331350248BEEF205E29CC46FAB3BACFF95B54F114528FA59E6090D271DC619B20

Function 00842F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Part of subcall function 00842DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00842DC5
Part of subcall function 00842DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00842DD6
Part of subcall function 00842DA7: GetCurrentThreadId.KERNEL32 ref: 00842DDD
Part of subcall function 00842DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00842DE4

GetFocus.USER32 ref: 00842F78

Part of subcall function 00842DEE: GetParent.USER32(00000000), ref: 00842DF9

GetClassNameW.USER32(?,?,00000100), ref: 00842FC3
EnumChildWindows.USER32(?,0084303B), ref: 00842FEB

Strings

%s%d, xrefs: 00842FFF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ea6d10214a2d79a1047e074673f05b3a664487e3735505690a1c1c005b2c95ba
Instruction ID: d32afa1420c6d444b04a34ac7f29ff444dd171dee1c0a7df65246ff07440ab33
Opcode Fuzzy Hash: ea6d10214a2d79a1047e074673f05b3a664487e3735505690a1c1c005b2c95ba
Instruction Fuzzy Hash: 6811C0B160020DABCF007F658CC9EED37AAFF94304F0440B9B909DB256DE3499458B60

Function 00875882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008758EE
DrawMenuBar.USER32(?), ref: 008758FD

Strings

0, xrefs: 0087588F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 99fdaeb844286cd84195232d7054e8e2e20a41ced68b0cb7a47356b1f4233084
Instruction ID: 8e50d29de578ce173b3e659c9a1ff0603a3efe3d947aea121ea2cc445dded737
Opcode Fuzzy Hash: 99fdaeb844286cd84195232d7054e8e2e20a41ced68b0cb7a47356b1f4233084
Instruction Fuzzy Hash: A2015B31500218EEDB219F11EC48BAEBBB4FF45360F10C099E94DD6265DB71CA84DF21

Function 0084007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6c5a68b22bcf66f0699223d6e8850341c11d8463b498df2a4b89524f6e5ba4
Instruction ID: 0912bb2628a4e1b86e5d100a1ca0648bdc42748644f1fbe47eca2fe3e79dc89a
Opcode Fuzzy Hash: 6a6c5a68b22bcf66f0699223d6e8850341c11d8463b498df2a4b89524f6e5ba4
Instruction Fuzzy Hash: 48C14B75A0021AEFDB14CFA4C898AAEBBB5FF48704F108598E605EB251D771ED41DF90

Function 00813E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00813F0B
__alldvrm.LIBCMT ref: 0081410C
__alldvrm.LIBCMT ref: 0081412E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 97c90545f626397d442ddba788ec3097792a538a1405d19101661d5c5b39f92d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: E9A12672D00786AFDB25CE18C891BEABBE9FF65350F28416DE585DB281C63489C2C751

Function 0086342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00863459
CoUninitialize.OLE32 ref: 00863463
VariantInit.OLEAUT32(?), ref: 0086346E
VariantClear.OLEAUT32(?), ref: 0086371B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: da6f1c1b735036757f6028c8623b9f7fd505e56fcf79757d4f6a110fc4fa9233
Instruction ID: cab5ddfe9ce35dde055c16b617aeca155ea1ce46a3e9afe9c80c99e97c6c9bf0
Opcode Fuzzy Hash: da6f1c1b735036757f6028c8623b9f7fd505e56fcf79757d4f6a110fc4fa9233
Instruction Fuzzy Hash: 7DA11475204604DFC714DF29C889A2AB7E5FF88714F058859F98ADB362DB34EE01CB92

Function 00840436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0087FC08,?), ref: 008405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0087FC08,?), ref: 00840608
CLSIDFromProgID.OLE32(?,?,00000000,0087CC40,000000FF,?,00000000,00000800,00000000,?,0087FC08,?), ref: 0084062D
_memcmp.LIBVCRUNTIME ref: 0084064E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7269fad494b281d94661d47d5fd169f187795f3991c5cec1d0c3baa43da8c9bf
Instruction ID: 385837ff395d7a8e6eaeac63f37ace261f42f70bcd9d3205ba6b73c51b9bdaa2
Opcode Fuzzy Hash: 7269fad494b281d94661d47d5fd169f187795f3991c5cec1d0c3baa43da8c9bf
Instruction Fuzzy Hash: D681F871A00209EFCB04DF94C988DEEB7B9FF89315B214558E616EB250DB71AE46CF60

Function 0086A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0086A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0086A6BA

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0086A79C
CloseHandle.KERNEL32(00000000), ref: 0086A7AB

Part of subcall function 007FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00823303,?), ref: 007FCE8A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 00c58382f1c77f3d80b495b5617e1ee2a324402308e00338492919bd7be8e916
Instruction ID: 7d1c0bc874de0db192cc8af8ed00a00eed507c6263aa26c13252b1683485a561
Opcode Fuzzy Hash: 00c58382f1c77f3d80b495b5617e1ee2a324402308e00338492919bd7be8e916
Instruction Fuzzy Hash: 55515B71508340AFD310EF25C88AA6BBBE8FF89754F40492DF585D7262EB34D904CB92

Function 00821391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008214C0

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d47baeac997eb998f0e0aa9056078bdf3422bd62b5f306bb74450ca874ea4736
Instruction ID: 3628301b1baf9a21fcf3adc7cbd71e7657175baf03df850348504aa6f495acb5
Opcode Fuzzy Hash: d47baeac997eb998f0e0aa9056078bdf3422bd62b5f306bb74450ca874ea4736
Instruction Fuzzy Hash: 58413E31600524ABDF317BBCAC4D6AE3AAAFF61370F344225F41CD61D2E67448C15267

Function 00876278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008762E2
ScreenToClient.USER32(?,?), ref: 00876315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00876382

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f74c04d38c6f3bb88736156f755a719d5ab73a98b9bd16398c9e5ebdc6aa1e1b
Instruction ID: f45d16f0459a2ce60dc1ba7691b72986fa6f4f2a3083a6e768f7a2490884cc76
Opcode Fuzzy Hash: f74c04d38c6f3bb88736156f755a719d5ab73a98b9bd16398c9e5ebdc6aa1e1b
Instruction Fuzzy Hash: 0A514A70A00649EFCF10DF68D8849AE7BB6FB45364F108259F819DB2A4E730ED91CB90

Function 00861AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00861AFD
WSAGetLastError.WSOCK32 ref: 00861B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00861B8A
WSAGetLastError.WSOCK32 ref: 00861B94

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 256c34ff63a492dff40d49382e31d8a3b5c94635b7c01b2b14dd81e7647529bf
Instruction ID: 27eb8074832bbb851ffdf607c4305b4c70b6a028317a77f3ea94e3eaee3bb638
Opcode Fuzzy Hash: 256c34ff63a492dff40d49382e31d8a3b5c94635b7c01b2b14dd81e7647529bf
Instruction Fuzzy Hash: 7B417135600240AFEB20AF25C88AF3977E5EB48718F588458FA1A9F3D3D776DD418B90

Function 0081B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de676bd43aff15cbcfd989c548d46644e069eac3b0beb379378e6bf6a016710
Instruction ID: 03d5b34e148918b535db9b76fe5ce4c7d745dce8c7cc6ab261f6657ce71c0e08
Opcode Fuzzy Hash: 5de676bd43aff15cbcfd989c548d46644e069eac3b0beb379378e6bf6a016710
Instruction Fuzzy Hash: 0341D175A00214AFD724AF7CCC41BEABBADFF88720F20852EF141DB682D77199818795

Function 008556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00855783
GetLastError.KERNEL32(?,00000000), ref: 008557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008557FA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: dbcc1f1d097e6a7e519842c4538899c0ee21dc3b7a2316dc9cab022ce362072c
Instruction ID: 90dca78146b610da04fcc079cfabb2440f74ccab0aa3dda349189bad95248d47
Opcode Fuzzy Hash: dbcc1f1d097e6a7e519842c4538899c0ee21dc3b7a2316dc9cab022ce362072c
Instruction Fuzzy Hash: 21411A39600A50DFCB15DF15C448A1ABBE2FF8D321B188498EC4AAB362CB34FD45CB91

Function 0081D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00806D71,00000000,00000000,008082D9,?,008082D9,?,00000001,00806D71,8BE85006,00000001,008082D9,008082D9), ref: 0081D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0081D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0081D9AB
__freea.LIBCMT ref: 0081D9B4

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8fc9b57b946113750f54c29bcfc903232b2f0f5ecbae12918a7dbfe906c4fa3f
Instruction ID: 087861d98f10bdfebf413c5514926240eb877eca6df874597e4da7105cddd517
Opcode Fuzzy Hash: 8fc9b57b946113750f54c29bcfc903232b2f0f5ecbae12918a7dbfe906c4fa3f
Instruction Fuzzy Hash: 7731AE72A0021AABDF249F69DC45EEE7BA9FF40310B054168FC04D7290EB35DD91CBA1

Function 008752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00875352
GetWindowLongW.USER32(?,000000F0), ref: 00875375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00875382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008753A8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d3e5900a3877726f96814f9e1988660641e4f2d7da34bb708c37cca5d25fefa4
Instruction ID: aebbd7fdeee27dfce82d587526abf3160bd4f623f8246a1b602b29e84ca0e5e3
Opcode Fuzzy Hash: d3e5900a3877726f96814f9e1988660641e4f2d7da34bb708c37cca5d25fefa4
Instruction Fuzzy Hash: 7631CF30A55A0CEFEB209A14CC5ABE97761FB06390F988105BA19D63F8C7F4ED809B41

Function 0084AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0084ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0084AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0084AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0084ACC6

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 85663fe392478caefc58c220301ce816ddd69106f46713e9a00896887e2a90c8
Instruction ID: 9ff36f77e8794ca4c516a146c0d3759b2283e78f2301ffd8334224eec2f79441
Opcode Fuzzy Hash: 85663fe392478caefc58c220301ce816ddd69106f46713e9a00896887e2a90c8
Instruction Fuzzy Hash: 3131F670A8061CAFEB79CB65C8887FA7AA5FB49310F04421EE495DB1D1C375C9858792

Function 00877674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0087769A
GetWindowRect.USER32(?,?), ref: 00877710
PtInRect.USER32(?,?,00878B89), ref: 00877720
MessageBeep.USER32(00000000), ref: 0087778C

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5d535e27dbe67e51cfa1eecce5703e02bfe426df8b0c486f8aab0e0eca22c7f9
Instruction ID: 25fcf8347536857db9e1b91fe258bba6016834d77305ce73e9f2bb05fa4c0956
Opcode Fuzzy Hash: 5d535e27dbe67e51cfa1eecce5703e02bfe426df8b0c486f8aab0e0eca22c7f9
Instruction Fuzzy Hash: 6D41AD34609254EFDB05CF58C898EA9BBF5FB49384F5481A8E418DF269C330E941CF90

Function 008716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008716EB

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

GetCaretPos.USER32(?), ref: 008716FF
ClientToScreen.USER32(00000000,?), ref: 0087174C
GetForegroundWindow.USER32 ref: 00871752

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 08673035f9957af23bfb0a435b751ca74bc0b814650f4e642ceb7edf94ce19c1
Instruction ID: da1964f72edbc2e0c22591465ec69cbeb63dbfe09a78b81cb66a3ff28eb673d4
Opcode Fuzzy Hash: 08673035f9957af23bfb0a435b751ca74bc0b814650f4e642ceb7edf94ce19c1
Instruction Fuzzy Hash: B7317275D01149AFCB04DFAAC885CAEB7F9FF48304B54806AE415E7211D735DE45CBA1

Function 0084DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

_wcslen.LIBCMT ref: 0084DFCB
_wcslen.LIBCMT ref: 0084DFE2
_wcslen.LIBCMT ref: 0084E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0084E018

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: aece6ab07df4494a35b01e7769063680d4356337bc8f46d236d8cd36ea58e54a
Instruction ID: 68424ada42abb0db907a62a44f4a5e642e252ea057ee6ec21cb87ce7fc62457a
Opcode Fuzzy Hash: aece6ab07df4494a35b01e7769063680d4356337bc8f46d236d8cd36ea58e54a
Instruction Fuzzy Hash: 1F219F71900618EFCB20AFA8D981BAEBBF8FF45750F144065E915FB385D6749E408BA2

Function 00878FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetCursorPos.USER32(?), ref: 00879001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00837711,?,?,?,?,?), ref: 00879016
GetCursorPos.USER32(?), ref: 0087905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00837711,?,?,?), ref: 00879094

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 494131e43f4616978465e07857149add603a9b92c665e5d5884f453e9feaa589
Instruction ID: 5c5e08fdb538f28930c78d3686a248b15844d877a761a2fd0fd6310e4eaf30f5
Opcode Fuzzy Hash: 494131e43f4616978465e07857149add603a9b92c665e5d5884f453e9feaa589
Instruction Fuzzy Hash: 4B219F35610418EFDB258F94C898EFA7BF9FB89350F448169F9498B265C331D990DB60

Function 0084D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0087CB68), ref: 0084D2FB
GetLastError.KERNEL32 ref: 0084D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0084D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0087CB68), ref: 0084D376

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9be2f841a998264409e7a2d5ac1a5c60943914960a9e595dc073db5a6606c076
Instruction ID: a0f6a1bea015c25f37bd2ad3a13e4b0eb1cae762d704aeee68ee436bf8065f31
Opcode Fuzzy Hash: 9be2f841a998264409e7a2d5ac1a5c60943914960a9e595dc073db5a6606c076
Instruction Fuzzy Hash: 802157705093059F8710DF28C88586AB7E8FA5A328F504A5DF4A9D73A1EB30D986CB93

Function 00841571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00841014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0084102A
Part of subcall function 00841014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00841036
Part of subcall function 00841014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841045
Part of subcall function 00841014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0084104C
Part of subcall function 00841014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008415BE
_memcmp.LIBVCRUNTIME ref: 008415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00841617
HeapFree.KERNEL32(00000000), ref: 0084161E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b48afddd7d9351e55d46f91a59bf9d2519a3ab8e46eb84520d145ac7f3d1aeb1
Instruction ID: 474dc9609859134899ee5c711ff9e468aca10b8901bf96684fd38d5eff0ed195
Opcode Fuzzy Hash: b48afddd7d9351e55d46f91a59bf9d2519a3ab8e46eb84520d145ac7f3d1aeb1
Instruction Fuzzy Hash: 8C216931E00108AFDF00DFA4C949BEEB7B8FF54354F0A4459E445EB241E730AA85CBA0

Function 00872782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0087280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00872824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00872832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00872840

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 535621e0c0726d856c450dd5a2fc36e06cc80b8adacbd31fe0d19555f9f02b28
Instruction ID: 126781bbf6071df903f56dcabaca113cbb037ce138911dd3bf98020ddfa0374d
Opcode Fuzzy Hash: 535621e0c0726d856c450dd5a2fc36e06cc80b8adacbd31fe0d19555f9f02b28
Instruction Fuzzy Hash: 6C21D331209115AFD7149B24C848FAA7B95FF49324F14825CF42ACB6E6CB76FC82C791

Function 008478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00848D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?), ref: 00848D8C
Part of subcall function 00848D7D: lstrcpyW.KERNEL32(00000000,?,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00848DB2
Part of subcall function 00848D7D: lstrcmpiW.KERNEL32(00000000,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?), ref: 00848DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847923
lstrcpyW.KERNEL32(00000000,?,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847984

Strings

cdecl, xrefs: 0084797B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5a4e406138b765686310f79c4079ec19065e2b609b7ce8b040469323aefe1763
Instruction ID: 7e6f2db0e931b3d5e6f486abb084f1de2c1261f77f29ac0ca20f378042cd4b99
Opcode Fuzzy Hash: 5a4e406138b765686310f79c4079ec19065e2b609b7ce8b040469323aefe1763
Instruction Fuzzy Hash: 4A11263A20034AABCB159F38C848E7A7BA9FF85350B40402AF906C73A4EF35D851C7A1

Function 00877CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00877D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00877D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00877D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0085B7AD,00000000), ref: 00877D6B

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 507eefb2575c873af82df6f58e160e0b840f36e8b33a7b1c0e6d1fc2f2344677
Instruction ID: 38f205c2b6ede9af45ae589458c0288700c23320fcc9f600f4fd4be664af68c8
Opcode Fuzzy Hash: 507eefb2575c873af82df6f58e160e0b840f36e8b33a7b1c0e6d1fc2f2344677
Instruction Fuzzy Hash: 9B118C31604659AFCB209F68CC08AA63BA5FF45364B558728F93DDB2F8D731D960CB90

Function 00875660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008756BB
_wcslen.LIBCMT ref: 008756CD
_wcslen.LIBCMT ref: 008756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00875816

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0eb028a6a7cfbe133e2e3ea432a2a1363070f68d27f21ae0ba10cce3a564cdf4
Instruction ID: 4d1a568810885d6315253a1f9a432cfe84dd71deb3fc04c20186fc7c45ea7676
Opcode Fuzzy Hash: 0eb028a6a7cfbe133e2e3ea432a2a1363070f68d27f21ae0ba10cce3a564cdf4
Instruction Fuzzy Hash: 7F11B471A0060896DF209F65DC85AEE7B6CFF20764F50802AFA1DD6189E7B0D984CB65

Function 00811D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74c146381d858395b9c082c5bc5da03e490aa33c92bf395bbc4a11f6fd7dfe0
Instruction ID: 03bb4595544befa0fb84ddbff95cb8838dd4c0bcf8d64e81067a4713c430c354
Opcode Fuzzy Hash: c74c146381d858395b9c082c5bc5da03e490aa33c92bf395bbc4a11f6fd7dfe0
Instruction Fuzzy Hash: 680162B220961A7EFA11167C7CC9FA7661DFF413B8B340329F625D51D6DB608C905171

Function 00841A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00841A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A8A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f7fb15890c1f2440bc265fe92f37f28e9dc03be2fed29e31cc7fd1f97cd03fd
Instruction ID: 7725b2b840a80de76c1404ec918f0fd429c27ae8d430e0a5700bb0e0bcc191da
Opcode Fuzzy Hash: 0f7fb15890c1f2440bc265fe92f37f28e9dc03be2fed29e31cc7fd1f97cd03fd
Instruction Fuzzy Hash: 2D112A3A901229FFEF10DBA4C985FADBB78FB04754F200495E604B7290D771AE50DB94

Function 0084E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0084E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0084E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0084E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0084E24D

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bca2cf1dcc257644f490eb7cded415778bc91d307d2f9e74426c415cd5d007c4
Instruction ID: d40e980c5f689ec9f5524676c74bbf9e0461621bec9f47d2e6cfa3763dc916d0
Opcode Fuzzy Hash: bca2cf1dcc257644f490eb7cded415778bc91d307d2f9e74426c415cd5d007c4
Instruction Fuzzy Hash: D211E572904218ABCB019FA89C09A9A7BACFB45360F404329F825E3390D7B4C90087A0

Function 0080D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0080CFF9,00000000,00000004,00000000), ref: 0080D218
GetLastError.KERNEL32 ref: 0080D224
__dosmaperr.LIBCMT ref: 0080D22B
ResumeThread.KERNEL32(00000000), ref: 0080D249

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2b518bb0d9ecaa434829ec0f77130cb769d4f9aa39854d4ee2b90192eac926a7
Instruction ID: 023c8760b8aadb2e58cc20565837c1da89b4055e95362d6e0f6a7f882b334ca2
Opcode Fuzzy Hash: 2b518bb0d9ecaa434829ec0f77130cb769d4f9aa39854d4ee2b90192eac926a7
Instruction Fuzzy Hash: DC01D236805308BBDB616BE9DC09BAE7A69FF82730F104229F929D61D1CF70D941C7A1

Function 00879EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetClientRect.USER32(?,?), ref: 00879F31
GetCursorPos.USER32(?), ref: 00879F3B
ScreenToClient.USER32(?,?), ref: 00879F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00879F7A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7f6ed3ab8d92449a9c6686e6c21578c0d12bebb467e0ebc61b3f3ab07a9bd6c8
Instruction ID: 39cb8e0209761ce95775663395d6c4970a45b125dcfa6842c3e42cf1ac1c04e1
Opcode Fuzzy Hash: 7f6ed3ab8d92449a9c6686e6c21578c0d12bebb467e0ebc61b3f3ab07a9bd6c8
Instruction Fuzzy Hash: 80115732A0051AABDF10EFA8D889DEE77B8FB06311F408455F955E7144DB30FA81CBA1

Function 007E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
GetStockObject.GDI32(00000011), ref: 007E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 52be7485582ec40d8cb9afeb8f70ad7259844802362cc8eb0fce80d2c1819387
Instruction ID: 98d40c62521b4bddb2638aace96675d24da69dd452c02e7fbd8dbfb5ce49da73
Opcode Fuzzy Hash: 52be7485582ec40d8cb9afeb8f70ad7259844802362cc8eb0fce80d2c1819387
Instruction Fuzzy Hash: 3C11A172102558BFEF125F959C48EEA7B69FF2C3A4F000215FA0452020C736ECA0DBA0

Function 00803B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00803B56

Part of subcall function 00803AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00803AD2
Part of subcall function 00803AA3: ___AdjustPointer.LIBCMT ref: 00803AED

_UnwindNestedFrames.LIBCMT ref: 00803B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00803B7C
CallCatchBlock.LIBVCRUNTIME ref: 00803BA4

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 679b5d6c70aa2e656c70e28e8f61eb6a7a199dee8487818693ad9ca97b773b3b
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 4E014C72100148BBDF526E99CC42EEB3F6DFF88768F044414FE48A6161C732E961DBA1

Function 00813073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007E13C6,00000000,00000000,?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue), ref: 008130A5
GetLastError.KERNEL32(?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue,00882290,FlsSetValue,00000000,00000364,?,00812E46), ref: 008130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue,00882290,FlsSetValue,00000000), ref: 008130BF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fa6100dd8b387a1e205fac6f93b773bd0fad318eec74df592261d98e36e01bfc
Instruction ID: 3eeca2d863ce27788880322e00681fab88575298f7c80c6abae2b8847e780029
Opcode Fuzzy Hash: fa6100dd8b387a1e205fac6f93b773bd0fad318eec74df592261d98e36e01bfc
Instruction Fuzzy Hash: F401F732311A26ABCB314B799C48DA77BDCFF09B61B210624F909E3240DB21DA81C7E0

Function 00847464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0084747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00847497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008474CA

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7fb98cd99f2c304247b6c34c151d48fd2c81604f47c72a7b654cf9727f672664
Instruction ID: 1010690813d699ead7225226615b35c6f8930d40ceb2f5e221deba297e7fb6fd
Opcode Fuzzy Hash: 7fb98cd99f2c304247b6c34c151d48fd2c81604f47c72a7b654cf9727f672664
Instruction Fuzzy Hash: 6A116DB5205319ABE7208F54DC0DBA27BFCFB00B04F10856DE65AD7191D7B4E984DBA4

Function 0084B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B126

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5d08d36cafe45b1c27aae5102a0c66632da8e4b3df5b8da897d44cf27dd758ce
Instruction ID: 44dfed7290a4c20ca960d561b7098a718ca85d9b39aeeeda9d71dab5ce20df69
Opcode Fuzzy Hash: 5d08d36cafe45b1c27aae5102a0c66632da8e4b3df5b8da897d44cf27dd758ce
Instruction Fuzzy Hash: 54113931C0192DE7CF04AFE4E9586EEBB78FF09711F104099D941B2285DB309650CB61

Function 00877E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00877E33
ScreenToClient.USER32(?,?), ref: 00877E4B
ScreenToClient.USER32(?,?), ref: 00877E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00877E8A

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 705c21aade121229eb78ff5eb8df5cfe9716ff66d16761e1f91180ff194e5bb7
Instruction ID: ad1246795243411afbc9605933b5d621773bc9d0d5ae7b6f92cdfa27366a34c9
Opcode Fuzzy Hash: 705c21aade121229eb78ff5eb8df5cfe9716ff66d16761e1f91180ff194e5bb7
Instruction Fuzzy Hash: 261156B9D0020AAFDB41DF98D8849EEBBF5FF18310F509056E915E3214D735AA94CF51

Function 00842DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00842DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00842DD6
GetCurrentThreadId.KERNEL32 ref: 00842DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00842DE4

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 635f7a278c3309a4678ca4a5aee9fe166b89f28fba61151262f56f1893a4bd3e
Instruction ID: 61497d1fd9ab0f33363162c7ab0f433765f8d3148284f6cb413970e98b9c6565
Opcode Fuzzy Hash: 635f7a278c3309a4678ca4a5aee9fe166b89f28fba61151262f56f1893a4bd3e
Instruction Fuzzy Hash: 5FE0EDB150562C7AD7201B629C4DFEB7E6CFB56BA1F84011DB50AD20949AA5C981C6B0

Function 00878863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96A2
Part of subcall function 007F9639: BeginPath.GDI32(?), ref: 007F96B9
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00878887
LineTo.GDI32(?,?,?), ref: 00878894
EndPath.GDI32(?), ref: 008788A4
StrokePath.GDI32(?), ref: 008788B2

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5b386717904e7d5ae7cd11aa4f6fdd8bee79a27277368d6c22d03fb2e7984d91
Instruction ID: f39befc21fd1a54d6fa1f14d8c8baefe0dd22c2db175078d608505ae56ec3bde
Opcode Fuzzy Hash: 5b386717904e7d5ae7cd11aa4f6fdd8bee79a27277368d6c22d03fb2e7984d91
Instruction Fuzzy Hash: EAF09A36041658FADB122F94AC0DFCA3F19BF06310F808104FB15A60E1C7748550CBE5

Function 007F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007F98CC
SetTextColor.GDI32(?,?), ref: 007F98D6
SetBkMode.GDI32(?,00000001), ref: 007F98E9
GetStockObject.GDI32(00000005), ref: 007F98F1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 478d6d0dd4823821f2412d1ef7babb7aa7e7e0f04bda34862f769d5a2e3d27e4
Instruction ID: 2936611773eb6421530e3f66fa9cb34909a9b64777e231f8962510423a34a99f
Opcode Fuzzy Hash: 478d6d0dd4823821f2412d1ef7babb7aa7e7e0f04bda34862f769d5a2e3d27e4
Instruction Fuzzy Hash: A8E03031244244AADB215B74AC0DBE83B10FB51335F148229F7B9950E5C37196809B20

Function 0084162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00841634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008411D9), ref: 0084163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008411D9), ref: 00841648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008411D9), ref: 0084164F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3227d58824a0944224dda64650ee6ad967b22e136e43e5cd1643215e45a3bcd3
Instruction ID: dbc9bbe32a355da180163b8a1c17d97d5879b43ffe98bd8ef85170145c4042c3
Opcode Fuzzy Hash: 3227d58824a0944224dda64650ee6ad967b22e136e43e5cd1643215e45a3bcd3
Instruction Fuzzy Hash: 2DE08C32602211EBDB201FA1AE0DB867B7CFF55792F15880CF24DDA094E634C4C0CBA4

Function 0083D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0083D858
GetDC.USER32(00000000), ref: 0083D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0083D882
ReleaseDC.USER32(?), ref: 0083D8A3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cbc09b11acdc24800d3c1fa0f7bd0a76f83c046a9fb9c6afc23afe97f8799a2a
Instruction ID: a7c08799fca90e18313b81a3f644895fbb6ebf614bda3ef448f3df43b2560438
Opcode Fuzzy Hash: cbc09b11acdc24800d3c1fa0f7bd0a76f83c046a9fb9c6afc23afe97f8799a2a
Instruction Fuzzy Hash: 18E01AB5800204DFCB41AFA0D84C66DBBB2FB18310F14841DE80AE7254DB389981AF40

Function 0083D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0083D86C
GetDC.USER32(00000000), ref: 0083D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0083D882
ReleaseDC.USER32(?), ref: 0083D8A3

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fc287d8b1c2d3b72bd1711c2aa7beaa4f720c4728a517eb17803b73e202e49cf
Instruction ID: 9d95f1de05b38d0d42a2c7f5522274c8f24de7d70d1b81aaf6e7cebdf92410c7
Opcode Fuzzy Hash: fc287d8b1c2d3b72bd1711c2aa7beaa4f720c4728a517eb17803b73e202e49cf
Instruction Fuzzy Hash: CBE012B5800204EFCB51AFA0D84C66DBBB2BB18310B14800CE90EE7264DB389982AF40

Function 00854D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00854ED4

Strings

*, xrefs: 00854E10
LPT, xrefs: 00854DFB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 717bad362756d7274e7fd8144bc827e12d91e4ba43cbfefe90c8f211b88a947a
Instruction ID: 52c3d499756554f7b977ba3c234fc8368c43e4f34491cce9d60a828073b0b269
Opcode Fuzzy Hash: 717bad362756d7274e7fd8144bc827e12d91e4ba43cbfefe90c8f211b88a947a
Instruction Fuzzy Hash: 66913D759002449FCB14DF58C484EA9BBF1FF48319F189099E80A9F362DB35ED89CB51

Function 0080E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0080E30D

Strings

pow, xrefs: 0080E2E5, 0080E302

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8ae1736300507272948875ed0eb7cdd2d975125c257989b42bb843dc11127014
Instruction ID: 761445852a846283412d3ee8e978aaa7c31816ead7e397a47bf2efa06772c991
Opcode Fuzzy Hash: 8ae1736300507272948875ed0eb7cdd2d975125c257989b42bb843dc11127014
Instruction Fuzzy Hash: 04510671A0C60696DB657718DD413BB2BB8FF40B40F344DACE095C22E9DB358CD19A86

Function 007FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007FE1B1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1fa9bec3fbce77fe589dcd9c35d18a3ff1a6b778b85e47051e7c9e50a00dd948
Instruction ID: 8176275da988eef6cf71812ab317a313f94a54fe94cb9a545402d57aaa335337
Opcode Fuzzy Hash: 1fa9bec3fbce77fe589dcd9c35d18a3ff1a6b778b85e47051e7c9e50a00dd948
Instruction Fuzzy Hash: B751353590524ADFDB15EF28C485AFA7BA4FF95310F244059F991DB2E0E7389D42CB90

Function 007FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007FF2BB

Strings

@, xrefs: 007FF2AF

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 927e99f3cbaf59d04c720a24a866ab8818679c3f0f6c50df2cece7b5e7260bba
Instruction ID: 74373b7af5605abcdc9eededc0697b314405ad3c82b3e91e04e2c16f792c7414
Opcode Fuzzy Hash: 927e99f3cbaf59d04c720a24a866ab8818679c3f0f6c50df2cece7b5e7260bba
Instruction Fuzzy Hash: 10515972419785DBD320AF11E88ABABB7F8FB88300F81485DF19941195EB358529CB66

Function 00865745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008657E0
_wcslen.LIBCMT ref: 008657EC

Strings

CALLARGARRAY, xrefs: 008657E6, 008657EB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fdb91f01a92d94cad6229f213aa7da775e04fee424f292c5f84891b4fe62fb33
Instruction ID: e72dd67f55dc0724cf31ffdd3612f43df42ebe8fc13a0f0a444b8e637fe72e1f
Opcode Fuzzy Hash: fdb91f01a92d94cad6229f213aa7da775e04fee424f292c5f84891b4fe62fb33
Instruction Fuzzy Hash: 0E41AE71A00209DFCB14DFA9C8859BEBBB5FF59724F114069E605EB352E7349D81CB90

Function 0085D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0085D13A

Strings

|, xrefs: 0085D10B

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4f0790b91f7d572690474cd5a53ab2facf56b10dbd69e0532b7d18f9080c6afa
Instruction ID: 960ca85a0f3553a14da714602e79a46888f9e34242b2eaa20cb8983f8d5f1003
Opcode Fuzzy Hash: 4f0790b91f7d572690474cd5a53ab2facf56b10dbd69e0532b7d18f9080c6afa
Instruction Fuzzy Hash: BA311B71D01209EBCF15EFA5CC89AEEBFB9FF18340F000059ED15A6165E735A946CB60

Function 0087356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00873621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0087365C

Strings

static, xrefs: 008735BC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aadd37a6dc9312db7babe2b3ee3299559c5a42ee95cf54ecaa3de23f34cd7a88
Instruction ID: 51a74c82378336ae9f4d91c3fafb4721ac96423ca8b868b92a21b4909d046528
Opcode Fuzzy Hash: aadd37a6dc9312db7babe2b3ee3299559c5a42ee95cf54ecaa3de23f34cd7a88
Instruction Fuzzy Hash: 11318B71100608AADB109F28DC84EBB73A9FF98764F10D61DF9A9D7280DA35ED81E761

Function 00874537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0087461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00874634

Strings

', xrefs: 0087458E

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 48670005c891760fda8b6d2444aa5f216dae206ff0207549f05e5ae8b1dc95d7
Instruction ID: 8b3df63d9ee316a9e48d04359849316107d2b5f54086dea6ea0fee061f6209c4
Opcode Fuzzy Hash: 48670005c891760fda8b6d2444aa5f216dae206ff0207549f05e5ae8b1dc95d7
Instruction Fuzzy Hash: F4311774A0120A9FDB14CF69C990ADABBB5FB19300F109169E908EB355D770E941CF90

Function 008731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0087327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00873287

Strings

Combobox, xrefs: 00873249

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 40ad309b7760fa7d370ff56ee4db26a89887c1ecc288bc8c2efc45ba4ddeb802
Instruction ID: 3629b5e1089b84056f0e53757eac8675b8c6e250b858666f0c2c13cfea43aee0
Opcode Fuzzy Hash: 40ad309b7760fa7d370ff56ee4db26a89887c1ecc288bc8c2efc45ba4ddeb802
Instruction Fuzzy Hash: 5411D071310208AFEF219E54DC84EAB376AFBA83A5F108128F92CE7295D631DD51A760

Function 00873710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
Part of subcall function 007E600E: GetStockObject.GDI32(00000011), ref: 007E6060
Part of subcall function 007E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

GetWindowRect.USER32(00000000,?), ref: 0087377A
GetSysColor.USER32(00000012), ref: 00873794

Strings

static, xrefs: 00873757

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6c23d354bc3c135ff214c9dccb1232276e63b7f2b8cc519f537c5b431ad4f428
Instruction ID: 7755833cda2ec11b42838bc9aa11839a106321245c1ee7e6a293bcba7ab58399
Opcode Fuzzy Hash: 6c23d354bc3c135ff214c9dccb1232276e63b7f2b8cc519f537c5b431ad4f428
Instruction Fuzzy Hash: 931129B2610209AFDF00DFA8CC49EFA7BB8FB08354F004928F959E3250E735E8519B61

Function 0085CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0085CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0085CDA6

Strings

<local>, xrefs: 0085CD66

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 16154fc6570257e92e0c3d23313780bae23c39f1874c908f4594b139c016a842
Instruction ID: 089eef2ff7dda921b735a952ac31fb2f36035db529c1a7a3a1d417fe06a8d086
Opcode Fuzzy Hash: 16154fc6570257e92e0c3d23313780bae23c39f1874c908f4594b139c016a842
Instruction Fuzzy Hash: D511A371205735BED7284A668C49FE7BEB8FB127A5F00422AB909C3180D6649848DAF0

Function 00873429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008734BA

Strings

edit, xrefs: 0087348F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 83a3e33e2c6341de05fee0ca37d6a6532ac5bf5a0b877fb305b39019b7d200d7
Instruction ID: 96d96ee157d0944b1ca84e01a577a31301511da387da0e7cfa94c26b5ab5f7e8
Opcode Fuzzy Hash: 83a3e33e2c6341de05fee0ca37d6a6532ac5bf5a0b877fb305b39019b7d200d7
Instruction Fuzzy Hash: EC11BF71100108ABEB154E64DC44AAB376AFB25378F508328FA68D31D8C731DD91A76A

Function 00846C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00846CB6
_wcslen.LIBCMT ref: 00846CC2

Strings

STOP, xrefs: 00846CBC, 00846CC1

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3fa19b2623e64cc41d57b4f5cb08df1a3b879bc6870b96a2499630437e5b0d9a
Instruction ID: c547a1117f2652e4c8eebaf67695baa3a3d6d85aa495b46e01e8e36edf48fe87
Opcode Fuzzy Hash: 3fa19b2623e64cc41d57b4f5cb08df1a3b879bc6870b96a2499630437e5b0d9a
Instruction Fuzzy Hash: DE010432A0052E8ACB20AFBDCC849BF77A4FF667147100528E852D7190FA36DC60C651

Function 00841CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00841D4C

Strings

ListBox, xrefs: 00841D16
ComboBox, xrefs: 00841CEB

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5637054eaa1bb1ff442b7a69d1afdb95c2fb97f35f2f11c953ce3b1ace8fc9a1
Instruction ID: 6e987747ceb55939727d853bfe8f4b9dc06d020b8a5353ced04acf5f7c6b2dd6
Opcode Fuzzy Hash: 5637054eaa1bb1ff442b7a69d1afdb95c2fb97f35f2f11c953ce3b1ace8fc9a1
Instruction Fuzzy Hash: 7E01D871A4121CABCF14FFA4CC59EFE7368FB56350B140919F832A73D1EA3459498670

Function 00841BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00841C46

Strings

ListBox, xrefs: 00841C10
ComboBox, xrefs: 00841BE5

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ed3c21f8de1c955ddfe4c6f5ddbc21e5bb266b873507035dbc774ab47850f2fc
Instruction ID: f1e0ba40f9d1d0df3abc6f11ff130509d6f67f304574e52bc1cafa9f4008d2f4
Opcode Fuzzy Hash: ed3c21f8de1c955ddfe4c6f5ddbc21e5bb266b873507035dbc774ab47850f2fc
Instruction Fuzzy Hash: B801FC7168111CA6CF14F7A0CD99AFFB3A8FB15340F100019A916B7291EA249E488671

Function 00841C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00841CC8

Strings

ListBox, xrefs: 00841C94
ComboBox, xrefs: 00841C69

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8b2e527d6c69fcc79b002f5d1c54c4c1ae78bc55aa135e3577010983df1f6887
Instruction ID: 8040fd4eddd3efe0769555c9826c73c8bf9f9a04d40b95194d9f369fa99e974e
Opcode Fuzzy Hash: 8b2e527d6c69fcc79b002f5d1c54c4c1ae78bc55aa135e3577010983df1f6887
Instruction Fuzzy Hash: 6301DB7268111CA7DF14F7A5CE89AFE73A8FB15340F540019B901F7291FA249F49C671

Function 00841D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00841DD3

Strings

ListBox, xrefs: 00841DA0
ComboBox, xrefs: 00841D75

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0beb2c9f6e815875de2918f70f4e06589fc12faff2b61418a954407e013ae183
Instruction ID: 2f0265670a6e769c6bb5229362f386444add15fbd846a476d6703d8deefc9cc0
Opcode Fuzzy Hash: 0beb2c9f6e815875de2918f70f4e06589fc12faff2b61418a954407e013ae183
Instruction Fuzzy Hash: F1F0F4B2F4121CA6DB14F7A4CC9ABFE7368FB06350F440919B922E72D1EA6459488270

Function 0086747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00867493
_wcslen.LIBCMT ref: 008674B9

Strings

3, 3, 16, 1, xrefs: 00867483

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9cb1d75317ee2c4c75fe79e840c91899233b734dd5d38c4cab045873ecb677a7
Instruction ID: e34783ebbe64694c0057ede808831e237746bc853a43aea1c56297e339ac35f4
Opcode Fuzzy Hash: 9cb1d75317ee2c4c75fe79e840c91899233b734dd5d38c4cab045873ecb677a7
Instruction Fuzzy Hash: 9FE02B4224522010D271127D9CC5A7F5A8AFFC5B50711283BFE81C22B6EE948D9193E6

Function 00840B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00840B23

Strings

Error allocating memory., xrefs: 00840B1C
AutoIt, xrefs: 00840B17

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 89e327d16966d9aa310af1079bf2afc93861633a97626d4c4cb1ba6edb57f960
Instruction ID: a7fbc5c101b91d27b7c50564b9add224dd8347ae9462e76b564c911057ca6120
Opcode Fuzzy Hash: 89e327d16966d9aa310af1079bf2afc93861633a97626d4c4cb1ba6edb57f960
Instruction Fuzzy Hash: 78E0D83238430C66D21436947C07F897A84EF05B60F10446EF79CDA6C38EE564D006E9

Function 00800D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00800D71,?,?,?,007E100A), ref: 007FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007E100A), ref: 00800D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007E100A), ref: 00800D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00800D7F

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 672f55dd25669d36cdb0807e3711f706f74c1d3130e91489aae465d149091567
Instruction ID: b7604372bbbbeb2fc1c251ddc4f8e520e0bc4fc3823a3501a90c6c630633ea6a
Opcode Fuzzy Hash: 672f55dd25669d36cdb0807e3711f706f74c1d3130e91489aae465d149091567
Instruction Fuzzy Hash: 73E065702007418BD3609FB9D8083427BE0FF04744F008A2DE989C7756DBB4E4848FA1

Function 00853017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0085302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00853044

Strings

aut, xrefs: 00853038

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3fa6ac1a815abe217484a396be4157b97fbac341092cab37f61dbefd50f8a4f6
Instruction ID: 596ad55de9f461afbc3984433084b46a14f7627968f8a3cbf785180a4ceace64
Opcode Fuzzy Hash: 3fa6ac1a815abe217484a396be4157b97fbac341092cab37f61dbefd50f8a4f6
Instruction Fuzzy Hash: 60D05B7250032467DB209794AC0DFC73B6CE705750F0001517655D3095DAB4DA84CBD0

Function 0083D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0083D220

Strings

%.3d, xrefs: 0083D22B
X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8cf63ae515b0bda19ceeb4b85249ca9c3edc32e88709b261f98399f465e4f417
Instruction ID: d83c047a5ce99f70f4516df436da25b642bd2746d87ae36647061865ee8c095a
Opcode Fuzzy Hash: 8cf63ae515b0bda19ceeb4b85249ca9c3edc32e88709b261f98399f465e4f417
Instruction Fuzzy Hash: B3D012A180820CE9CB9096E0EC498BBB37CFB48305F608452F906D2141DA38E54867A1

Function 00872322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0087233F

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Strings

Shell_TrayWnd, xrefs: 00872325

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4cf6f161bb6fab17bccfa724c002d7e5645463ef1386057ecffb3de8415be307
Instruction ID: 636a9ebc518c170e09123836ddee7a94579e15c30781855dd785472815660128
Opcode Fuzzy Hash: 4cf6f161bb6fab17bccfa724c002d7e5645463ef1386057ecffb3de8415be307
Instruction Fuzzy Hash: E0D0C936394310B6E6A4A7709C4FFC66A14BB10B10F004A1AB659EA1E8D9A4A8418A54

Function 00872356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087236C
PostMessageW.USER32(00000000), ref: 00872373

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Strings

Shell_TrayWnd, xrefs: 00872365

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 40d91a180a2ba07c811dc9ff746604255bb5bd4d5765e48fee496ceb185eccd5
Instruction ID: 48e7756b639d83a8ccc480d4782b9583b5b94361fe1c1b1dad8d8c049f932bc0
Opcode Fuzzy Hash: 40d91a180a2ba07c811dc9ff746604255bb5bd4d5765e48fee496ceb185eccd5
Instruction Fuzzy Hash: 5FD0C932391310BAE6A4A7709C4FFC66A14BB15B10F004A1AB659EA1E8D9A4A8418A54

Function 0081BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0081BE93
GetLastError.KERNEL32 ref: 0081BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0081BEFC

Memory Dump Source

Source File: 00000000.00000002.1302419637.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1302397051.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302485174.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302542974.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1302562903.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 333deabe872dad182cae0548f9369570af976bfe43851d98e51a14e075b96551
Instruction ID: ff391fd463b338164bdb0514158d17f9826f08924120bd24c39f27413479d056
Opcode Fuzzy Hash: 333deabe872dad182cae0548f9369570af976bfe43851d98e51a14e075b96551
Instruction Fuzzy Hash: 6341A235604206AFDB218FA9DC44AEA7BA9FF41320F244169F959D71E1DF308D82CB61

Analysis Process: firefox.exePID: 7916, Parent PID: 6464COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F8DBCA34B7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F8DBCA34DC

Memory Dump Source

Source File: 00000018.00000002.2507466717.000001F8DBCA0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F8DBCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1f8dbca0000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 105f1ada1c649a9015bcdd32513d1dfd48cd145701f57a77acf98c7766dc4875
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: A4A3DF31614A498BDB2DDF69DC857E977E5FB95304F08423EE94BC3291DF30EA428A81

Function 000001F8DBCAC542 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.2507466717.000001F8DBCAC000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F8DBCAC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1f8dbcac000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c13bd90e80e50607008e1c2f044e9c2951e83b42a65922e956abd66e1a1fb58
Instruction ID: 6bf38e07f1c47a0e7acfe564e2e10a88d2f958b1bf25ce99ffcbc86abb077bef
Opcode Fuzzy Hash: 4c13bd90e80e50607008e1c2f044e9c2951e83b42a65922e956abd66e1a1fb58
Instruction Fuzzy Hash: 7F21903150CB8C4FD746DF28C844B96BBE0FBAA310F1406AFE0CAC3292DA34D9458782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1431587451.00001B8315003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1431587451.00001B8315003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1344680931.0000028632796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1425646300.00000286352B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.0000028635285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1458110990.00000286352BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1453857794.000002862C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386755318.000002862C0A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1385083739.0000028631477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346483318.0000028630D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1332634070.0000028631465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1385083739.0000028631477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346483318.0000028630D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1332634070.0000028631465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1425646300.00000286352B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.0000028635285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1458110990.00000286352BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1452465818.00000286327D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1386755318.000002862C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1384545970.00000286327D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1346134138.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1450770331.0000028631034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1460521091.0000028631034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1385083739.0000028631477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346483318.0000028630D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1332634070.0000028631465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1385083739.0000028631477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1346483318.0000028630D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1332634070.0000028631465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2504187418.000001F8DB703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2504187418.000001F8DB703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2504187418.000001F8DB703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504483445.000001D45D40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1425646300.00000286352E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1447586574.00000286352E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1425646300.00000286352B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1458110990.000002863524F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431587451.00001B8315003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000003.1460751468.0000028630D41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1452465818.00000286327D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1458110990.000002863524F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1425646300.000002863522F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1431340688.000022D4B3503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000003.1441972422.00000286326A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1456163799.0000028629FC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1456163799.0000028629F55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49879 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d86e050-11a5-4a1b-8e72-1ca38f9723c3.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d86e050-11a5-4a1b-8e72-1ca38f9723c3.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre