Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1572087
MD5:	cd6fbd133b166f011ee0459dab795a09
SHA1:	8aeaa235e3210f51f69d2e582157a90dfdc4cbff
SHA256:	372b4cee4013a85a973aa26f426edcc974b88c34df77b867622ca294bda3a638
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CD6FBD133B166F011EE0459DAB795A09)

taskkill.exe (PID: 5772 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6892 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3960 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2356 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5948 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7104 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7012 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4256 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5260 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff868d4-e876-4eb3-90fc-8f920c308aec} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd4596e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7824 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3068 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d50ed7-ac4a-4dd8-8fac-bb1be5cc9d47} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd57beff10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7628 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5084 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f165d4fc-795c-42a0-aec5-4aaa0c03c649} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd5763c310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7116	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0027EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0027EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0027ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0027EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0026AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00299576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00299576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_320e9a9b-8
Source: file.exe, 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1bec8610-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9b7b2304-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6d6c5f20-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2CF2377 NtQuerySystemInformation,		23_2_000001DBB2CF2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2EF8072 NtQuerySystemInformation,		23_2_000001DBB2EF8072

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0026D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00261201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00261201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0026E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020BF40	0_2_0020BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00208060	0_2_00208060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00272046	0_2_00272046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00268298	0_2_00268298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023E4FF	0_2_0023E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023676B	0_2_0023676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00294873	0_2_00294873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022CAA0	0_2_0022CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020CAF0	0_2_0020CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021CC39	0_2_0021CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00236DD9	0_2_00236DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021B119	0_2_0021B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002091C0	0_2_002091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221394	0_2_00221394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221706	0_2_00221706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022781B	0_2_0022781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00207920	0_2_00207920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021997D	0_2_0021997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002219B0	0_2_002219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00227A4A	0_2_00227A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221C77	0_2_00221C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00227CA7	0_2_00227CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028BE44	0_2_0028BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00239EEE	0_2_00239EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221F32	0_2_00221F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2CF2377	23_2_000001DBB2CF2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2EF8072	23_2_000001DBB2EF8072
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2EF879C	23_2_000001DBB2EF879C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001DBB2EF80B2	23_2_000001DBB2EF80B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00209CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0021F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00220A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002737B5 GetLastError,FormatMessageW,

0_2_002737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002610BF AdjustTokenPrivileges,CloseHandle,		0_2_002610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0026D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0027648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff868d4-e876-4eb3-90fc-8f920c308aec} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd4596e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3068 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d50ed7-ac4a-4dd8-8fac-bb1be5cc9d47} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd57beff10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5084 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f165d4fc-795c-42a0-aec5-4aaa0c03c649} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd5763c310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff868d4-e876-4eb3-90fc-8f920c308aec} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd4596e910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3068 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d50ed7-ac4a-4dd8-8fac-bb1be5cc9d47} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd57beff10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5084 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f165d4fc-795c-42a0-aec5-4aaa0c03c649} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd5763c310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1377853958.000001DD530B3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379202224.000001DD530BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378490942.000001DD530B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1377853958.000001DD530B3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379202224.000001DD530BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378490942.000001DD530B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1375481192.000001DD60FAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1375481192.000001DD60FAA000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00220A76 push ecx; ret

0_2_00220A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0021F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00291C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00291C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96646

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_000001DBB2CF2377 rdtsc

23_2_000001DBB2CF2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0026DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023C2A2 FindFirstFileExW,	0_2_0023C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002768EE FindFirstFileW,FindClose,	0_2_002768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0027698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00279642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00279B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00275C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00275C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: firefox.exe, 00000019.00000002.2477514710.00000191E1800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: firefox.exe, 00000012.00000002.2475392837.000001E87778A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN
Source: firefox.exe, 00000012.00000002.2475392837.000001E87778A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.2481533890.000001E877C1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000017.00000002.2481861483.000001DBB34B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_MJ.
Source: file.exe, 00000000.00000003.1292045007.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1300279571.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1300102431.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWKU
Source: firefox.exe, 00000017.00000002.2475999289.000001DBB2C6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000012.00000002.2482376401.000001E877D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2481861483.000001DBB34B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000017.00000002.2481861483.000001DBB34B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllON
Source: firefox.exe, 00000019.00000002.2475171013.00000191E14EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp6

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_000001DBB2CF2377 rdtsc

23_2_000001DBB2CF2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027EAA2 BlockInput,

0_2_0027EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00232622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00224CE8 mov eax, dword ptr fs:[00000030h]

0_2_00224CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00260B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00260B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00232622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0022083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002209D5 SetUnhandledExceptionFilter,	0_2_002209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00220C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00220C21

Source: C:\Users\user\Desktop\file.exe

0_2_00261201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00242BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00242BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026B226 SendInput,keybd_event,

0_2_0026B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00260B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00261663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00261663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1345690989.000001DD60E95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00220698 cpuid

0_2_00220698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025D21C GetLocalTime,

0_2_0025D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025D27A GetUserNameW,

0_2_0025D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0023B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0023B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00281204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00281204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00281806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00281806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	25%	Virustotal		Browse
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
dualstack.reddit.map.fastly.net	151.101.193.140	true	false	high
youtube-ui.l.google.com	142.250.181.110	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000E.00000003.1329200218.000001DD575B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.1357813424.000001DD60C91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000019.00000002.2478092164.00000191E1ABA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.1439691342.000001DD5739B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1415288444.000001DD60967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1431700099.000001DD60967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1426303801.000001DD60967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463156966.000001DD60967000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1381584226.000001DD5D833000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000017.00000002.2478313808.000001DBB2F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464678453.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1359516600.000001DD5DE8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445274206.000001DD581AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1298621320.000001DD5DE5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1357813424.000001DD60C91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1435558496.000001DD5DE7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419207984.000001DD5DE72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359516600.000001DD5DE72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1270002601.000001DD55600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270143871.000001DD55822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270536292.000001DD55863000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270676152.000001DD55883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270351091.000001DD55842000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1420464538.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436184046.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359924609.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1438410857.000001DD5802D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1361692282.000001DD59361000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1320175022.000001DD5744D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1386061828.000001DD5744D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270143871.000001DD55822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270536292.000001DD55863000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270676152.000001DD55883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270351091.000001DD55842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1312666901.000001DD5744D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.1421575948.000001DD58E39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1270002601.000001DD55600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270143871.000001DD55822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270536292.000001DD55863000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1270351091.000001DD55842000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.1301747714.000001DD56E20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.1326556050.000001DD5D733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1367445474.000001DD582C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443096424.000001DD593BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361180609.000001DD593BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1429031023.000001DD57DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1444150717.000001DD582C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422769216.000001DD582C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1299213759.000001DD582C5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1445878578.000001DD57E96000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000E.00000003.1424221107.000001DD58071000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1438637881.000001DD57FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1319287013.000001DD57484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1320175022.000001DD57484000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1369255504.000001DD578F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464678453.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.1359168095.000001DD5F7B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1416981087.000001DD5F7AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=hte	firefox.exe, 00000017.00000002.2477765985.000001DBB2EE0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1420464538.000001DD5DCBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1329518110.000001DD5776E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1328947535.000001DD56020000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1359924609.000001DD5DC81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436184046.000001DD5DC81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420464538.000001DD5DC81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464678453.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1450455828.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428573226.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464210834.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438689672.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000019.00000002.2478092164.00000191E1ABA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1329200218.000001DD575B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1328947535.000001DD56020000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1310348220.000001DD57244000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1428573226.000001DD57F5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000E.00000003.1368503963.000001DD58059000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1420464538.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436184046.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359924609.000001DD5DC95000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1361692282.000001DD59351000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000012.00000002.2478425355.000001E877BE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481173903.00000191E1B03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.1359168095.000001DD5F7B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1416981087.000001DD5F7AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1357813424.000001DD60C91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464678453.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.1369840128.000001DD57853000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1361692282.000001DD59361000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.1441255397.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463546630.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.tsn.ca	firefox.exe, 0000000E.00000003.1377543262.000001DD570AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1381584226.000001DD5D818000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1368615198.000001DD57DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473992075.000001DD539F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1310348220.000001DD57244000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361976410.000001DD58DEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1368615198.000001DD57D95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1299213759.000001DD5820B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361976410.000001DD58DD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1465017755.000001DD57D95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412600059.000001DD572F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412800654.000001DD5755E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1320858668.000001DD57235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1319610514.000001DD57271000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1321754300.000001DD57558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1320175022.000001DD574A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1310348220.000001DD57271000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1320175022.000001DD574B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379354189.000001DD5911E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1318229226.000001DD5723B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1465017755.000001DD57DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1449710397.000001DD5908B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1421575948.000001DD58E39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1421575948.000001DD58E39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.1301747714.000001DD56E20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1361180609.000001DD593B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443096424.000001DD593B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1360829029.000001DD5D9A4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1360829029.000001DD5D9A4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.1441255397.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427589796.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463546630.000001DD5DE65000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1381584226.000001DD5D833000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1435558496.000001DD5DE7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419207984.000001DD5DE72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359516600.000001DD5DE72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1298621320.000001DD5DE7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.1327774837.000001DD5815B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1271657975.000001DD53933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1273048827.000001DD53933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1372404338.000001DD53928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461533577.000001DD5392B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1272748237.000001DD53928000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1329200218.000001DD575B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1369681086.000001DD57872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1429980573.000001DD57872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1446947805.000001DD57875000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1326556050.000001DD5D78C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1329437627.000001DD56036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1329518110.000001DD5776E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1328947535.000001DD56020000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1271657975.000001DD53933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1273048827.000001DD53933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1372404338.000001DD53928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461533577.000001DD5392B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1272748237.000001DD53928000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1450455828.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428573226.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464210834.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438689672.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1442387750.000001DD5DA75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1326251586.000001DD5D9BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2477665465.000001E877990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2476461762.000001DBB2CA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2476836172.00000191E15E0000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572087
Start date and time:	2024-12-10 04:31:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 48 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 35.85.93.176, 54.200.77.17, 172.217.17.74, 172.217.17.42, 172.217.17.46, 88.221.134.155, 88.221.134.209, 184.30.17.174, 13.107.246.63, 20.109.210.53, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:32:11	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://www.google.com.hk/url?q=KWUZMS42J831JSWOSF4KEIP36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fjvsimmigration.com/c/efcfa9e5f8b2f41713ea899643a31954/YnJ1Y2VwQGxlc21hbi5jb20=	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	48.112.89.152
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	33.169.72.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	56.91.232.92
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	34.175.64.213
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	33.152.224.98
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	57.49.43.41
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	34.190.116.127
ATGS-MMD-ASUS	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	48.112.89.152
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	33.169.72.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	56.91.232.92
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	34.175.64.213
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	33.152.224.98
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	57.49.43.41
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	34.190.116.127

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2baf1c1-67a3-4dbf-b204-8d4bc03195f7.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.172819554640786
Encrypted:	false
SSDEEP:	192:qMvMXUWJcbhbVbTbfbRbObtbyEl7n4rZJA6unSrDtTkd/S95:qFpcNhnzFSJYr01nSrDhkd/c5
MD5:	1D7BC5C04FD2CEECF04BDA543BD80AEB
SHA1:	7B291379CB8DE3181BD4CE18FE56D78D908EF25A
SHA-256:	6A02ED96895E1B4DE8467A613F21F8219476A52579BE4F3437118E87F0D32C44
SHA-512:	350F53B32FFA21978DE4AE5C6EEA466465111E6AC609769D468A56D46591CC1F6DB695EA76D287B86D0B8CEDA74D04C0B5988782BEDA6E7121485E29452BBB80
Malicious:	false
Preview:	{"type":"uninstall","id":"d2baf1c1-67a3-4dbf-b204-8d4bc03195f7","creationDate":"2024-12-10T04:33:14.632Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2baf1c1-67a3-4dbf-b204-8d4bc03195f7.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.172819554640786
Encrypted:	false
SSDEEP:	192:qMvMXUWJcbhbVbTbfbRbObtbyEl7n4rZJA6unSrDtTkd/S95:qFpcNhnzFSJYr01nSrDhkd/c5
MD5:	1D7BC5C04FD2CEECF04BDA543BD80AEB
SHA1:	7B291379CB8DE3181BD4CE18FE56D78D908EF25A
SHA-256:	6A02ED96895E1B4DE8467A613F21F8219476A52579BE4F3437118E87F0D32C44
SHA-512:	350F53B32FFA21978DE4AE5C6EEA466465111E6AC609769D468A56D46591CC1F6DB695EA76D287B86D0B8CEDA74D04C0B5988782BEDA6E7121485E29452BBB80
Malicious:	false
Preview:	{"type":"uninstall","id":"d2baf1c1-67a3-4dbf-b204-8d4bc03195f7","creationDate":"2024-12-10T04:33:14.632Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.938053087715893
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLYl48P:8S+Oc+UAOdwiOdKeQjDLYl48P
MD5:	D291A51A1F4A83D7A76759190F3D1607
SHA1:	70B359815D4B1FDFDF31E32E396AAE274A6FEEFE
SHA-256:	02353D2FD3C24B72C337585C5AD15653DECF5212E1B4AD592B8CF4C5B9032BDE
SHA-512:	389B97641140689CFAD74AB8566160F4D1D596B4C41D4669B6D5DB48901FF1C3BA3CF737D72C1B93146FFAA10885070B4A6649F6DB9F293B69627A34B7B37401
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.938053087715893
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLYl48P:8S+Oc+UAOdwiOdKeQjDLYl48P
MD5:	D291A51A1F4A83D7A76759190F3D1607
SHA1:	70B359815D4B1FDFDF31E32E396AAE274A6FEEFE
SHA-256:	02353D2FD3C24B72C337585C5AD15653DECF5212E1B4AD592B8CF4C5B9032BDE
SHA-512:	389B97641140689CFAD74AB8566160F4D1D596B4C41D4669B6D5DB48901FF1C3BA3CF737D72C1B93146FFAA10885070B4A6649F6DB9F293B69627A34B7B37401
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkie:DLhesh7Owd4+ji
MD5:	AF640001328E3E611A0E1C1C0A350038
SHA1:	FC693E5EC711F67FD43D61A84AD0D4C7A086D9D4
SHA-256:	5773A61477AEFBFF498F57404EF78898393EE8D757684B1FFBFC9C03156D7B97
SHA-512:	DA98D7F47B5AE69E640F7CC987A0D09B9B536AF58891E45B8114E18B16716297A71EFE481BB426DA7BF680DEB5B561FA7423CDD3A60EFFA91215220E7897E8AA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFiTc9Q1qJPottlstFiTc9Q1qJX//J89//alEl:GtWtgQSk4tWtgQS8/x89XuM
MD5:	763DB716A5442D2B59B4D2E7192E15F5
SHA1:	090F1E85187A71047C02295D1B282465E5D5AA80
SHA-256:	549F01D90C6910206440C8D065CCB0E73983DA4249BAD07838DE6539B5AC8F5C
SHA-512:	B800CDB2E67C64727423413F16161228009160CE29410D0377A00CC1A477B05CB8BE1C96D39EF2BB390489D959D4C1139549CDF67BD1626B6C67D6BE37622F66
Malicious:	false
Preview:	..-.....................5&.k.<..K....`.....].H..-.....................5&.k.<..K....`.....].H........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039859322236019214
Encrypted:	false
SSDEEP:	3:Ol1r96nI6DCfyAKeMGUtl8rEXsxdwhml8XW3R2:Kb6nHbeMJtl8dMhm93w
MD5:	CF2FA27AA99B3EA67E276796A144A7CC
SHA1:	108B122E1C888E1B3BFE80F2340C944D907A7807
SHA-256:	41226028A4291E6B45DFBE3F6A35AD718B8903D196A40C02271ADF487EDF1227
SHA-512:	66EAC4D34DA5A094B729571BE3E6453E26A0512C3F042E1F8B37B18EF0439544EE15738D255E67718254A818638260E1DE0C4B207E73E38885C47F29B03222AF
Malicious:	false
Preview:	7....-............K....`.....vX...........K....`..&5<.k.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478368927876207
Encrypted:	false
SSDEEP:	192:lBnSRkyYbBp6uqUCaXd6VdfNUb5RHNBw8d3nSl:iehqUcbVyPwM0
MD5:	96A4E881651EC4E63B4529678A27A46F
SHA1:	F55DE930CF363421EE28DA9B7F0CC1791800BFA2
SHA-256:	5A013DD5B76C8438E669F87804216E6A9D688E6E28F75D13486BDAA438F61EF5
SHA-512:	F192E7D65F26498177AED7EB081E27B0F57616D52047691016B4CB9666220B641C8512183E8C17B46AB1ED344FA13F5C77BD7C50F93577323F34E88B0D3E615C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1733805165);..user_pref("app.update.lastUpdateTime.background-update-timer", 1733805165);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1733805165);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173380

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478368927876207
Encrypted:	false
SSDEEP:	192:lBnSRkyYbBp6uqUCaXd6VdfNUb5RHNBw8d3nSl:iehqUcbVyPwM0
MD5:	96A4E881651EC4E63B4529678A27A46F
SHA1:	F55DE930CF363421EE28DA9B7F0CC1791800BFA2
SHA-256:	5A013DD5B76C8438E669F87804216E6A9D688E6E28F75D13486BDAA438F61EF5
SHA-512:	F192E7D65F26498177AED7EB081E27B0F57616D52047691016B4CB9666220B641C8512183E8C17B46AB1ED344FA13F5C77BD7C50F93577323F34E88B0D3E615C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1733805165);..user_pref("app.update.lastUpdateTime.background-update-timer", 1733805165);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1733805165);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173380

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.33406004427707
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgVNl/pnxQwRlszT5sAi0yU3eHVVPNZT/amhuj3pOOcUb2miI:GUpOxNd9nR6mU3etZT/45edMd
MD5:	1461D18F3526625CD71656B04AEFA386
SHA1:	AE0266EB4605F242F74B0DD9A00DDED087C947F6
SHA-256:	DE43907D1FCD4240A7B13FE5FF9ED119D4F27B697DF777F429FF0C44510BDD6F
SHA-512:	E2AD91A677A88BCA0F3B81FDFB1CA556020E584D097A25410C8D42FA7DB35F49F2C3D10F68748A15C1AFD343559953F4030B847D8CDC7056D568803DA9EFF788
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{371b3df3-8241-4d07-9c70-e4ba7d50e53c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1733805168280,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e6..2ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P34334...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39410,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.33406004427707
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgVNl/pnxQwRlszT5sAi0yU3eHVVPNZT/amhuj3pOOcUb2miI:GUpOxNd9nR6mU3etZT/45edMd
MD5:	1461D18F3526625CD71656B04AEFA386
SHA1:	AE0266EB4605F242F74B0DD9A00DDED087C947F6
SHA-256:	DE43907D1FCD4240A7B13FE5FF9ED119D4F27B697DF777F429FF0C44510BDD6F
SHA-512:	E2AD91A677A88BCA0F3B81FDFB1CA556020E584D097A25410C8D42FA7DB35F49F2C3D10F68748A15C1AFD343559953F4030B847D8CDC7056D568803DA9EFF788
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{371b3df3-8241-4d07-9c70-e4ba7d50e53c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1733805168280,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e6..2ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P34334...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39410,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.33406004427707
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMLXnIgVNl/pnxQwRlszT5sAi0yU3eHVVPNZT/amhuj3pOOcUb2miI:GUpOxNd9nR6mU3etZT/45edMd
MD5:	1461D18F3526625CD71656B04AEFA386
SHA1:	AE0266EB4605F242F74B0DD9A00DDED087C947F6
SHA-256:	DE43907D1FCD4240A7B13FE5FF9ED119D4F27B697DF777F429FF0C44510BDD6F
SHA-512:	E2AD91A677A88BCA0F3B81FDFB1CA556020E584D097A25410C8D42FA7DB35F49F2C3D10F68748A15C1AFD343559953F4030B847D8CDC7056D568803DA9EFF788
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{371b3df3-8241-4d07-9c70-e4ba7d50e53c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1733805168280,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e6..2ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P34334...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39410,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036135473664196
Encrypted:	false
SSDEEP:	48:YrSAY4eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yc4+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	418295534B66A94C90D965477C53C46D
SHA1:	46F0C0A394470274705F291CCA11A21E98A16214
SHA-256:	3AE2BB7B9D20B7334EED4267B850C978072F8F6D34C908A1AB4EA2D0DD7E4656
SHA-512:	58179D6177A99CB7CDB13CC46AC2E05E68389559BF9AC800DE5DD740862DAAF4352EF8FAC4E05747EE4EB53CEA8630FC1931D8B88A5B6ACF361D512B7177BB36
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-10T04:32:28.277Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036135473664196
Encrypted:	false
SSDEEP:	48:YrSAY4eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yc4+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	418295534B66A94C90D965477C53C46D
SHA1:	46F0C0A394470274705F291CCA11A21E98A16214
SHA-256:	3AE2BB7B9D20B7334EED4267B850C978072F8F6D34C908A1AB4EA2D0DD7E4656
SHA-512:	58179D6177A99CB7CDB13CC46AC2E05E68389559BF9AC800DE5DD740862DAAF4352EF8FAC4E05747EE4EB53CEA8630FC1931D8B88A5B6ACF361D512B7177BB36
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-10T04:32:28.277Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.698584631681327
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	968'192 bytes
MD5:	cd6fbd133b166f011ee0459dab795a09
SHA1:	8aeaa235e3210f51f69d2e582157a90dfdc4cbff
SHA256:	372b4cee4013a85a973aa26f426edcc974b88c34df77b867622ca294bda3a638
SHA512:	2b62c881a7306fe5c718e081a7be0c1a7ecc3c1d3d7fddac41c93919b95e08232e32bb736c148cc41d2280ead149810d31729ca505a4dab6118cc34466dfbfcb
SSDEEP:	24576:wqDEvCTbMWu7rQYlBQcBiT6rprG8aZFT/:wTvC/MTQYxsWR7aZt
TLSH:	75259E027391C062FF9B92334B5AF6515BBC79260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757B517 [Tue Dec 10 03:27:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F30C451B373h
jmp 00007F30C451AC7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F30C451AE5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F30C451AE2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F30C451DA1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F30C451DA68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F30C451DA51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x15ae4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x15ae4	0x15c00	76cde660b0f2822643e940febebb874a	False	0.6943696120689655	data	7.1425327228335656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xcc66	data			1.0004968849138096
RT_GROUP_ICON	0xe9564	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe95dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe95f0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9604	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9618	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe96f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 04:32:09.787007093 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.787045002 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:09.787331104 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.787367105 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:09.789366007 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.789609909 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.795979023 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.795990944 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:09.799916029 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:09.799933910 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:09.812683105 CET	49708	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:09.931951046 CET	80	49708	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:09.932017088 CET	49708	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:09.932145119 CET	49708	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:10.051317930 CET	80	49708	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:10.388869047 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:10.388911963 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:10.389600039 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.389606953 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:10.390774012 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.390790939 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:10.391624928 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:10.391645908 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:10.400674105 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:10.400804996 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.400808096 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.400836945 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:10.400849104 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:10.400852919 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:10.402250051 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.402257919 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:10.403354883 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:10.403367996 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:10.404593945 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:10.404608965 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:11.019855022 CET	80	49708	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:11.024321079 CET	49708	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:11.143884897 CET	80	49708	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:11.144123077 CET	49708	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:11.317962885 CET	49713	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:11.368370056 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:11.368419886 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:11.368519068 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:11.370848894 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:11.370862007 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:11.437367916 CET	80	49713	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:11.438894987 CET	49713	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:11.439179897 CET	49713	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:11.491508961 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.491632938 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.492404938 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.492584944 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.494864941 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.495775938 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.495898962 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.496336937 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.501565933 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.501576900 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.501703024 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.501770020 CET	443	49707	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.502526999 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.502537966 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.502604008 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.502777100 CET	443	49706	142.250.181.78	192.168.2.7
Dec 10, 2024 04:32:11.502934933 CET	49706	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.502934933 CET	49707	443	192.168.2.7	142.250.181.78
Dec 10, 2024 04:32:11.558468103 CET	80	49713	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:11.615402937 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:11.615420103 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:11.617841959 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:11.617858887 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:11.621632099 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.621676922 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.623282909 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.623346090 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:11.623368025 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.624293089 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.624304056 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.626733065 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.626744032 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:11.627008915 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:11.632364035 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.632442951 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.632505894 CET	443	49709	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:11.632802963 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:11.632817030 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:11.632873058 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:11.632958889 CET	443	49712	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:11.643691063 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.643691063 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.649240017 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.649255037 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.649338961 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.649482965 CET	443	49710	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.649684906 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.649734020 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.650019884 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.650037050 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.650068998 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.650276899 CET	443	49711	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.663851976 CET	49709	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:11.663979053 CET	49710	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.663984060 CET	49712	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:11.663997889 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.668582916 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:11.668596983 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:11.670089960 CET	49711	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:12.149418116 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:12.268646955 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:12.268759966 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:12.268920898 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:12.388096094 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:12.525093079 CET	80	49713	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:12.526161909 CET	49713	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:12.588916063 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:12.588990927 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:12.592288017 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:12.592303991 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:12.592571020 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:12.594785929 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:12.594861031 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:12.594961882 CET	443	49714	34.160.144.191	192.168.2.7
Dec 10, 2024 04:32:12.601136923 CET	49714	443	192.168.2.7	34.160.144.191
Dec 10, 2024 04:32:12.645948887 CET	80	49713	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:12.646028996 CET	49713	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:12.884948015 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:12.884963036 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:12.885023117 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:12.889982939 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:12.889993906 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:12.890084982 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:12.890162945 CET	443	49716	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:12.890358925 CET	49716	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:13.054260015 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:13.054306984 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:13.055409908 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:13.056786060 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:13.056803942 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:13.106317997 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:13.106358051 CET	443	49720	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:13.110563040 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:13.111953020 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:13.111964941 CET	443	49720	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:13.362489939 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:13.421823025 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:13.421888113 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:13.422185898 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:13.422307014 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:13.422314882 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:13.427012920 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:13.456749916 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:13.456792116 CET	443	49722	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:13.456979990 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:13.458512068 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:13.458528042 CET	443	49722	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:13.519932032 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:13.519964933 CET	443	49723	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:13.520116091 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:13.521517038 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:13.521533012 CET	443	49723	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:13.585349083 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:13.704571962 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:13.705013037 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:13.705203056 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:13.824417114 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:14.274883032 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:14.287343025 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:14.290498018 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:14.328314066 CET	443	49720	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:14.346090078 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:14.515196085 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:14.515217066 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:14.515280962 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:14.515383005 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:14.515399933 CET	443	49720	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:14.515458107 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:14.515516043 CET	443	49719	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:14.515640020 CET	49719	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:14.515667915 CET	443	49720	34.117.188.166	192.168.2.7
Dec 10, 2024 04:32:14.515743971 CET	49720	443	192.168.2.7	34.117.188.166
Dec 10, 2024 04:32:14.631968975 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:14.632050991 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:14.634665012 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:14.634674072 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:14.634919882 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:14.637377024 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:14.637454033 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:14.637536049 CET	443	49721	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:14.637599945 CET	49721	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:14.671996117 CET	443	49722	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:14.672113895 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:14.676358938 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:14.676371098 CET	443	49722	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:14.676440954 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:14.676533937 CET	443	49722	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:14.676644087 CET	49722	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:14.735671997 CET	443	49723	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:14.735748053 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:14.791850090 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:14.809202909 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:14.809227943 CET	443	49723	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:14.809288979 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:14.809494972 CET	443	49723	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:14.809551954 CET	49723	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:14.846498013 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:17.272762060 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:17.392050028 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:17.586901903 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:17.629828930 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:20.759268045 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:20.759305954 CET	443	49739	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:20.759622097 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:20.761116028 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:20.761133909 CET	443	49739	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:20.832235098 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:20.862328053 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:20.862368107 CET	443	49740	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:20.863709927 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:20.865175962 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:20.865191936 CET	443	49740	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:20.951455116 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:21.028287888 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:21.028326988 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:21.028443098 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:21.028675079 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:21.028691053 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:21.125893116 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:21.125935078 CET	443	49743	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:21.126003027 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:21.127374887 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:21.127383947 CET	443	49743	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:21.148940086 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:21.204900980 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:21.970573902 CET	443	49739	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:21.970671892 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:22.022898912 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:22.076970100 CET	443	49740	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.077852011 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.237962961 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.238097906 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.338557005 CET	443	49743	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:22.338637114 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:22.717251062 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.717276096 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.717596054 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.723582983 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:22.723597050 CET	443	49739	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:22.723814011 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:22.723829031 CET	443	49739	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:22.723977089 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.723989964 CET	443	49740	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.724028111 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.724189997 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.724219084 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.724239111 CET	443	49740	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.724503994 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.724509954 CET	443	49742	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.724982977 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.725528002 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.725590944 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.726392031 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:22.726407051 CET	443	49743	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:22.726445913 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:22.726588964 CET	443	49743	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:22.731188059 CET	49739	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:22.731235981 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.731235981 CET	49740	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.731264114 CET	49742	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.731311083 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.731555939 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:22.731575012 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:22.732048988 CET	49743	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:23.324387074 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:23.325535059 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:23.325586081 CET	443	49752	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:23.326613903 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:23.328203917 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:23.328233004 CET	443	49752	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:23.443722963 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:23.639147043 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:23.690237045 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:23.949101925 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:23.949184895 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:24.252440929 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:24.252480984 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:24.252707005 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:24.252880096 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:24.313965082 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:24.372056007 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:24.537966013 CET	443	49752	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:24.538037062 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:24.567056894 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:24.614861012 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:25.183486938 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:25.183571100 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:25.183805943 CET	443	49750	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:25.186602116 CET	49750	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:25.327848911 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.327887058 CET	443	49752	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.327925920 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.328174114 CET	443	49752	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.328438044 CET	49752	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.330213070 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:25.343183041 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.343249083 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.343391895 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.343434095 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.344167948 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.344204903 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.344429016 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.344445944 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.344544888 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.344559908 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.344825983 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.344846964 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.346106052 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.346196890 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.346211910 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.348953009 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.348989964 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.351839066 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.352087021 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.352097988 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.356086016 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.356116056 CET	443	49762	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.357065916 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.358499050 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:25.358511925 CET	443	49762	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:25.449460983 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:25.644382954 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:25.647139072 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:25.696017027 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:25.766486883 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:25.961810112 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:26.019059896 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:26.562829018 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.562834978 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.562938929 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.563087940 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.563255072 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.563371897 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.563396931 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.563765049 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.566500902 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.566510916 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.566759109 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.569022894 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.569044113 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.569340944 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.569643021 CET	443	49762	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.571326971 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.571347952 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.571521997 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.571609974 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.573613882 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.573633909 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.573854923 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.579283953 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.579462051 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.579684019 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.579696894 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.579761028 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.579945087 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.579955101 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.579967022 CET	443	49758	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.580315113 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.580373049 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.580471039 CET	443	49759	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.580977917 CET	49759	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.580995083 CET	49758	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.620829105 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.728493929 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.728598118 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.728833914 CET	443	49761	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.730611086 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:26.731415033 CET	49761	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.731794119 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.731813908 CET	443	49762	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.731921911 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.732064962 CET	443	49762	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.733120918 CET	49762	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.787339926 CET	443	49760	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.787417889 CET	49760	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.849824905 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:26.854132891 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.854193926 CET	443	49768	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:26.855561972 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.857094049 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:26.857108116 CET	443	49768	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:27.044904947 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:27.047835112 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:27.100143909 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:27.167105913 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:27.362790108 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:27.423223972 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:28.066647053 CET	443	49768	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:28.066726923 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.070713997 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.070736885 CET	443	49768	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:28.070796967 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.070893049 CET	443	49768	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:28.070943117 CET	49768	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.074039936 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:28.076117039 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.076162100 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:28.076342106 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.077512026 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:28.077524900 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:28.193293095 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:28.388650894 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:28.392174006 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:28.441694975 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:28.511596918 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:28.709100008 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:28.758291006 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:29.392065048 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:29.392191887 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:29.396491051 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:29.396501064 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:29.396668911 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:29.396699905 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:29.396708012 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:29.400055885 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:29.603339911 CET	443	49774	34.120.208.123	192.168.2.7
Dec 10, 2024 04:32:29.603599072 CET	49774	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:32:29.627980947 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:29.724029064 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:29.728765011 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:29.777163029 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:29.848146915 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:30.043586969 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:30.093441010 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:33.677886009 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:33.677958965 CET	443	49785	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:33.678029060 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:33.679445982 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:33.679471016 CET	443	49785	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:34.891562939 CET	443	49785	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:34.891781092 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:34.901170015 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:34.901187897 CET	443	49785	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:34.901261091 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:34.901329994 CET	443	49785	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:34.901534081 CET	49785	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:34.903718948 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:35.023005962 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:35.218718052 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:35.222299099 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:35.261609077 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:35.341551065 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:35.536611080 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:35.578176022 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:37.446238995 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:37.446273088 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:37.446569920 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:37.446577072 CET	443	49797	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:37.449338913 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:37.449491024 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:37.449491024 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:37.449521065 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:37.450949907 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:37.450968027 CET	443	49797	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:37.569238901 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:37.569288969 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:37.569430113 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:37.569575071 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:37.569588900 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:37.678047895 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:37.678093910 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:37.678241968 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:37.678358078 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:37.678371906 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:37.761816978 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:37.761866093 CET	443	49800	35.201.103.21	192.168.2.7
Dec 10, 2024 04:32:37.762084961 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:37.763438940 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:37.763452053 CET	443	49800	35.201.103.21	192.168.2.7
Dec 10, 2024 04:32:38.659301996 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.659410954 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.660516977 CET	443	49797	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:38.660881996 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:38.662725925 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.662733078 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.662976027 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.667148113 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.667238951 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.667288065 CET	443	49796	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.667526960 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:38.667532921 CET	443	49797	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:38.667582035 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:38.667690992 CET	443	49797	35.190.72.216	192.168.2.7
Dec 10, 2024 04:32:38.667778015 CET	49796	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.667778015 CET	49797	443	192.168.2.7	35.190.72.216
Dec 10, 2024 04:32:38.670706987 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:38.779592991 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:38.787333965 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:38.789975882 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:38.794713020 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:38.798264980 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:38.798280001 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:38.798511028 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:38.801095963 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:38.801192999 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:38.801229954 CET	443	49798	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:38.801389933 CET	49798	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:38.922127008 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:38.922205925 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:38.925151110 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:38.925162077 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:38.925401926 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:38.928163052 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:38.928245068 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:38.928287983 CET	443	49799	151.101.193.91	192.168.2.7
Dec 10, 2024 04:32:38.934856892 CET	49799	443	192.168.2.7	151.101.193.91
Dec 10, 2024 04:32:38.977165937 CET	443	49800	35.201.103.21	192.168.2.7
Dec 10, 2024 04:32:38.977278948 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:38.981252909 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:38.981266022 CET	443	49800	35.201.103.21	192.168.2.7
Dec 10, 2024 04:32:38.981396914 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:38.981417894 CET	443	49800	35.201.103.21	192.168.2.7
Dec 10, 2024 04:32:38.981690884 CET	49800	443	192.168.2.7	35.201.103.21
Dec 10, 2024 04:32:38.984795094 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:38.985101938 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.985165119 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.985251904 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.985440969 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:38.985472918 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:38.988048077 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:39.028295994 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:39.107278109 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:39.302330017 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:39.328192949 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328237057 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.328423023 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328473091 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.328548908 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328581095 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.328641891 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328721046 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328768015 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328782082 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.328821898 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328906059 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.328918934 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.329035044 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:39.329046011 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:39.344794035 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:40.194525957 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:40.194608927 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:40.201525927 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:40.201540947 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:40.201778889 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:40.204345942 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:40.204440117 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:40.204493999 CET	443	49806	34.149.100.209	192.168.2.7
Dec 10, 2024 04:32:40.205739021 CET	49806	443	192.168.2.7	34.149.100.209
Dec 10, 2024 04:32:40.207516909 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:40.400141954 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.570995092 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.574271917 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:40.579523087 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.579694986 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.580049038 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.580435038 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.582381010 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.582386017 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.582393885 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.582420111 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.582679033 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.584599018 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.584604979 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.584898949 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.586456060 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.586462975 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.586711884 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.590162039 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.590162039 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.590308905 CET	443	49807	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.590446949 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.590446949 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.590585947 CET	443	49809	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.591140985 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.591140985 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.591291904 CET	443	49808	35.244.181.201	192.168.2.7
Dec 10, 2024 04:32:40.592087984 CET	49807	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.592106104 CET	49808	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.592117071 CET	49809	443	192.168.2.7	35.244.181.201
Dec 10, 2024 04:32:40.595741034 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:40.693484068 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.714920044 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.888379097 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.910026073 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:40.913460016 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:40.964984894 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:41.032706022 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:41.228173971 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:41.281701088 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:50.922338963 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:51.041599035 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:51.238886118 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:51.358118057 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:55.201864004 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:55.201904058 CET	443	49846	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:55.202465057 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:55.203835964 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:55.203850031 CET	443	49846	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:56.413928986 CET	443	49846	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:56.414055109 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:56.418513060 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:56.418523073 CET	443	49846	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:56.418601036 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:56.418687105 CET	443	49846	34.107.243.93	192.168.2.7
Dec 10, 2024 04:32:56.419220924 CET	49846	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:32:56.421180964 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:56.540414095 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:56.735620022 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:56.738949060 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:56.777371883 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:32:56.858393908 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:57.053297043 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:32:57.093959093 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:06.736675024 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:06.855936050 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:07.075468063 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:07.194716930 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:07.215054989 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215081930 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215223074 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215264082 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215342045 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215348959 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215466022 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215523005 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215573072 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215617895 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215704918 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215713978 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.215818882 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215843916 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215847015 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215848923 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215854883 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.215854883 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216015100 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216028929 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.216149092 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216164112 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.216211081 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216237068 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.216298103 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216306925 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.216367006 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216382027 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:07.216459036 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:07.216471910 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.426063061 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.426225901 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.426949978 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.427048922 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.427493095 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.427560091 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.428000927 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.428067923 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.428070068 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.428131104 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.428504944 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.428586006 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.429776907 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.429791927 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.430037022 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.432271957 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.432282925 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.432524920 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.434376955 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.434381008 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.434632063 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.436532021 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.436549902 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.436777115 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.438817978 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.438833952 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.439048052 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.440999031 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.441009998 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.441231966 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.447365046 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.447535992 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.447757006 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448203087 CET	49877	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448224068 CET	443	49877	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448596954 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448612928 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448643923 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448740005 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448745966 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448756933 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448878050 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448884964 CET	443	49875	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448939085 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448951960 CET	443	49876	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.448985100 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.448988914 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.449089050 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.449207067 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.449213028 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.449218988 CET	443	49874	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.449605942 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.449649096 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.449768066 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.449809074 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.453303099 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.453387976 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.453450918 CET	443	49873	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.454718113 CET	49876	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.454766035 CET	49875	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.454766989 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.454767942 CET	49874	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.454902887 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.454916000 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.455482006 CET	49873	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.455512047 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.455688000 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.455702066 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.456875086 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:08.576080084 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:08.655345917 CET	443	49878	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:08.655441999 CET	49878	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:08.771600962 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:08.775417089 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:08.827330112 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:08.894669056 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:09.090605021 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:09.143503904 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:09.675529957 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.675544024 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.675615072 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.675832987 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.678626060 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.678637981 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.678930044 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.680939913 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.680952072 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.681199074 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.683743000 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.683852911 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.683924913 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.683936119 CET	443	49884	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.683993101 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.684066057 CET	443	49885	34.120.208.123	192.168.2.7
Dec 10, 2024 04:33:09.684108019 CET	49884	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.685261965 CET	49885	443	192.168.2.7	34.120.208.123
Dec 10, 2024 04:33:09.686671019 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:09.808037043 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:10.000930071 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:10.003890038 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:10.046118021 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:10.123109102 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:10.318557978 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:10.384780884 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:20.011365891 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:20.130939960 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:20.327498913 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:20.446944952 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:30.137044907 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:30.256247997 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:30.454864025 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:30.574085951 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:36.437271118 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:36.437328100 CET	443	49949	34.107.243.93	192.168.2.7
Dec 10, 2024 04:33:36.437596083 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:36.438915014 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:36.438927889 CET	443	49949	34.107.243.93	192.168.2.7
Dec 10, 2024 04:33:37.649909019 CET	443	49949	34.107.243.93	192.168.2.7
Dec 10, 2024 04:33:37.650115967 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:37.655083895 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:37.655098915 CET	443	49949	34.107.243.93	192.168.2.7
Dec 10, 2024 04:33:37.655210972 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:37.655253887 CET	443	49949	34.107.243.93	192.168.2.7
Dec 10, 2024 04:33:37.655417919 CET	49949	443	192.168.2.7	34.107.243.93
Dec 10, 2024 04:33:37.657691956 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:37.777091026 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:37.972162008 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:37.975513935 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:38.014008999 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:38.095071077 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:38.290182114 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:38.352560043 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:47.978883982 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:48.098248959 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:48.311002016 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:48.430255890 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:58.107934952 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:58.228323936 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:33:58.440046072 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:33:58.559365034 CET	80	49724	34.107.221.82	192.168.2.7
Dec 10, 2024 04:34:08.239892006 CET	49718	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:34:08.359229088 CET	80	49718	34.107.221.82	192.168.2.7
Dec 10, 2024 04:34:08.578526020 CET	49724	80	192.168.2.7	34.107.221.82
Dec 10, 2024 04:34:08.697788000 CET	80	49724	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 04:32:09.644917965 CET	58202	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.652417898 CET	63201	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.782480001 CET	53	58202	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:09.787908077 CET	59991	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.812908888 CET	53277	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.924487114 CET	53	59991	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:09.925107956 CET	61080	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.953830004 CET	53	53277	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:09.954673052 CET	52907	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:09.993031025 CET	52105	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.063698053 CET	53	61080	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.073628902 CET	51444	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.091387987 CET	53	52907	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.129719019 CET	53	52105	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.212688923 CET	53	51444	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.390463114 CET	63280	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.391251087 CET	56961	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.391916990 CET	59811	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.527165890 CET	53	63280	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.527934074 CET	50284	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.529851913 CET	53	59811	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.530404091 CET	57998	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.622107029 CET	53	56961	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.622807980 CET	51990	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.664717913 CET	53	50284	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.667323112 CET	53	57998	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.718595028 CET	58575	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:10.759871960 CET	53	51990	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:10.802803993 CET	61044	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.020694017 CET	59310	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.042431116 CET	50849	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.106594086 CET	53	61044	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.107949018 CET	58047	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.177484035 CET	59451	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.179254055 CET	53	50849	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.179646015 CET	49245	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.314436913 CET	53	59451	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.335992098 CET	53	58047	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.362071991 CET	53	58575	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.368438959 CET	60269	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.505600929 CET	53	60269	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.507359982 CET	61107	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:11.645487070 CET	53	61107	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:11.909018040 CET	53	59030	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:12.508774996 CET	59782	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:12.646301031 CET	53	59782	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:12.647610903 CET	57616	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:12.785209894 CET	53	57616	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:12.785855055 CET	58128	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:12.922825098 CET	53	58128	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:13.291134119 CET	59075	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:13.428136110 CET	53	59075	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:13.456926107 CET	50368	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:13.520045996 CET	57976	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:13.593684912 CET	53	50368	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:13.619576931 CET	53472	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:13.656727076 CET	53	57976	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:13.682780027 CET	57117	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:13.756405115 CET	53	53472	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:13.820329905 CET	53	57117	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:16.047084093 CET	56529	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:16.475233078 CET	53	56529	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:17.270272017 CET	51170	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:17.660051107 CET	53	51170	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:17.660787106 CET	51268	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:17.798959017 CET	53	51268	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:20.760243893 CET	50013	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:20.806086063 CET	57194	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:20.807145119 CET	51828	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:20.896857977 CET	53	50013	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:20.897542000 CET	55115	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:20.942850113 CET	53	57194	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:20.943969965 CET	64167	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:20.944298983 CET	53	51828	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:20.944849968 CET	55856	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.034377098 CET	53	55115	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.035109997 CET	50238	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.080893993 CET	53	64167	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.081645966 CET	62409	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.081691027 CET	53	55856	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.082288027 CET	53171	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.219167948 CET	53	53171	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.219928026 CET	64955	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.220699072 CET	53	62409	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.223865032 CET	62532	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.232006073 CET	53	50238	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.232502937 CET	52182	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.357078075 CET	53	64955	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.357949972 CET	51659	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.360575914 CET	53	62532	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.361119986 CET	50559	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.445954084 CET	53	52182	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.497652054 CET	53	50559	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.499351025 CET	53055	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.565721989 CET	53	51659	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.566381931 CET	55255	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.635977983 CET	53	53055	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.637077093 CET	50355	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:21.776921988 CET	53	50355	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:21.782757998 CET	53	55255	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:26.854847908 CET	55530	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:26.992082119 CET	53	55530	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:33.678508043 CET	62696	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:33.815148115 CET	53	62696	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.442775965 CET	52459	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.451925039 CET	51205	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.676935911 CET	53	52459	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.678421021 CET	59965	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.706338882 CET	53501	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.760651112 CET	53	51205	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.815923929 CET	53	59965	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.816617012 CET	56632	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.842989922 CET	53	53501	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.843489885 CET	59583	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.843890905 CET	51730	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:37.955013990 CET	53	56632	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:37.980921030 CET	53	59583	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:38.044646978 CET	53	51730	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:38.045295954 CET	54873	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:38.183126926 CET	53	54873	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:55.061012030 CET	54588	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:55.197918892 CET	53	54588	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:55.202372074 CET	59230	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:32:55.339359045 CET	53	59230	1.1.1.1	192.168.2.7
Dec 10, 2024 04:32:56.421459913 CET	52501	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:33:07.215646029 CET	50628	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:33:07.426902056 CET	53	50628	1.1.1.1	192.168.2.7
Dec 10, 2024 04:33:36.437625885 CET	56927	53	192.168.2.7	1.1.1.1
Dec 10, 2024 04:33:36.574398994 CET	53	56927	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 04:32:09.644917965 CET	192.168.2.7	1.1.1.1	0x2edd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.652417898 CET	192.168.2.7	1.1.1.1	0x6d2a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.787908077 CET	192.168.2.7	1.1.1.1	0xc0c2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.812908888 CET	192.168.2.7	1.1.1.1	0x80f9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.925107956 CET	192.168.2.7	1.1.1.1	0x8c1a	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:09.954673052 CET	192.168.2.7	1.1.1.1	0xb5bd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:09.993031025 CET	192.168.2.7	1.1.1.1	0xad25	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.073628902 CET	192.168.2.7	1.1.1.1	0xb67b	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.390463114 CET	192.168.2.7	1.1.1.1	0x4a2c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.391251087 CET	192.168.2.7	1.1.1.1	0x8641	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.391916990 CET	192.168.2.7	1.1.1.1	0x6a12	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.527934074 CET	192.168.2.7	1.1.1.1	0x7c06	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:10.530404091 CET	192.168.2.7	1.1.1.1	0x7f29	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:10.622807980 CET	192.168.2.7	1.1.1.1	0x82fb	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:10.718595028 CET	192.168.2.7	1.1.1.1	0x56b2	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.802803993 CET	192.168.2.7	1.1.1.1	0x989e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.020694017 CET	192.168.2.7	1.1.1.1	0xe4aa	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.042431116 CET	192.168.2.7	1.1.1.1	0x32b2	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.107949018 CET	192.168.2.7	1.1.1.1	0x8afd	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:11.177484035 CET	192.168.2.7	1.1.1.1	0xdcb1	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.179646015 CET	192.168.2.7	1.1.1.1	0x9803	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.368438959 CET	192.168.2.7	1.1.1.1	0xc7ba	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.507359982 CET	192.168.2.7	1.1.1.1	0x660c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:12.508774996 CET	192.168.2.7	1.1.1.1	0x2d26	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:12.647610903 CET	192.168.2.7	1.1.1.1	0x23d5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:12.785855055 CET	192.168.2.7	1.1.1.1	0x6caf	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:13.291134119 CET	192.168.2.7	1.1.1.1	0x4e64	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.456926107 CET	192.168.2.7	1.1.1.1	0x821b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.520045996 CET	192.168.2.7	1.1.1.1	0x2f4e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.619576931 CET	192.168.2.7	1.1.1.1	0x53e3	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:13.682780027 CET	192.168.2.7	1.1.1.1	0x8d9e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:16.047084093 CET	192.168.2.7	1.1.1.1	0xc259	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:17.270272017 CET	192.168.2.7	1.1.1.1	0x610c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:17.660787106 CET	192.168.2.7	1.1.1.1	0x5170	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:20.760243893 CET	192.168.2.7	1.1.1.1	0xa552	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:20.806086063 CET	192.168.2.7	1.1.1.1	0xa5b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.807145119 CET	192.168.2.7	1.1.1.1	0x4d02	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.897542000 CET	192.168.2.7	1.1.1.1	0x63c8	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.943969965 CET	192.168.2.7	1.1.1.1	0x8dda	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.944849968 CET	192.168.2.7	1.1.1.1	0xa0a0	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.035109997 CET	192.168.2.7	1.1.1.1	0xcbab	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.081645966 CET	192.168.2.7	1.1.1.1	0x5150	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:21.082288027 CET	192.168.2.7	1.1.1.1	0xce37	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:21.219928026 CET	192.168.2.7	1.1.1.1	0xf5e3	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.223865032 CET	192.168.2.7	1.1.1.1	0x2818	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.232502937 CET	192.168.2.7	1.1.1.1	0x84fe	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 10, 2024 04:32:21.357949972 CET	192.168.2.7	1.1.1.1	0xf619	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.361119986 CET	192.168.2.7	1.1.1.1	0xc1e7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.499351025 CET	192.168.2.7	1.1.1.1	0xf527	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:21.566381931 CET	192.168.2.7	1.1.1.1	0x89d	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:21.637077093 CET	192.168.2.7	1.1.1.1	0x4da5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:26.854847908 CET	192.168.2.7	1.1.1.1	0x5dc8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:33.678508043 CET	192.168.2.7	1.1.1.1	0x9e5a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:37.442775965 CET	192.168.2.7	1.1.1.1	0x10fe	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.451925039 CET	192.168.2.7	1.1.1.1	0xa2cd	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.678421021 CET	192.168.2.7	1.1.1.1	0xb2e8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.706338882 CET	192.168.2.7	1.1.1.1	0x8e1a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.816617012 CET	192.168.2.7	1.1.1.1	0xbbb5	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 10, 2024 04:32:37.843489885 CET	192.168.2.7	1.1.1.1	0x41ee	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 10, 2024 04:32:37.843890905 CET	192.168.2.7	1.1.1.1	0x14ee	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:38.045295954 CET	192.168.2.7	1.1.1.1	0x9575	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:55.061012030 CET	192.168.2.7	1.1.1.1	0xbd7b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:55.202372074 CET	192.168.2.7	1.1.1.1	0x832	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:32:56.421459913 CET	192.168.2.7	1.1.1.1	0x4d11	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:33:07.215646029 CET	192.168.2.7	1.1.1.1	0xce47	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 10, 2024 04:33:36.437625885 CET	192.168.2.7	1.1.1.1	0x4369	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 04:32:09.782480001 CET	1.1.1.1	192.168.2.7	0x2edd	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.791296005 CET	1.1.1.1	192.168.2.7	0x6d2a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:09.791296005 CET	1.1.1.1	192.168.2.7	0x6d2a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.924487114 CET	1.1.1.1	192.168.2.7	0xc0c2	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:09.953830004 CET	1.1.1.1	192.168.2.7	0x80f9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.063698053 CET	1.1.1.1	192.168.2.7	0x8c1a	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:10.091387987 CET	1.1.1.1	192.168.2.7	0xb5bd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:10.128540993 CET	1.1.1.1	192.168.2.7	0x6eaf	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:10.128540993 CET	1.1.1.1	192.168.2.7	0x6eaf	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.129719019 CET	1.1.1.1	192.168.2.7	0xad25	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.129882097 CET	1.1.1.1	192.168.2.7	0x39c1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.212688923 CET	1.1.1.1	192.168.2.7	0xb67b	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:10.212688923 CET	1.1.1.1	192.168.2.7	0xb67b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.527165890 CET	1.1.1.1	192.168.2.7	0x4a2c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.529851913 CET	1.1.1.1	192.168.2.7	0x6a12	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.622107029 CET	1.1.1.1	192.168.2.7	0x8641	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:10.802107096 CET	1.1.1.1	192.168.2.7	0x1b9	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.106594086 CET	1.1.1.1	192.168.2.7	0x989e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.179254055 CET	1.1.1.1	192.168.2.7	0x32b2	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.314436913 CET	1.1.1.1	192.168.2.7	0xdcb1	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.314436913 CET	1.1.1.1	192.168.2.7	0xdcb1	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.316956997 CET	1.1.1.1	192.168.2.7	0x9803	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:11.316956997 CET	1.1.1.1	192.168.2.7	0x9803	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.362071991 CET	1.1.1.1	192.168.2.7	0x56b2	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:11.362071991 CET	1.1.1.1	192.168.2.7	0x56b2	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:11.362071991 CET	1.1.1.1	192.168.2.7	0x56b2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.396632910 CET	1.1.1.1	192.168.2.7	0xe4aa	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:11.505600929 CET	1.1.1.1	192.168.2.7	0xc7ba	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:11.645487070 CET	1.1.1.1	192.168.2.7	0x660c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:12.646301031 CET	1.1.1.1	192.168.2.7	0x2d26	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:12.785209894 CET	1.1.1.1	192.168.2.7	0x23d5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.418445110 CET	1.1.1.1	192.168.2.7	0xeb7c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:13.418445110 CET	1.1.1.1	192.168.2.7	0xeb7c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.428136110 CET	1.1.1.1	192.168.2.7	0x4e64	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:13.428136110 CET	1.1.1.1	192.168.2.7	0x4e64	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.506078005 CET	1.1.1.1	192.168.2.7	0x4deb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.593684912 CET	1.1.1.1	192.168.2.7	0x821b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:13.656727076 CET	1.1.1.1	192.168.2.7	0x2f4e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:16.475233078 CET	1.1.1.1	192.168.2.7	0xc259	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:16.475233078 CET	1.1.1.1	192.168.2.7	0xc259	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:16.475233078 CET	1.1.1.1	192.168.2.7	0xc259	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:17.660051107 CET	1.1.1.1	192.168.2.7	0x610c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.756947041 CET	1.1.1.1	192.168.2.7	0x41d5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.942850113 CET	1.1.1.1	192.168.2.7	0xa5b	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:20.944298983 CET	1.1.1.1	192.168.2.7	0x4d02	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:20.944298983 CET	1.1.1.1	192.168.2.7	0x4d02	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.034377098 CET	1.1.1.1	192.168.2.7	0x63c8	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:21.034377098 CET	1.1.1.1	192.168.2.7	0x63c8	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.080893993 CET	1.1.1.1	192.168.2.7	0x8dda	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.081691027 CET	1.1.1.1	192.168.2.7	0xa0a0	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.219167948 CET	1.1.1.1	192.168.2.7	0xce37	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.220699072 CET	1.1.1.1	192.168.2.7	0x5150	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.220699072 CET	1.1.1.1	192.168.2.7	0x5150	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.220699072 CET	1.1.1.1	192.168.2.7	0x5150	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.220699072 CET	1.1.1.1	192.168.2.7	0x5150	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.232006073 CET	1.1.1.1	192.168.2.7	0xcbab	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.357078075 CET	1.1.1.1	192.168.2.7	0xf5e3	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:21.357078075 CET	1.1.1.1	192.168.2.7	0xf5e3	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.357078075 CET	1.1.1.1	192.168.2.7	0xf5e3	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.357078075 CET	1.1.1.1	192.168.2.7	0xf5e3	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.357078075 CET	1.1.1.1	192.168.2.7	0xf5e3	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.360575914 CET	1.1.1.1	192.168.2.7	0x2818	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.445954084 CET	1.1.1.1	192.168.2.7	0x84fe	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.497652054 CET	1.1.1.1	192.168.2.7	0xc1e7	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.565721989 CET	1.1.1.1	192.168.2.7	0xf619	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.565721989 CET	1.1.1.1	192.168.2.7	0xf619	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.565721989 CET	1.1.1.1	192.168.2.7	0xf619	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.565721989 CET	1.1.1.1	192.168.2.7	0xf619	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:21.782757998 CET	1.1.1.1	192.168.2.7	0x89d	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.782757998 CET	1.1.1.1	192.168.2.7	0x89d	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.782757998 CET	1.1.1.1	192.168.2.7	0x89d	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:21.782757998 CET	1.1.1.1	192.168.2.7	0x89d	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 10, 2024 04:32:37.568300962 CET	1.1.1.1	192.168.2.7	0x29cb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:37.568300962 CET	1.1.1.1	192.168.2.7	0x29cb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.676935911 CET	1.1.1.1	192.168.2.7	0x10fe	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.676935911 CET	1.1.1.1	192.168.2.7	0x10fe	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.676935911 CET	1.1.1.1	192.168.2.7	0x10fe	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.676935911 CET	1.1.1.1	192.168.2.7	0x10fe	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.705636024 CET	1.1.1.1	192.168.2.7	0x5b3d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:37.705636024 CET	1.1.1.1	192.168.2.7	0x5b3d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.760651112 CET	1.1.1.1	192.168.2.7	0xa2cd	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:37.760651112 CET	1.1.1.1	192.168.2.7	0xa2cd	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.815923929 CET	1.1.1.1	192.168.2.7	0xb2e8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.815923929 CET	1.1.1.1	192.168.2.7	0xb2e8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.815923929 CET	1.1.1.1	192.168.2.7	0xb2e8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.815923929 CET	1.1.1.1	192.168.2.7	0xb2e8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.842989922 CET	1.1.1.1	192.168.2.7	0x8e1a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:37.955013990 CET	1.1.1.1	192.168.2.7	0xbbb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 10, 2024 04:32:37.955013990 CET	1.1.1.1	192.168.2.7	0xbbb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 10, 2024 04:32:37.955013990 CET	1.1.1.1	192.168.2.7	0xbbb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 10, 2024 04:32:37.955013990 CET	1.1.1.1	192.168.2.7	0xbbb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 10, 2024 04:32:38.044646978 CET	1.1.1.1	192.168.2.7	0x14ee	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:39.327255964 CET	1.1.1.1	192.168.2.7	0x78c6	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:39.327255964 CET	1.1.1.1	192.168.2.7	0x78c6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:41.200489044 CET	1.1.1.1	192.168.2.7	0x3a1e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:41.200489044 CET	1.1.1.1	192.168.2.7	0x3a1e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:55.197918892 CET	1.1.1.1	192.168.2.7	0xbd7b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:32:56.558840036 CET	1.1.1.1	192.168.2.7	0x4d11	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 04:32:56.558840036 CET	1.1.1.1	192.168.2.7	0x4d11	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 10, 2024 04:33:07.213733912 CET	1.1.1.1	192.168.2.7	0x162e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	34.107.221.82	80	4256	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 04:32:09.932145119 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:11.019855022 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 17:03:35 GMT Age: 37715 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49713	34.107.221.82	80	4256	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 04:32:11.439179897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:12.525093079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 03:34:26 GMT Age: 86266 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49718	34.107.221.82	80	4256	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 04:32:12.268920898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:13.362489939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:17.272762060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:17.586901903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54834 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:23.324387074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:23.639147043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54840 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:25.330213070 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:25.644382954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54842 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:26.730611086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:27.044904947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54843 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:28.074039936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:28.388650894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54845 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:29.400055885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:29.724029064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54846 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:34.903718948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:35.218718052 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54852 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:38.670706987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:38.984795094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54855 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:40.207516909 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:40.570995092 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54857 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:40.595741034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:40.910026073 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54857 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:32:50.922338963 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:32:56.421180964 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:32:56.735620022 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54873 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:33:06.736675024 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:08.456875086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:33:08.771600962 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54885 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:33:09.686671019 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:33:10.000930071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54886 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:33:20.011365891 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:30.137044907 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:37.657691956 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 10, 2024 04:33:37.972162008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 09 Dec 2024 12:18:23 GMT Age: 54914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 10, 2024 04:33:47.978883982 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:58.107934952 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:34:08.239892006 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49724	34.107.221.82	80	4256	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 04:32:13.705203056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:14.791850090 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 32991 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:20.832235098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:21.148940086 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 32997 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:24.252707005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:24.567056894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33001 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:25.647139072 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:25.961810112 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33002 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:27.047835112 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:27.362790108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33004 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:28.392174006 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:28.709100008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33005 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:29.728765011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:30.043586969 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33006 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:35.222299099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:35.536611080 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33012 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:38.988048077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:39.302330017 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33016 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:40.574271917 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:40.888379097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33017 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:40.913460016 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:41.228173971 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33018 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:32:51.238886118 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:32:56.738949060 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:32:57.053297043 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:33:07.075468063 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:08.775417089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:33:09.090605021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33045 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:33:10.003890038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:33:10.318557978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33047 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:33:20.327498913 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:30.454864025 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:37.975513935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 10, 2024 04:33:38.290182114 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 09 Dec 2024 18:22:23 GMT Age: 33075 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 10, 2024 04:33:48.311002016 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:33:58.440046072 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 10, 2024 04:34:08.578526020 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	22:32:00
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x200000
File size:	968'192 bytes
MD5 hash:	CD6FBD133B166F011EE0459DAB795A09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:32:01
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x3b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:32:01
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:32:03
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x3b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:32:03
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x3b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x3b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x3b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:32:04
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	22:32:06
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff868d4-e876-4eb3-90fc-8f920c308aec} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd4596e910 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	22:32:07
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3068 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d50ed7-ac4a-4dd8-8fac-bb1be5cc9d47} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd57beff10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	22:32:12
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5084 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f165d4fc-795c-42a0-aec5-4aaa0c03c649} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1dd5763c310 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.3%
Total number of Nodes:	1705
Total number of Limit Nodes:	52

Executed Functions

Function 002042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0020430D

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetCurrentProcess.KERNEL32(?,0029CB64,00000000,?,?), ref: 00204422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00204429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00204454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00204466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00204474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0020447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002044A0

Strings

|O, xrefs: 002436F8
GetNativeSystemInfo, xrefs: 00204460
kernel32.dll, xrefs: 0020444F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction ID: b5f4e8fbfd5a1230faa4e949849545b77afb23c47b743b20b99388fff50ee8b6
Opcode Fuzzy Hash: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction Fuzzy Hash: 22A1B4A2D2B3C1FFC795DB69BC4D1957FA5AB26300B1884DBE08193EA2D2704D74CB25

Function 002042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002050AA,?,?,00000000,00000000), ref: 002042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002050AA,?,?,00000000,00000000), ref: 002042C9
LoadResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435BE
SizeofResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435D3
LockResource.KERNEL32(002050AA,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20,?), ref: 002435E6

Strings

SCRIPT, xrefs: 002042BF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction ID: b9fdb8b1f72b58d9c632cb234651ff1dea647e89e0f30b6b6b82681ecfab84b3
Opcode Fuzzy Hash: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction Fuzzy Hash: 71117CB0610701BFEB219F65EC48F677BB9EBC5B51F20816AB902D6290DB71D8108630

Function 00242BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002C2224), ref: 00242C10
ShellExecuteW.SHELL32(00000000,?,?,002C2224), ref: 00242C17

Strings

runas, xrefs: 00242C0B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 270b6ff55fdb1a3114efe02f767d719401221876f74d85bbdb1ed92ee39a329c
Instruction ID: e2d84b4cf3d1b40a67042554838e3e5275669bb192ccffed00b284f6614f2e80
Opcode Fuzzy Hash: 270b6ff55fdb1a3114efe02f767d719401221876f74d85bbdb1ed92ee39a329c
Instruction Fuzzy Hash: 0011E731624341AAC704FF60D85AABE77A89B91304F44146EF042520E3CF20997DCB52

Function 0026D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Process32NextW.KERNEL32(00000000,?), ref: 0026D52F
CloseHandle.KERNEL32(00000000), ref: 0026D5DC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 37a7c30cda129fa332607526741d628b0c144b36412e352baf7d41ea0e9d788b
Instruction ID: acf716b85e56ceb9e8dcc2f520fd5f717262e6ca4f1ee8d677d6b707976952cf
Opcode Fuzzy Hash: 37a7c30cda129fa332607526741d628b0c144b36412e352baf7d41ea0e9d788b
Instruction Fuzzy Hash: 9B31D1715183059FD300EF54D885AAFBBF8EF99344F50092DF586831E2EB719998CBA2

Function 0026DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00245222), ref: 0026DBCE
GetFileAttributesW.KERNEL32(?), ref: 0026DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0026DBEE
FindClose.KERNEL32(00000000), ref: 0026DBFA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction ID: 370967a2b6df8efbc8fe01203f399eb2f17250cb4667dbe982c407e33542ca17
Opcode Fuzzy Hash: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction Fuzzy Hash: FBF0A030C2091857C220AF7CAC0D8AA376C9E01334BA04707F836C20E0EBB159E486D9

Function 0025D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0025D220

Strings

X64, xrefs: 0025D2A8
%.3d, xrefs: 0025D22B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction ID: 1017843061afbe1f380568bd68bc53b2fae006171860eb3fdeced72f99a12d7d
Opcode Fuzzy Hash: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction Fuzzy Hash: 3DD01271C3C108EACBA097D0DC499FAB3BCAB18302F608456FC06D2041D6B4D56CAB65

Function 00224CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D09
TerminateProcess.KERNEL32(00000000,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D10
ExitProcess.KERNEL32 ref: 00224D22

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction ID: f31f16f49634838847a491df444bf2d251ed5f5aa7f012b978309fc07e3643f7
Opcode Fuzzy Hash: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction Fuzzy Hash: 22E09271010158BBCB11BF94EE0AA583B69AB45B81B204055FC098A132CB35DA62CA94

Function 0025D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0025D28C

Strings

X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction ID: 2108f4551cf6f1aa3cef5bc8a15689748afd6871d35a2640900a6ae333e02347
Opcode Fuzzy Hash: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction Fuzzy Hash: F0D0C9B482511DEFCB90CB90EC88DDEB3BCBB14305F100152F506E2000D7B095488F20

Function 0020BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#-, xrefs: 002507CE

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#-
API String ID: 3964851224-1355192918
Opcode ID: a46380344f855185615df5e424f2af7d11617a80fd88b8bd24bddfaa82912344
Instruction ID: 633399b70ab282d67fbb120002903cf61b229321b655fb36ae75d2e203c225c4
Opcode Fuzzy Hash: a46380344f855185615df5e424f2af7d11617a80fd88b8bd24bddfaa82912344
Instruction Fuzzy Hash: C5A25BB06283418FD714CF14C480B6AB7E1BF99304F24896DE99A9B392D771EC65CF92

Function 0028AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0028B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1D4
_wcslen.LIBCMT ref: 0028B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B236
_wcslen.LIBCMT ref: 0028B332

Part of subcall function 002705A7: GetStdHandle.KERNEL32(000000F6), ref: 002705C6

_wcslen.LIBCMT ref: 0028B34B
_wcslen.LIBCMT ref: 0028B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028B3B6
GetLastError.KERNEL32(00000000), ref: 0028B407
CloseHandle.KERNEL32(?), ref: 0028B439
CloseHandle.KERNEL32(00000000), ref: 0028B44A
CloseHandle.KERNEL32(00000000), ref: 0028B45C
CloseHandle.KERNEL32(00000000), ref: 0028B46E
CloseHandle.KERNEL32(?), ref: 0028B4E3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 0fa3360ab8a5230950cb7b2bfe35bd450ead8ff0b5d27c525716fddad0403573
Instruction ID: 5c4a37476a7e900db099f32e5272ae6888969620ed2e7557a7690fcfdbccfc0b
Opcode Fuzzy Hash: 0fa3360ab8a5230950cb7b2bfe35bd450ead8ff0b5d27c525716fddad0403573
Instruction Fuzzy Hash: 19F1AB355293019FC725EF24C891B6ABBE4AF85310F18855DF8998B2E2CB31EC64CF52

Function 0020D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0020D807
timeGetTime.WINMM ref: 0020DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB28
TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNEL32(0000000A), ref: 0020DBB1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dfc62ed0367304166c80774551b37b037a0ca5b2a0a8ec82ebe8b739e314891d
Instruction ID: e3ca565a883ca4d2c21e84e3a48bd78290862a7b30426520744f658d5457d2ad
Opcode Fuzzy Hash: dfc62ed0367304166c80774551b37b037a0ca5b2a0a8ec82ebe8b739e314891d
Instruction Fuzzy Hash: 8142F330629342EFD728CF64C848BAAB7E4BF46305F14855EE855872D2D770E868CF96

Function 00202CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202D07
RegisterClassExW.USER32(00000030), ref: 00202D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
LoadIconW.USER32(000000A9), ref: 00202D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

0, xrefs: 00202CE9
AutoIt v3 GUI, xrefs: 00202D23
+, xrefs: 00202CF0
TaskbarCreated, xrefs: 00202D37

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction ID: fe83d269493b22434e8f1a2cb25afb6b110d67f304db47637871b72e7f093244
Opcode Fuzzy Hash: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction Fuzzy Hash: 6F21B2B5D52218AFEB00DFA4F85DADDBBB8FB08700F20411BE511A62A0D7B149548F91

Function 0024065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0024039A: CreateFileW.KERNEL32(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

GetLastError.KERNEL32 ref: 0024076F
__dosmaperr.LIBCMT ref: 00240776
GetFileType.KERNEL32(00000000), ref: 00240782
GetLastError.KERNEL32 ref: 0024078C
__dosmaperr.LIBCMT ref: 00240795
CloseHandle.KERNEL32(00000000), ref: 002407B5
CloseHandle.KERNEL32(?), ref: 002408FF
GetLastError.KERNEL32 ref: 00240931
__dosmaperr.LIBCMT ref: 00240938

Strings

H, xrefs: 002408BD

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction ID: e8c93175ba515a2688bc1f8a870cf69565f8592be85ec70ae073dc6ccf5f84c0
Opcode Fuzzy Hash: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction Fuzzy Hash: CCA14732A201158FDF1DAF68D895BAD7BB0EB06320F24015EF9159F291CB349C62CF91

Function 0020344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00203357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00203379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0020356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0024318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002431CE
RegCloseKey.ADVAPI32(?), ref: 00243210
_wcslen.LIBCMT ref: 00243277
_wcslen.LIBCMT ref: 00243286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00203560
Include, xrefs: 00243184, 002431C5
\Include\, xrefs: 00203527
\, xrefs: 0024328C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3277d00bfdedaa9a45ea9a9a067391dd7dd5cf7bddd316d9869a4a61ae9ad979
Instruction ID: fdca7d1f4d720d3dce842891ded1ce40520c3785b98803f47061ec0a8ec57c76
Opcode Fuzzy Hash: 3277d00bfdedaa9a45ea9a9a067391dd7dd5cf7bddd316d9869a4a61ae9ad979
Instruction Fuzzy Hash: 2071AD71925301DEC344EF69EC8686BBBE8FFA5340F40042EF545931A1EB708A58CF61

Function 00202B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00202B9D
LoadIconW.USER32(00000063), ref: 00202BB3
LoadIconW.USER32(000000A4), ref: 00202BC5
LoadIconW.USER32(000000A2), ref: 00202BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00202BEF
RegisterClassExW.USER32(?), ref: 00202C40

Part of subcall function 00202CD4: GetSysColorBrush.USER32(0000000F), ref: 00202D07
Part of subcall function 00202CD4: RegisterClassExW.USER32(00000030), ref: 00202D31
Part of subcall function 00202CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
Part of subcall function 00202CD4: InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
Part of subcall function 00202CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
Part of subcall function 00202CD4: LoadIconW.USER32(000000A9), ref: 00202D85
Part of subcall function 00202CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

#, xrefs: 00202C16
0, xrefs: 00202C0F
AutoIt v3, xrefs: 00202C2F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction ID: 5431dd4643c46326e53ec13b3caaa388964e620f082a38e3002ada5343ed5413
Opcode Fuzzy Hash: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction Fuzzy Hash: C7213A70E52314BBDB509FE5FC4DAA9BFB8FB08B50F50019BE504A6AA0D3B10960CF90

Function 0020B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020BB4E

Strings

p%-, xrefs: 0020B8DC
p#-, xrefs: 0025024F
x#-, xrefs: 00250168
x#-, xrefs: 00250207
p#-, xrefs: 00250263
p#-, xrefs: 0020BA72
p%-, xrefs: 0020BB32
p#-, xrefs: 0020BB6B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#-$p#-$p#-$p#-$p%-$p%-$x#-$x#-
API String ID: 1385522511-3262604249
Opcode ID: 17d381e14c5b0d908b7a63fcef0cfc404b671e6a4c5d8e048b153d3fd161d6a3
Instruction ID: 7c184062a8c4aee9e72af3f9c64e3334617ab75b72d159d3f6e06328b17f2679
Opcode Fuzzy Hash: 17d381e14c5b0d908b7a63fcef0cfc404b671e6a4c5d8e048b153d3fd161d6a3
Instruction Fuzzy Hash: 9932C135A2020AEFDB25CF54C894ABEB7B5EF44304F14809AED05AB2A2C774ED65CF51

Function 00203170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0020316A,?,?), ref: 002031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0020316A,?,?), ref: 00203204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00203227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0020316A,?,?), ref: 00203232
CreatePopupMenu.USER32 ref: 00203246
PostQuitMessage.USER32(00000000), ref: 00203267

Strings

TaskbarCreated, xrefs: 0020322D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e63a5d56a1fedd34d6c7477cb6b3b648738017ab63228933818738bc940245e7
Instruction ID: 6adff9a756f0fe4b13f0d3a40d49af829d6ed47bbe209577d08d3d60b33d7520
Opcode Fuzzy Hash: e63a5d56a1fedd34d6c7477cb6b3b648738017ab63228933818738bc940245e7
Instruction Fuzzy Hash: 89411735670301BBDB149FB8AC2DBB9775DEB09340F140117F906866E3CBA19EB09B61

Function 0020DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%-, xrefs: 0025302D
D%-, xrefs: 0020E1E0
Variable must be of type 'Object'., xrefs: 002532B7
D%-D%-, xrefs: 0020E27E
D%-, xrefs: 0020E4B1
D%-, xrefs: 00252FDA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: D%-$D%-$D%-$D%-$D%-D%-$Variable must be of type 'Object'.
API String ID: 0-943184658
Opcode ID: 4a90c7def5c9baa37308d798494b80654bc4374e2921cc1f2dc012d6f9a3b7c8
Instruction ID: 4a1b9acc830406d9bfe6fa458a07455e17bdca2b4bd54d6569e0e13dbe938ea7
Opcode Fuzzy Hash: 4a90c7def5c9baa37308d798494b80654bc4374e2921cc1f2dc012d6f9a3b7c8
Instruction Fuzzy Hash: 76C28B71A20205CFCF24CF58D880AADB7B1BF18310F258969E955AB392D371EDA5CF91

Function 0020EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020FE66

Strings

D%-, xrefs: 0020F36A
D%-, xrefs: 0025491E
D%-, xrefs: 0020EFB7
D%-D%-, xrefs: 0020F05B
D%-, xrefs: 00254972

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1705906001
Opcode ID: 40b4fdef5890ba7b2da985bf499f552039b3310f0a8846b3f5aa28806ac39a8e
Instruction ID: 1a3258a4495df9f26f47a32a37323eac00e60fa3e224841ebf7775de691a989c
Opcode Fuzzy Hash: 40b4fdef5890ba7b2da985bf499f552039b3310f0a8846b3f5aa28806ac39a8e
Instruction Fuzzy Hash: 13B2BD74A28341CFDB64CF14D580A2AB7E1BF99304F24486EE8858B792D771ECA5CF52

Function 00201410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00201459
CoUninitialize.COMBASE ref: 002014F8
UnregisterHotKey.USER32(?), ref: 002016DD
DestroyWindow.USER32(?), ref: 002424B9
FreeLibrary.KERNEL32(?), ref: 0024251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0024254B

Strings

close all, xrefs: 00201454

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bd3c934521311b4dd1595a2be5f26a4b7b40a9c70d902b09fad71a293d92884b
Instruction ID: 0873fea78383b76c08d82c9a04c8ebfe87f2cae208ccb81571da52d66f6d00b2
Opcode Fuzzy Hash: bd3c934521311b4dd1595a2be5f26a4b7b40a9c70d902b09fad71a293d92884b
Instruction Fuzzy Hash: FFD18D31721212CFDB19EF15C899B29F7A4BF05700FA5419DE84A6B2A2CB31AD76CF50

Function 0026DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0026DE42
gethostname.WS2_32(?,00000100), ref: 0026DE5C
gethostbyname.WS2_32(?), ref: 0026DE69
inet_ntoa.WSOCK32(?), ref: 0026DEAB
_strcat.LIBCMT ref: 0026DEB9
WSACleanup.WSOCK32 ref: 0026DEDE

Strings

0.0.0.0, xrefs: 0026DE87

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b49db4581992220ff43ff29063f26de8903664ee3dd1b2e987678c6936e3a68b
Instruction ID: de266505030571122750fcbe83d8407d6a885b4843e95673b2e210135edf9dfd
Opcode Fuzzy Hash: b49db4581992220ff43ff29063f26de8903664ee3dd1b2e987678c6936e3a68b
Instruction Fuzzy Hash: D411DA71A24119BFCB24BBB0AC4AEDE77ACDF11711F11016AF54596091EFB18AE18E90

Function 00202C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00202C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00202CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CCF

Strings

edit, xrefs: 00202CAC
AutoIt v3, xrefs: 00202C89, 00202C8E, 00202C8F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction ID: 0d53799a7e6c872a290403ec150b5017696ea61d65ec9b2ddc929fc00183478f
Opcode Fuzzy Hash: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction Fuzzy Hash: 84F0D475A412907BEB711B27BC0CEB76FBDD7CAF60B10009BF904A29A0C6611C60DAB0

Function 0025D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0025D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025D3BF
FreeLibrary.KERNEL32(00000000), ref: 0025D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0025D3B9
X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction ID: 75be6c6a261e85b6938122070a1ac8536c7c379f44bc7ff4a6bcc251bb3a3421
Opcode Fuzzy Hash: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction Fuzzy Hash: 65F05C31835612EBD7715B209C0C9593314AF10703F644596FC06E2115D7B0CDF8CE9E

Function 00203B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B83

Strings

Control Panel\Mouse, xrefs: 00203B3E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction ID: 9e47900dd3e12d35c13c3c61bb340637e7900188cc89ed6880f9a7a637f5e19f
Opcode Fuzzy Hash: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction Fuzzy Hash: 17112AB5520209FFDB20CFA5DC89AAEBBBCEF04748B10445AA805D7250D2719E549760

Function 00203923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002433A2

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Strings

Line: , xrefs: 002433EB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: bf16a3a7c726686d613af1c4bf7320bc8c8bc4de97001c825f7e9926b6b466cb
Instruction ID: 63eeea5360f03d379867d46ee373b09189b14d54e30a257a5eadd1e38af5cf11
Opcode Fuzzy Hash: bf16a3a7c726686d613af1c4bf7320bc8c8bc4de97001c825f7e9926b6b466cb
Instruction Fuzzy Hash: 3331E371929305AAC324EF20EC49BEBB7DCAF40710F00456BF599825D2DB709A79CBC2

Function 00202DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00242C8C

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 00202DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00202DC4

Strings

`e,, xrefs: 00242C85
X, xrefs: 00242C5A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e,
API String ID: 779396738-2207544159
Opcode ID: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction ID: 7d6d8763d6f572351b3f5f984012d0dde620c7e60b3ce5f2bd51e2f132ec22a1
Opcode Fuzzy Hash: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction Fuzzy Hash: 6821A871A203589FCB15EF94D849BDE7BFC9F49304F40405AE405B7282DBB459AD8F61

Function 0021FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00220668

Part of subcall function 002232A4: RaiseException.KERNEL32(?,?,?,0022068A,?,002D1444,?,?,?,?,?,?,0022068A,00201129,002C8738,00201129), ref: 00223304

__CxxThrowException@8.LIBVCRUNTIME ref: 00220685

Strings

Unknown exception, xrefs: 00220692

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1f827c36c638bca9d09f11055417a9f0aeca54a3e2c8414bbdaf774f6a0479ca
Instruction ID: ef40377ad867358bd675dc8b8535461899ca59a42eb3576e7de9b31567624fc9
Opcode Fuzzy Hash: 1f827c36c638bca9d09f11055417a9f0aeca54a3e2c8414bbdaf774f6a0479ca
Instruction Fuzzy Hash: A4F0C83492021DB7CF00BAE4F886DAE776C5E00310B604575F924D5593EF75DA75C9C0

Function 002010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00201BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Part of subcall function 00201B4A: RegisterWindowMessageW.USER32(00000004,?,002012C4), ref: 00201BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0020136A
OleInitialize.OLE32 ref: 00201388
CloseHandle.KERNEL32(00000000,00000000), ref: 002424AB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e6b6a9d50c3b5a2969e40fb3a50358c292d57b1d22507cef39b403762a859757
Instruction ID: 1f584e73b5f84667f27336408e1034a2c7389931cb7c901026690233d259918e
Opcode Fuzzy Hash: e6b6a9d50c3b5a2969e40fb3a50358c292d57b1d22507cef39b403762a859757
Instruction Fuzzy Hash: 0C718EB4E22340AED784DFB9B9496553BE5FB88344394826BD40AC7BA2E7384C74CF51

Function 0026C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00203923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0026C259
KillTimer.USER32(?,00000001,?,?), ref: 0026C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0026C270

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fe10009e6e828d9b74a8c7c35ed2ea27cf8d9f3989f83eb33b08d430d19593f8
Instruction ID: 9c52610cd0b83a05dfc5c38d15e4d74d2ca642aed962885cbd3cf6fcb27699af
Opcode Fuzzy Hash: fe10009e6e828d9b74a8c7c35ed2ea27cf8d9f3989f83eb33b08d430d19593f8
Instruction Fuzzy Hash: 73319570914344AFEB22DF6498A9BE7BBEC9F06304F10049AD9DE97241C7745AD4CB51

Function 002386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,002385CC,?,002C8CC8,0000000C), ref: 00238704
GetLastError.KERNEL32(?,002385CC,?,002C8CC8,0000000C), ref: 0023870E
__dosmaperr.LIBCMT ref: 00238739

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction ID: c4f1c1d6bad67e8b6f06377275dc36516d6238d375b8fb2d0fcf3d4d1d51549f
Opcode Fuzzy Hash: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction Fuzzy Hash: 9C016BB2A353302AD6206734694A77E675D4B82774F38015AF8198F0D2DEA0CC918950

Function 0020DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNEL32(0000000A), ref: 0020DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00251CC9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction ID: 095e2f7b3e94998e781c151c7ed0f04f76db841a9ab2ea11f01897be79fddf8d
Opcode Fuzzy Hash: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction Fuzzy Hash: 14F054306553419BE730CBA09C49FEA73ACEF44311F504516E609C30C0DB309468DB16

Function 00211310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002117F6

Strings

CALL, xrefs: 002117C6

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 862c2dcdd97a9705d57467ec95d0fffdabb81f53fd6cc763eea1898379b69386
Instruction ID: f157ad32bed1a4035642ae6364efa048bb86cb2a7340fad2bdca2cd61c0af1d9
Opcode Fuzzy Hash: 862c2dcdd97a9705d57467ec95d0fffdabb81f53fd6cc763eea1898379b69386
Instruction Fuzzy Hash: EE22BD706283029FC714CF14C484A6ABBF1BFA5304F64895DF9968B3A1D772E8A5CF42

Function 002101E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4afbac1b5ff4032904064564d05631f35dcec1db71d5ad7e7042ad789f0728
Instruction ID: def7afc6ee1f7706d32ba3753cc05a69510f40a4caf3113d8126d09d59f8aa78
Opcode Fuzzy Hash: 6e4afbac1b5ff4032904064564d05631f35dcec1db71d5ad7e7042ad789f0728
Instruction Fuzzy Hash: 6E32DD30A20615DFCB20DF54C895AEEB7F0AF24311F148469EC25AB2A1D7B1ADE4CF95

Function 0025D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0025D375

Strings

X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 8befc4b11fe66c8f27b9a1b8c7c957ee66a2799ed70257a2b21e9e2b12162a7a
Instruction ID: bee93cd8f6b82fb004bd6e22fd679bb0385453bffeea19a85a04367c9adaa3cd
Opcode Fuzzy Hash: 8befc4b11fe66c8f27b9a1b8c7c957ee66a2799ed70257a2b21e9e2b12162a7a
Instruction Fuzzy Hash: 99D0C9B5835118EFCBA0CB40DC88DDAB3BCBB14302F604292F802E2001D7B095989F15

Function 00203837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203908

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 98df92bd9ca4676e0041a218f16650ff5ea2fff9baef7bd461c4b0e96bac0dab
Instruction ID: d629178ff3932365396016941a75e50fb8ce66dbc0b3755fde00d4ea42ae9315
Opcode Fuzzy Hash: 98df92bd9ca4676e0041a218f16650ff5ea2fff9baef7bd461c4b0e96bac0dab
Instruction Fuzzy Hash: 8231D770A15301DFD360DF24E888797BBE8FB49308F00096FF59983281D771AA64CB52

Function 0021F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0021F661

Part of subcall function 0020D730: GetInputState.USER32 ref: 0020D807

Sleep.KERNEL32(00000000), ref: 0025F2DE

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d842ab8386338de74a01bb8bdcdbddb196921849ec610068fc9202c640e01a56
Instruction ID: 975073ee4153995e77e70d28d28ecd3bc372d15e9ed4f957b0900232307fd33e
Opcode Fuzzy Hash: d842ab8386338de74a01bb8bdcdbddb196921849ec610068fc9202c640e01a56
Instruction Fuzzy Hash: 85F058312502059FD354EF79E949BAABBE8AB49761F00006AE85DC72A1DB70A8108F94

Function 00204ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00204E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
Part of subcall function 00204E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
Part of subcall function 00204E90: FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EFD

Part of subcall function 00204E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
Part of subcall function 00204E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
Part of subcall function 00204E59: FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cf9902ab07751b88b9f657d32cb39e4e10c1988a222eae9ac77facd25183458a
Instruction ID: fe1fbf338bc439fe3193e8c34ea2fe7accdbcd4d63f17d8285719747a9f68557
Opcode Fuzzy Hash: cf9902ab07751b88b9f657d32cb39e4e10c1988a222eae9ac77facd25183458a
Instruction Fuzzy Hash: 58110471630306AACF14FF60DC46BAD77A59F40715F20842EF642A61C2DEB49A249F50

Function 00238402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00238440

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction ID: 7db056eb6794f82da8ffb6a77147c61969770f1f1a816acd14ac1ae3b33db412
Opcode Fuzzy Hash: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction Fuzzy Hash: C31118B591420AAFCF15DF58E94199A7BF5EF48314F104059F908AB312DB31EA21CBA5

Function 0022E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ae3882fba8a16c76af1098a80d040220e23d087ad03a24a866eb9356d4d1d3c0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: ECF0F472530A34F6DA313EA9AC05B6A339C9F52331F110725F920961D2DBB4A8259EA5

Function 00233820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction ID: d9c1643096608bc7bb40f8381f9d099a0314a8c15fd514db3e83554ca552af77
Opcode Fuzzy Hash: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction Fuzzy Hash: 19E0E572631236A6E6216EA6AC04B9A3749AF427B0F150132BC04928A0CB50DF2185E4

Function 00204F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204F6D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b26fa6113463d5867f8dec01e398e40dd05378e13acc85b57a23db45593773a4
Instruction ID: 2d40abbe2a1378e6fcee8b154590cdbb24066151b01a3d1bd9edc9f035588f22
Opcode Fuzzy Hash: b26fa6113463d5867f8dec01e398e40dd05378e13acc85b57a23db45593773a4
Instruction Fuzzy Hash: 4EF01CB1125753CFDB34AF64E498822B7E4AF14319320C96EE3DA82952C7719854DF10

Function 00292A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00292A66

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e8686999528041152e1b79c53cc74ed22891c0d3dc8f61839a979e253a5d760b
Instruction ID: 0e6269281f0d5da05457045a7668c204b35c1e2ba2b58396a15d638d9c27220f
Opcode Fuzzy Hash: e8686999528041152e1b79c53cc74ed22891c0d3dc8f61839a979e253a5d760b
Instruction Fuzzy Hash: 42E04F77374116FACB14EA30EC808FA735CEF603957104536AC1AD2100DF3099B98AA0

Function 002030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0020314E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1b2ed73e1deb44ac09fd2ebc51b8bdcbece604f4b053af408e524d808e05dd43
Instruction ID: 89c339c5362595cee083794805db926aadd324a66196ea298d7b4659a1fce347
Opcode Fuzzy Hash: 1b2ed73e1deb44ac09fd2ebc51b8bdcbece604f4b053af408e524d808e05dd43
Instruction Fuzzy Hash: 80F0A770A10354AFE792DF24EC497D57BBCAB01708F0000E6A14896182D7705B98CF41

Function 00202DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00202DC4

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction ID: 7c1f832b085b0a0e9eb3479f924c460f08853bbe187d5a2a5cd3c229d90d5fd5
Opcode Fuzzy Hash: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction Fuzzy Hash: DEE0CD72A002245BC720D7589C09FDA77DDDFC8790F050071FD09E7249D960AD948950

Function 00202B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00203837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203908

Part of subcall function 0020D730: GetInputState.USER32 ref: 0020D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 002030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0020314E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b9f547c598ff2f09b32fdfcbeb9f39114a3fc2cf6aa792e12f6d271806f6f8ee
Instruction ID: 3fb91a48a9474533e66ea5a734c2209e24c0cf998b3b34f43b1ca0942a9963cc
Opcode Fuzzy Hash: b9f547c598ff2f09b32fdfcbeb9f39114a3fc2cf6aa792e12f6d271806f6f8ee
Instruction Fuzzy Hash: 1EE0262132030417C704FB70A85657DB34D8BD1311F00053FF142836E3CE2049794A11

Function 0026DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0026DF40

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 3a4faa0a6b44a2c86eb7df239bbabac49cf1c881f64125d96ad62f64237bc7cd
Instruction ID: 97387ba69d7f161329e068eed56b529591812d5aa03365fffa2f8c4502821d93
Opcode Fuzzy Hash: 3a4faa0a6b44a2c86eb7df239bbabac49cf1c881f64125d96ad62f64237bc7cd
Instruction Fuzzy Hash: 76D05EE2A003282BDF60A6749C0DDF73AACC740214F0006A1786DD3192E920DD448AF0

Function 0024039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction ID: da7ebe3b912759a88846c7a8b590f85ca7d37b2e91784f86eab2b38e0fa55ba8
Opcode Fuzzy Hash: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction Fuzzy Hash: 0BD06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020C732E821AB94

Function 00201CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00201CBC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction ID: 83c73bc3b50f6312f9a2379230ce82a2eacdf938060e0754e3a6ebaa1e72f3bd
Opcode Fuzzy Hash: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction Fuzzy Hash: C3C09236681304EFF2188B84BC4EF107764E358B00F948003F609B99E3C3A22C20EA50

Non-executed Functions

Function 00299576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0029961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0029969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002996C9
SendMessageW.USER32 ref: 002996F2
GetKeyState.USER32(00000011), ref: 0029978B
GetKeyState.USER32(00000009), ref: 00299798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002997AE
GetKeyState.USER32(00000010), ref: 002997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002997E9
SendMessageW.USER32 ref: 00299810
SendMessageW.USER32(?,00001030,?,00297E95), ref: 00299918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0029992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00299941
SetCapture.USER32(?), ref: 0029994A
ClientToScreen.USER32(?,?), ref: 002999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002999D6
ReleaseCapture.USER32 ref: 002999E1
GetCursorPos.USER32(?), ref: 00299A19
ScreenToClient.USER32(?,?), ref: 00299A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299A80
SendMessageW.USER32 ref: 00299AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299AEB
SendMessageW.USER32 ref: 00299B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00299B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00299B4A
GetCursorPos.USER32(?), ref: 00299B68
ScreenToClient.USER32(?,?), ref: 00299B75
GetParent.USER32(?), ref: 00299B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299BFA
SendMessageW.USER32 ref: 00299C2B
ClientToScreen.USER32(?,?), ref: 00299C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00299CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299CDE
SendMessageW.USER32 ref: 00299D01
ClientToScreen.USER32(?,?), ref: 00299D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00299D82

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetWindowLongW.USER32(?,000000F0), ref: 00299E05

Strings

@GUI_DRAGID, xrefs: 0029997D
F, xrefs: 00299D07
p#-, xrefs: 00299990

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#-
API String ID: 3429851547-2933316088
Opcode ID: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction ID: 3409c0686f108de0dfbdcc1b6d42577c0a7edce1153e26b9a97666d6e1666e3d
Opcode Fuzzy Hash: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction Fuzzy Hash: 7D429071624201AFDB24CF68DC58AAABBE9FF49320F10461EF599872A1D771D8B0CF51

Function 00294873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00294908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00294927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0029494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0029495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0029497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00294A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A7E
IsMenu.USER32(?), ref: 00294A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294B20
GetWindowLongW.USER32(?,000000F0), ref: 00294B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00294BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00294C82
wsprintfW.USER32 ref: 00294CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00294D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294D5A

Strings

%d/%02d/%02d, xrefs: 00294CA8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 43872fbe6f2bba982559546dff8afd9883ef99c4a26c54846e6a4013a9404592
Instruction ID: d9020543b743cb95b4c6abbb786103d2ce0cca5e31c7d5852f595f83023084b1
Opcode Fuzzy Hash: 43872fbe6f2bba982559546dff8afd9883ef99c4a26c54846e6a4013a9404592
Instruction Fuzzy Hash: 6B121371620215ABEF28AF24DC49FAE7BF8EF85310F10412AF915EB2E1D7749952CB50

Function 0021F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0021F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025F474
IsIconic.USER32(00000000), ref: 0025F47D
ShowWindow.USER32(00000000,00000009), ref: 0025F48A
SetForegroundWindow.USER32(00000000), ref: 0025F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4AA
GetCurrentThreadId.KERNEL32 ref: 0025F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0025F4DE
SetForegroundWindow.USER32(00000000), ref: 0025F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F4F6
keybd_event.USER32(00000012,00000000), ref: 0025F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F50B
keybd_event.USER32(00000012,00000000), ref: 0025F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F519
keybd_event.USER32(00000012,00000000), ref: 0025F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F528
keybd_event.USER32(00000012,00000000), ref: 0025F52D
SetForegroundWindow.USER32(00000000), ref: 0025F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0025F557

Strings

Shell_TrayWnd, xrefs: 0025F46F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction ID: bb79609caa00881b8504aa4160283b57cb795ac918cd9fa6756c829ce8f89cb1
Opcode Fuzzy Hash: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction Fuzzy Hash: 00319071A50318BBEB206FB56D4EFBF7E6CEB44B50F600026FA04F61D1D6B05D10AAA4

Function 00261201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00261286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002612A8
CloseHandle.KERNEL32(?), ref: 002612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002612D1
GetProcessWindowStation.USER32 ref: 002612EA
SetProcessWindowStation.USER32(00000000), ref: 002612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00261310

Part of subcall function 002610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
Part of subcall function 002610BF: CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Strings

Z,, xrefs: 00261392
winsta0, xrefs: 002612CC
, xrefs: 0026125A
default, xrefs: 0026130B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z,
API String ID: 22674027-3239213951
Opcode ID: 8ba34e104df8b5d6db48e3db6953c62e35a0aa2a418b136df46c072359fad247
Instruction ID: 92de5ebcfe62b8706f938e08d600c66c48af3401f0caf2219645eb9457258aff
Opcode Fuzzy Hash: 8ba34e104df8b5d6db48e3db6953c62e35a0aa2a418b136df46c072359fad247
Instruction Fuzzy Hash: CC81AF71910249BFDF119FA4DC49FEE7BB9EF04704F18412AF910A61A0DB71A9B4CB61

Function 00260B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260C00
GetLengthSid.ADVAPI32(?), ref: 00260C17
GetAce.ADVAPI32(?,00000000,?), ref: 00260C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260C6D
GetLengthSid.ADVAPI32(?), ref: 00260C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260C8C
HeapAlloc.KERNEL32(00000000), ref: 00260C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260CB4
CopySid.ADVAPI32(00000000), ref: 00260CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D45
HeapFree.KERNEL32(00000000), ref: 00260D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D55
HeapFree.KERNEL32(00000000), ref: 00260D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D65
HeapFree.KERNEL32(00000000), ref: 00260D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00260D78
HeapFree.KERNEL32(00000000), ref: 00260D7F

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction ID: ee0fb0ee7a7647134d5820eb946b2558c828c8a29920e40da42ccfa74161674a
Opcode Fuzzy Hash: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction Fuzzy Hash: 3A716B7291020AAFDF10DFA4EC88FAFBBB8FF05300F144626E918A6191D771A955DB60

Function 0027EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0029CC08), ref: 0027EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0027EB37
GetClipboardData.USER32(0000000D), ref: 0027EB43
CloseClipboard.USER32 ref: 0027EB4F
GlobalLock.KERNEL32(00000000), ref: 0027EB87
CloseClipboard.USER32 ref: 0027EB91
GlobalUnlock.KERNEL32(00000000), ref: 0027EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0027EBC9
GetClipboardData.USER32(00000001), ref: 0027EBD1
GlobalLock.KERNEL32(00000000), ref: 0027EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0027EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0027EC38
GetClipboardData.USER32(0000000F), ref: 0027EC44
GlobalLock.KERNEL32(00000000), ref: 0027EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0027EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0027ECF3
CountClipboardFormats.USER32 ref: 0027ED14
CloseClipboard.USER32 ref: 0027ED59

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction ID: 8ae1f2b527ee85516679b1302af1942031d5d901b18228884b7c51e47b606eca
Opcode Fuzzy Hash: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction Fuzzy Hash: 6A61E5742143029FD710EF24D889F2A7BA8BF88704F15959EF85A872A2DB30DD55CB72

Function 0027698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002769BE
FindClose.KERNEL32(00000000), ref: 00276A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A75

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00276AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00276ADF

Strings

%02d, xrefs: 00276C00, 00276C0A, 00276C5A, 00276CAA, 00276CFA, 00276D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00276B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00276B32
%03d, xrefs: 00276DA2
%4d, xrefs: 00276BB1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction ID: b499229ecbd52ab77bb5ce92905e9de8a4757077d39ed0fa9fedec7c3bbc5eea
Opcode Fuzzy Hash: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction Fuzzy Hash: 66D173B1518301AFC310EFA0C985EABB7ECAF98704F44491EF589D7192EB74DA54CB62

Function 00279642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00279663
GetFileAttributesW.KERNEL32(?), ref: 002796A1
SetFileAttributesW.KERNEL32(?,?), ref: 002796BB
FindNextFileW.KERNEL32(00000000,?), ref: 002796D3
FindClose.KERNEL32(00000000), ref: 002796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0027974A
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 00279768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00279772
FindClose.KERNEL32(00000000), ref: 0027977F
FindClose.KERNEL32(00000000), ref: 0027978F

Strings

*.*, xrefs: 002796F5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction ID: fe41aaead8092e5c80780116033f272872798f4d934faaaae5fc72f5aa7dc9df
Opcode Fuzzy Hash: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction Fuzzy Hash: 5D31A47256131A6ADB14DFB4EC4DEEE77AC9F09320F108256E819E2190DB30DD948A24

Function 0027979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 002797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00279819
FindClose.KERNEL32(00000000), ref: 00279824
FindFirstFileW.KERNEL32(*.*,?), ref: 00279840
SetCurrentDirectoryW.KERNEL32(?), ref: 00279890
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 002798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002798B8
FindClose.KERNEL32(00000000), ref: 002798C5
FindClose.KERNEL32(00000000), ref: 002798D5

Part of subcall function 0026DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0026DB00

Strings

*.*, xrefs: 0027983B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction ID: f2fac32b5af57790aeff84d32dd34c94c34fd2050e902e3568fe7630fe70b797
Opcode Fuzzy Hash: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction Fuzzy Hash: 5731A33155171A7ADF10EFB4EC48EDE77AC9F06324F2481A6E818A21D0DB70DDA4CE65

Function 0026D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0026D1DD
MoveFileW.KERNEL32(?,?), ref: 0026D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D237

Part of subcall function 0026D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0026D21C,?,?), ref: 0026D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0026D253
FindClose.KERNEL32(00000000), ref: 0026D264

Strings

\*.*, xrefs: 0026D0CD, 0026D0D6, 0026D0EB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 75e9c18b717e43ab1f5fbdbfaf04784604caa728a07e1ba74582b46e16c8c97f
Instruction ID: 7c848654d2a91b4ebbda4f86cbe7fb835233c97e3cb6f9191226c27024a3fe6b
Opcode Fuzzy Hash: 75e9c18b717e43ab1f5fbdbfaf04784604caa728a07e1ba74582b46e16c8c97f
Instruction Fuzzy Hash: 05615D31D1124D9BCF05EFA0D9929EEB7B9AF55300F6041A5E80677192EB305FA9CF60

Function 0027ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0027ED91
EmptyClipboard.USER32 ref: 0027ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0027EDAC
CloseClipboard.USER32 ref: 0027EEA3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction ID: 3dc440c794734e8f9cd0f380f552a6ec422f1e281056b010e6f76c3d3a4c3af2
Opcode Fuzzy Hash: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction Fuzzy Hash: 0E41F071614212AFD720CF15E88CF19BBE4FF48328F25C49AE4198B6A2C731EC51CBA0

Function 0026E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

ExitWindowsEx.USER32(?,00000000), ref: 0026E932

Strings

, xrefs: 0026E920
, xrefs: 0026E95C
@, xrefs: 0026E925
SeShutdownPrivilege, xrefs: 0026E902

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction ID: 304f633ac261cd2fcc31529a72fc8b0a20e994b101c254442e4de0aa60936800
Opcode Fuzzy Hash: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction Fuzzy Hash: BF01D676631211ABFF5466B4AC8AFBB736C9F14750F260522FC02E21D2E5A15CE085A0

Function 00281204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00281276
WSAGetLastError.WSOCK32 ref: 00281283
bind.WSOCK32(00000000,?,00000010), ref: 002812BA
WSAGetLastError.WSOCK32 ref: 002812C5
closesocket.WSOCK32(00000000), ref: 002812F4
listen.WSOCK32(00000000,00000005), ref: 00281303
WSAGetLastError.WSOCK32 ref: 0028130D
closesocket.WSOCK32(00000000), ref: 0028133C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction ID: dd1842c31087add5be9d8ae4e64c739e82c61ccb238f28b376fd7eddebf6d3b6
Opcode Fuzzy Hash: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction Fuzzy Hash: 8141B3356102119FD710EF24D488B69BBE9BF46318F288189D8568F2DBC771EC92CBE1

Function 0023B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023B9D4
_free.LIBCMT ref: 0023B9F8
_free.LIBCMT ref: 0023BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: af09bfec680bfe6687a789ca50fd847807d1a8091ac4c224ef9fcc0456fb0130
Instruction ID: 0a2fb2c593c1c02ea9f73f7b53fd53802d0b06312e6fc4475f1a4ff2799e1503
Opcode Fuzzy Hash: af09bfec680bfe6687a789ca50fd847807d1a8091ac4c224ef9fcc0456fb0130
Instruction Fuzzy Hash: 9FC14BF1E24215AFCB22DF789C45BAABBB9EF41310F14419BEA94D7251DB308E61CB50

Function 0026D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D481
FindClose.KERNEL32(00000000), ref: 0026D498
FindClose.KERNEL32(00000000), ref: 0026D4A1

Strings

\*.*, xrefs: 0026D3F2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 217edb77a72acc4c4d3e5bf27aabd93806c0cab3a6a3ef44272d54bc7d834699
Instruction ID: c369c9f6a6a0b39d0092927713ab4bef54a45046d44f4ef926c3e4e67fc9acce
Opcode Fuzzy Hash: 217edb77a72acc4c4d3e5bf27aabd93806c0cab3a6a3ef44272d54bc7d834699
Instruction Fuzzy Hash: A53182315283459FC304EF64D8959AF77A8BE91310F844A1DF4D1531D2EB30AE69DB63

Function 0023E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0023E645

Strings

1#INF, xrefs: 0023F852
1#SNAN, xrefs: 0023F844
1#QNAN, xrefs: 0023F84B
1#IND, xrefs: 0023F83D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction ID: caecc16030d62c46132a4f16895be630a36163e5a71ad5f0f8b4c88b85eec49e
Opcode Fuzzy Hash: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction Fuzzy Hash: 4BC26BB1E286298FDF65CE28DD407EAB7B5EB44304F1541EAD80DE7280E774AE958F40

Function 0027648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002764DC
CoInitialize.OLE32(00000000), ref: 00276639
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 00276650
CoUninitialize.OLE32 ref: 002768D4

Strings

.lnk, xrefs: 002764BA, 00276524, 002765E0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction ID: 0bf6f2df67c557656579f393d7c3bfe993c0dab109d23c0f87e69be151e7ab7d
Opcode Fuzzy Hash: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction Fuzzy Hash: CFD16A715287019FC304DF24C885D6BB7E9FF98304F50896DF5998B2A2EB30E959CB92

Function 002822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002822E8

Part of subcall function 0027E4EC: GetWindowRect.USER32(?,?), ref: 0027E504

GetDesktopWindow.USER32 ref: 00282312
GetWindowRect.USER32(00000000), ref: 00282319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00282355
GetCursorPos.USER32(?), ref: 00282381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002823DF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction ID: 5ebbabdb7933a5776c440739a52277f1b006a89689fadd11e6ae4a4472e0095d
Opcode Fuzzy Hash: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction Fuzzy Hash: 8931E376505315AFDB20EF54D849F5BB7E9FF84310F10091AF985A7181DB34E918CB92

Function 00279B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00279B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00279C8B

Part of subcall function 00273874: GetInputState.USER32 ref: 002738CB
Part of subcall function 00273874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00279BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00279C75

Strings

*.*, xrefs: 00279B5D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction ID: c6bdae87c018971171e747c277e7650ac72e38c0e7f92e2cc24fc3d3b5da2b22
Opcode Fuzzy Hash: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction Fuzzy Hash: 8B41697191430A9FDF15DF64D949AEE7BB4EF09314F24815AE809A3191D7309EE4CF60

Function 0021997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00219A4E
GetSysColor.USER32(0000000F), ref: 00219B23
SetBkColor.GDI32(?,00000000), ref: 00219B36

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction ID: 4df060ef45dc90e63291c8373cba698a50b5f21fc53747539e8f959a6209b839
Opcode Fuzzy Hash: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction Fuzzy Hash: 25A13A70278401BEE7249E2CAC78EFB26DDDF56301B14010AF802C6A91CA769DF9C675

Function 00281806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0028185D
WSAGetLastError.WSOCK32 ref: 00281884
bind.WSOCK32(00000000,?,00000010), ref: 002818DB
WSAGetLastError.WSOCK32 ref: 002818E6
closesocket.WSOCK32(00000000), ref: 00281915

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction ID: ece3afa10149c4ab1648603ab0a57c648391a281fc9d8826b4cf2c1a7aa32fb4
Opcode Fuzzy Hash: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction Fuzzy Hash: 9E51C675A102009FE710EF24C8CAF6A77E9AB44718F548098F9055F3D3C771ADA2CBA1

Function 00291C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00291CC0
IsWindowEnabled.USER32 ref: 00291CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00291CDB
IsIconic.USER32 ref: 00291CE9
IsZoomed.USER32 ref: 00291CF7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4c59fadfc994500b76cea1d84aea92fac946c4adc404245600cb807093bf34bc
Instruction ID: a7dd05ebb21e55a9296c8986415c701ca4b13938c604a272748a89168c558193
Opcode Fuzzy Hash: 4c59fadfc994500b76cea1d84aea92fac946c4adc404245600cb807093bf34bc
Instruction Fuzzy Hash: 1921B5717502139FDB208F1BD888B6A7BE5EF85315F29806AE846CB351CB71DC62CB91

Function 00208060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0020813C
VUUU, xrefs: 0020843C
VUUU, xrefs: 002083E8
VUUU, xrefs: 00245DF0
VUUU, xrefs: 002083FA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction ID: d84a074567485f51afec8148eaa057087f7dffdcca1518150fc97d02290761a6
Opcode Fuzzy Hash: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction Fuzzy Hash: 57A2B470E2072ACBDF28CF58C8447AEB7B1BF45310F1581A6D895A7286DB709DA1CF51

Function 00268298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002682AA

Strings

tb,, xrefs: 002684F4
|, xrefs: 002682DA
(, xrefs: 002682F0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb,$|
API String ID: 1659193697-4185060631
Opcode ID: 4a85cefba7b383a4c20a07be9eff533e8b8c9776d569b9bce846ac57ccc1fba3
Instruction ID: a44049b76034b658b3925d11b8cb51e8c90272bcba6dbc017fe5ff0b0ac11014
Opcode Fuzzy Hash: 4a85cefba7b383a4c20a07be9eff533e8b8c9776d569b9bce846ac57ccc1fba3
Instruction Fuzzy Hash: 39323774A106069FCB28CF19C080A6AB7F0FF48710B15C56EE49ADB3A1EB70E991CB40

Function 0026AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0026AAAC
SetKeyboardState.USER32(00000080), ref: 0026AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0026AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0026AB88

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction ID: 9c02e3bde8dce77f661e8516d4bb145a4b05739620f3fad1d8bfcc92213ec38b
Opcode Fuzzy Hash: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction Fuzzy Hash: 6C312730A60249AEEB35CF648C05BFE7BAAAB65314F14421BE081621D0D3758DE1CB62

Function 0027CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0027CE89
GetLastError.KERNEL32(?,00000000), ref: 0027CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0027CEFE

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 50e0a069220b9ad181f5f5a9830179ffded317d449778ac7be87b17944fbba77
Instruction ID: 40a3799aa3728a2e44e42ab48651132b8b35ae23d68e7cf3879b2f355b1b7a95
Opcode Fuzzy Hash: 50e0a069220b9ad181f5f5a9830179ffded317d449778ac7be87b17944fbba77
Instruction Fuzzy Hash: 3021BDB1520706ABEB20DFA5D948BA6B7FCEF50314F20842EE64A92151E770EE548B64

Function 00232622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0023271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00232724
UnhandledExceptionFilter.KERNEL32(?), ref: 00232731

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction ID: 175b198d0b54ddd57eb95c44ce6e2c2f6340899e342f4f7d011b7c0a3b0b990b
Opcode Fuzzy Hash: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction Fuzzy Hash: FA31B574911229ABCB21DF64EC8979DB7B8BF08310F5041EAE81CA7261E7709F958F45

Function 002751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00275238
SetErrorMode.KERNEL32(00000000), ref: 002752A1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction ID: b47063a02b30b12762fe9c13b57225eb004c032e6209844cd1b62c2e941160f8
Opcode Fuzzy Hash: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction Fuzzy Hash: 21318075A10619DFDB00DF54D888EADBBF4FF08314F148099E809AB3A2CB71E855CB61

Function 002616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220668
Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
GetLastError.KERNEL32 ref: 0026174A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9aa63fac227c399f1a9e76fd2d4096a091c03912b20a3f9e3d15d1fe9ae36cba
Instruction ID: 9505c85377d909eb9d238a240f560d44e2511dd911f9ac68178231ef38f278f8
Opcode Fuzzy Hash: 9aa63fac227c399f1a9e76fd2d4096a091c03912b20a3f9e3d15d1fe9ae36cba
Instruction Fuzzy Hash: EA1191B2424305AFD7189F54ECC6DAAB7FDEB44714B24852EE05657241EB70BCA18B20

Function 0026D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0026D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D650

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction ID: 8377aeb8b1299e901bfae99a478c98041547cd5adb0bd1664d48d7a2a082bd97
Opcode Fuzzy Hash: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction Fuzzy Hash: 3F118475E05228BFDB108F95EC49FAFBFBCEB45B50F208156F908E7290D6704A058BA1

Function 00261663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0026168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002616A1
FreeSid.ADVAPI32(?), ref: 002616B1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction ID: d8db1d0d108a6cd3b580b9b0d1e8b041f68479eb148c561b0f1c4920ed428b50
Opcode Fuzzy Hash: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction Fuzzy Hash: 06F0F475950309FBDB00DFE4DD89AAEBBBCEB08604F504565E501E2191E774AA548A50

Function 0023C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0023C36C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9aeab5c7788ac20792ce47e5cf20b1600b3e99a73a2da606629d2a322b9bf5b0
Instruction ID: b9b7e50f025246183afdbc077eef236286e8ff8747b0d8c32c1f59eee25af277
Opcode Fuzzy Hash: 9aeab5c7788ac20792ce47e5cf20b1600b3e99a73a2da606629d2a322b9bf5b0
Instruction Fuzzy Hash: A4416CB2910219AFCB24EFB9DC4CEBB7778EB84314F2042A9F905E7180E670AD50CB50

Function 0022CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: e3c507fa5afdba5d94ef7283280647b1747e20863589cc71aff50f26374ba78a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DF023D71E10129AFDF14CFA9D9806ADFBF1EF48314F25416AD819E7384D731AA51CB80

Function 0020CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00250C40
p#-, xrefs: 0020CF7F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#-
API String ID: 0-336391000
Opcode ID: 9abf33acf3a5e98c8baefbaed72eecb1d8dc46a4e42de85ac6d879bb98a5466b
Instruction ID: d5710df6791532abb78029f175ab46fadb13570ab512456800e0066f1655429c
Opcode Fuzzy Hash: 9abf33acf3a5e98c8baefbaed72eecb1d8dc46a4e42de85ac6d879bb98a5466b
Instruction Fuzzy Hash: D2329CB092031ADBDF14DF90C885AEDB7B5FF05304F24415AE806AB2D2DB71AE69CB51

Function 002768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00276918
FindClose.KERNEL32(00000000), ref: 00276961

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction ID: e9bcf443694005d575a2debf81a2dcf6271b998ba1c14d9c89dd524453f51cec
Opcode Fuzzy Hash: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction Fuzzy Hash: F511D071614601DFC710CF29D888A16BBE0FF84328F14C69AE9698F6A2CB30EC05CB91

Function 002737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737F4

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction ID: 9755b86fd64ed124af6ad8a0c80294710a17efc9c6c3566967deaaf374ba4c17
Opcode Fuzzy Hash: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction Fuzzy Hash: 7AF0E5B1A143292AEB2057669C4DFEB7BAEEFC4761F000166F509D2282D9709944CAB0

Function 0026B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0026B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0026B270

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction ID: d5b5d43994a7484c8f84f62c7549b0bca8c6b19f9552925111c8e879fee0d7e9
Opcode Fuzzy Hash: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction Fuzzy Hash: 85F01D7181428EABDB059FA0D805BEE7BB4FF04305F10801AF955A5192D3798651DF94

Function 002610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5ee1f09ab4dab961a70026feaf2370aeb9e1baf84ac9ff96b3b650af60e349c4
Instruction ID: d1d87a48abf19fce67c79a44b2b950b98f6c38020146cc892235817a9a0e9d0c
Opcode Fuzzy Hash: 5ee1f09ab4dab961a70026feaf2370aeb9e1baf84ac9ff96b3b650af60e349c4
Instruction Fuzzy Hash: 25E0BF72028611AEE7652B51FD09EB777E9EB04310F24882EF5A5804B1DB626CF0DB54

Function 0023676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00236766,?,?,00000008,?,?,0023FEFE,00000000), ref: 00236998

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction ID: 57f2964c0202b4eed30d01d21cd88f2640729a013884cf829c6b8bbb6c40747e
Opcode Fuzzy Hash: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction Fuzzy Hash: 31B17DB1620609EFD715CF28C48AB647BE4FF09364F25C658E899CF2A2C335D9A5CB40

Function 0021B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0025851F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction ID: 4e34c42dc4ccf22a6540ff7a190976bc360c04e16a47e7b9b53a9a8fe1935157
Opcode Fuzzy Hash: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction Fuzzy Hash: BF128F719202299FDB25CF58C8806EEB7F5FF58310F14819AE809EB251EB709E95CF90

Function 0027EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0027EABD

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction ID: 127ea2d72cea27f071e6b57e7015f05bcac37c05c5c57bd04ee99293d9857a1a
Opcode Fuzzy Hash: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction Fuzzy Hash: ABE012712202059FC710DF59D804D5AB7D9AF98760F118456FC49C7291DA70E8508BA1

Function 002209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002203EE), ref: 002209DA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction ID: 02d9af1e46af3c11420e80196b0d448b43e8d2f0f805d5443aa388ecd266ec9c
Opcode Fuzzy Hash: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction Fuzzy Hash:

Function 0022781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0022798B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6144aff7cb5cfcee4890abafac4d36b27463aa07c097e35cb4e8ebba113544a9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9151567163D7377ADB388DE8B85E7BE23899B02300F180519E982D7282C655DEB1E753

Function 00272046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&-, xrefs: 00272053

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: 0&-
API String ID: 0-1563157459
Opcode ID: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction ID: 5c7f4188d48a7cb3050ba8a27221ec6e62fa0b4eedebabcf83104e7b67812cee
Opcode Fuzzy Hash: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction Fuzzy Hash: 6E2196326216118BDB28CF79D81267A73E5A764310F198A2EE4A7C37D0DE35AD08CB90

Function 00236DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction ID: 3b3579c17e7b9577025c8fff1b9cdb877a185b3b5f4f8b5150c2e8e63e1afc65
Opcode Fuzzy Hash: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction Fuzzy Hash: 083214A1D39F018EDB239638D926335A649AFB73C5F15C737E81AB5DA6EF29C4834100

Function 0021CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction ID: 0228424eedf97e14405bb6d9e0b5d9d0255434fa95b1baf6c04aaea86b2cfa42
Opcode Fuzzy Hash: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction Fuzzy Hash: CC32E635A3430A8FCF24CE68C4946BD7BE1EB85316F388567DC4997291F230DDA9DA48

Function 00207920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0315e431e4f2722f19944a679294e6a9a6836f52ccbb29333e924f1941555e58
Instruction ID: b97c11a3ecfb4e6101cc6964f2cb0397c085f21b144f3f0752ffbbff4a8ac62b
Opcode Fuzzy Hash: 0315e431e4f2722f19944a679294e6a9a6836f52ccbb29333e924f1941555e58
Instruction Fuzzy Hash: 8522D270E2061ADFDF18CF64D881AAEB7F5FF48300F144569E852A7292EB75AD60CB50

Function 002091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9870fc777237b61d98d0e2771efa5a30f5e0e963b2ade65412211c5b18cea4
Instruction ID: 021a48e6260d5bfa758b14a930e83a828341272bad3f999da1dc6cd5f2d243cc
Opcode Fuzzy Hash: 5a9870fc777237b61d98d0e2771efa5a30f5e0e963b2ade65412211c5b18cea4
Instruction Fuzzy Hash: BE02D7B0E20216EFDF04DF54D981AAEB7B5FF54300F118169E8169B291EB71AA70CF81

Function 00221C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 899cef7209ab897750f7dc496b8e619ec1108479a37621ad419802244a44f070
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EE919A725280B35ADB2D4ABDA53483EFFE15A623A131A079ED4F2CB1C5FE14C974D620

Function 002219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 96a177e45dda001515ada277d0e6c5f0e272d10ae9495c4f775d0fca0e227d9b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C59197722290F359DB2D4ABAA57483DFFF15AA23A131A07AED4F2CA1C1FD14C574D620

Function 00227A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction ID: 7161a305cfb10834d3a10b5ccc49c4b11c7f10ca4ceeebf37f373a72d25edeb1
Opcode Fuzzy Hash: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction Fuzzy Hash: 7361673123C33BB6DE389DE8B895BBE2394EF41318F10091AF842CB291DA55DE728715

Function 00221706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: cce3cd50c4cb47b266466a901af235747817fbf257f83a280e059eeafad34f06
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28198335280B31DEB2D4AB9957483EFFE15AA23A131A079DD4F2CB1C1EE14C974D620

Function 00282ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00282B30
DeleteObject.GDI32(00000000), ref: 00282B43
DestroyWindow.USER32 ref: 00282B52
GetDesktopWindow.USER32 ref: 00282B6D
GetWindowRect.USER32(00000000), ref: 00282B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00282CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00282CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282CF8
GetClientRect.USER32(00000000,?), ref: 00282D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00282D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D80
GlobalLock.KERNEL32(00000000), ref: 00282D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D98
GlobalUnlock.KERNEL32(00000000), ref: 00282DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DA8
GlobalFree.KERNEL32(00000000), ref: 00282DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0029FC38,00000000), ref: 00282DDB
GlobalFree.KERNEL32(00000000), ref: 00282DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00282E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00282E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0028303F

Strings

DISPLAY, xrefs: 00282EA2
static, xrefs: 00282D3A, 00282E91
AutoIt v3, xrefs: 00282CF2
, xrefs: 00282FC5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction ID: 9f0d5f537120d120c06474c330d84b27622552daa6f2ec7fb9ad17ff78d29b4e
Opcode Fuzzy Hash: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction Fuzzy Hash: 38028875A11209EFDB14DFA4DC89EAE7BB9EF48314F108159F915AB2A1CB70AD10CF60

Function 002970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0029712F
GetSysColorBrush.USER32(0000000F), ref: 00297160
GetSysColor.USER32(0000000F), ref: 0029716C
SetBkColor.GDI32(?,000000FF), ref: 00297186
SelectObject.GDI32(?,?), ref: 00297195
InflateRect.USER32(?,000000FF,000000FF), ref: 002971C0
GetSysColor.USER32(00000010), ref: 002971C8
CreateSolidBrush.GDI32(00000000), ref: 002971CF
FrameRect.USER32(?,?,00000000), ref: 002971DE
DeleteObject.GDI32(00000000), ref: 002971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00297230
FillRect.USER32(?,?,?), ref: 00297262
GetWindowLongW.USER32(?,000000F0), ref: 00297284

Part of subcall function 002973E8: GetSysColor.USER32(00000012), ref: 00297421
Part of subcall function 002973E8: SetTextColor.GDI32(?,?), ref: 00297425
Part of subcall function 002973E8: GetSysColorBrush.USER32(0000000F), ref: 0029743B
Part of subcall function 002973E8: GetSysColor.USER32(0000000F), ref: 00297446
Part of subcall function 002973E8: GetSysColor.USER32(00000011), ref: 00297463
Part of subcall function 002973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
Part of subcall function 002973E8: SelectObject.GDI32(?,00000000), ref: 00297482
Part of subcall function 002973E8: SetBkColor.GDI32(?,00000000), ref: 0029748B
Part of subcall function 002973E8: SelectObject.GDI32(?,?), ref: 00297498
Part of subcall function 002973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
Part of subcall function 002973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
Part of subcall function 002973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ba34929dc2d1b0246b6ee40bea76d4cef437099f3f29563f86141583e00770f0
Instruction ID: 306d49d96c9f46b110fc587ac304982ac8aa5653585566d5da9949d44cc2e65d
Opcode Fuzzy Hash: ba34929dc2d1b0246b6ee40bea76d4cef437099f3f29563f86141583e00770f0
Instruction Fuzzy Hash: FDA19272428301AFDB009F60EC4CE5B7BA9FF89320F600A1AF966A61E1D771E954CF51

Function 00218D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00218E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00256AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00256AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00256F43

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

SendMessageW.USER32(?,00001053), ref: 00256F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00256F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FB7

Strings

0, xrefs: 00256DCF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction ID: 6e7f7a804f3281450ac733b170aa1cc6c8fae76e64fd25e270fda6915ead160a
Opcode Fuzzy Hash: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction Fuzzy Hash: 6812CD30621202AFDB25CF14D89CBA5B7F5FB54302F94442AF8859B662CB31ACB5CF95

Function 00282711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0028273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0028286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00282900
GetClientRect.USER32(00000000,?), ref: 0028290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00282955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00282964
GetStockObject.GDI32(00000011), ref: 00282974
SelectObject.GDI32(00000000,00000000), ref: 00282978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00282988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00282991
DeleteDC.GDI32(00000000), ref: 0028299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00282A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00282A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00282A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00282A77
GetStockObject.GDI32(00000011), ref: 00282A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00282A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00282A97

Strings

DISPLAY, xrefs: 0028295A
static, xrefs: 0028294F, 00282A71
msctls_progress32, xrefs: 00282A13
AutoIt v3, xrefs: 002828F8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction ID: 151616e88d5c8b074f565b57e2972f00e1864d721f9505f218909c94f6beea59
Opcode Fuzzy Hash: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction Fuzzy Hash: 9CB17A75A11205BFEB14DFA8DC4AFAEBBA9EB08710F108155F914E72D1D770AD50CBA0

Function 00274ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274AED
GetDriveTypeW.KERNEL32(?,0029CB68,?,\\.\,0029CC08), ref: 00274BCA
SetErrorMode.KERNEL32(00000000,0029CB68,?,\\.\,0029CC08), ref: 00274D36

Strings

CDROM, xrefs: 00274BFB
\\.\, xrefs: 00274B3F
SSD, xrefs: 00274C4A
RAID, xrefs: 00274CBB
USB, xrefs: 00274CB4
SSA, xrefs: 00274CA6
Network, xrefs: 00274C02
SATA, xrefs: 00274CD0
SAS, xrefs: 00274CC9
PhysicalDrive, xrefs: 00274B76
Removable, xrefs: 00274C10, 00274C15
ATAPI, xrefs: 00274C91
FileBackedVirtual, xrefs: 00274CEC
RAMDisk, xrefs: 00274BF4
ATA, xrefs: 00274C98
iSCSI, xrefs: 00274CC2
Fibre, xrefs: 00274CAD
SCSI, xrefs: 00274C8A
Fixed, xrefs: 00274C09
MMC, xrefs: 00274CDE
Virtual, xrefs: 00274CE5
Unknown, xrefs: 00274BED, 00274C83
1394, xrefs: 00274C9F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e6a2526a357866a9c4b58fd47fe29c1ee2d0004b74a2f4ef05d00fd649a2dbf2
Instruction ID: bddc948a7365641b362543c82940fb05e3b7329b2a633d046229cf88f419850e
Opcode Fuzzy Hash: e6a2526a357866a9c4b58fd47fe29c1ee2d0004b74a2f4ef05d00fd649a2dbf2
Instruction Fuzzy Hash: B561A2316352069BCB15EF24C985E6977A0AF06304B24C21FF80BAB692DB71EDB1DB51

Function 002973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00297421
SetTextColor.GDI32(?,?), ref: 00297425
GetSysColorBrush.USER32(0000000F), ref: 0029743B
GetSysColor.USER32(0000000F), ref: 00297446
CreateSolidBrush.GDI32(?), ref: 0029744B
GetSysColor.USER32(00000011), ref: 00297463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
SelectObject.GDI32(?,00000000), ref: 00297482
SetBkColor.GDI32(?,00000000), ref: 0029748B
SelectObject.GDI32(?,?), ref: 00297498
InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00297554
InflateRect.USER32(?,000000FD,000000FD), ref: 00297572
DrawFocusRect.USER32(?,?), ref: 0029757D
GetSysColor.USER32(00000011), ref: 0029758E
SetTextColor.GDI32(?,00000000), ref: 00297596
DrawTextW.USER32(?,002970F5,000000FF,?,00000000), ref: 002975A8
SelectObject.GDI32(?,?), ref: 002975BF
DeleteObject.GDI32(?), ref: 002975CA
SelectObject.GDI32(?,?), ref: 002975D0
DeleteObject.GDI32(?), ref: 002975D5
SetTextColor.GDI32(?,?), ref: 002975DB
SetBkColor.GDI32(?,?), ref: 002975E5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 555b29d43f9dca42f005b6d77b0090e66dbfe5ab50833ecce048c283532074bc
Instruction ID: a7669c2c6deabc6563425a5cf208dc69b759647cbdd3b4893c1b6303fd375be4
Opcode Fuzzy Hash: 555b29d43f9dca42f005b6d77b0090e66dbfe5ab50833ecce048c283532074bc
Instruction Fuzzy Hash: 87616D72910219AFDF019FA4EC49EEEBFB9EB08320F214116F915BB2A1D7709950CF90

Function 00290FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00291128
GetDesktopWindow.USER32 ref: 0029113D
GetWindowRect.USER32(00000000), ref: 00291144
GetWindowLongW.USER32(?,000000F0), ref: 00291199
DestroyWindow.USER32(?), ref: 002911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00291232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00291245
IsWindowVisible.USER32(00000000), ref: 002912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002912D0
GetWindowRect.USER32(00000000,?), ref: 002912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0029130E
GetMonitorInfoW.USER32(00000000,?), ref: 00291328
CopyRect.USER32(?,?), ref: 0029133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002913AA

Strings

tooltips_class32, xrefs: 002911E6
(, xrefs: 0029131B
0, xrefs: 002910D3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction ID: 3a8dee615b0c2773bb1fd6df9105d14bad3c52cb55416420e35c2937de7011b6
Opcode Fuzzy Hash: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction Fuzzy Hash: 20B1BE71614342AFDB10DF25C888B6ABBE4FF88354F008959F9999B2A1C731E864CF91

Function 00290241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002902E5
_wcslen.LIBCMT ref: 0029031F
_wcslen.LIBCMT ref: 00290389
_wcslen.LIBCMT ref: 002903F1
_wcslen.LIBCMT ref: 00290475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00290504

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 0026223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00262258
Part of subcall function 0026223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0026228A

Strings

DESELECT, xrefs: 0029059C
GETSUBITEMCOUNT, xrefs: 00290384, 0029039F
ISSELECTED, xrefs: 002904DD
SELECTALL, xrefs: 00290515
VIEWCHANGE, xrefs: 00290675
SELECTINVERT, xrefs: 0029057E
FINDITEM, xrefs: 00290627
GETTEXT, xrefs: 002903EC, 00290407
SELECTCLEAR, xrefs: 0029052D
SELECT, xrefs: 00290548
GETSELECTEDCOUNT, xrefs: 00290470, 0029048B
GETITEMCOUNT, xrefs: 00290316, 00290337
GETSELECTED, xrefs: 002905E1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction ID: 5da908fdb6ebfd122a3b8be21a46ce18003103a66577f81500e6ab8b24217a97
Opcode Fuzzy Hash: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction Fuzzy Hash: BFE1A1312383068FCB14DF24C99092AB7E6BFD8714B54466DF8969B2A2DB30ED65CF41

Function 00218891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00218968
GetSystemMetrics.USER32(00000007), ref: 00218970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021899B
GetSystemMetrics.USER32(00000008), ref: 002189A3
GetSystemMetrics.USER32(00000004), ref: 002189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00218A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00218A3C
GetClientRect.USER32(00000000,000000FF), ref: 00218A5A
GetStockObject.GDI32(00000011), ref: 00218A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00218A81

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

SetTimer.USER32(00000000,00000000,00000028,002190FC), ref: 00218AA8

Strings

AutoIt v3 GUI, xrefs: 00218A20

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: abe9e5b5ffe372c5fd24f56c74e59aedce325aadf2879aa539ea45dca5a343b0
Instruction ID: 2d8c93002c7d285d02646a02be7432f25b26cfe10bccf88904c270d42357ecbf
Opcode Fuzzy Hash: abe9e5b5ffe372c5fd24f56c74e59aedce325aadf2879aa539ea45dca5a343b0
Instruction Fuzzy Hash: 72B17031A1020AAFDB14DFA8DC99BEE7BB5FB48315F11421AFA15E7290DB709860CF54

Function 00260D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260E29
GetLengthSid.ADVAPI32(?), ref: 00260E40
GetAce.ADVAPI32(?,00000000,?), ref: 00260E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260E96
GetLengthSid.ADVAPI32(?), ref: 00260EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260EB5
HeapAlloc.KERNEL32(00000000), ref: 00260EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260EDD
CopySid.ADVAPI32(00000000), ref: 00260EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F6E
HeapFree.KERNEL32(00000000), ref: 00260F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F7E
HeapFree.KERNEL32(00000000), ref: 00260F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F8E
HeapFree.KERNEL32(00000000), ref: 00260F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00260FA1
HeapFree.KERNEL32(00000000), ref: 00260FA8

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction ID: 8a744f30febf2ac4fe290bfe8c3e3905e7fefb689dd2b3567cdc8c4c780ddc5d
Opcode Fuzzy Hash: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction Fuzzy Hash: 71717B7291021AEBDF20DFA5EC88FAFBBB8BF04300F144125F919A6191DB319965DB60

Function 0028C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0029CC08,00000000,?,00000000,?,?), ref: 0028C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0028C5A4
_wcslen.LIBCMT ref: 0028C5F4
_wcslen.LIBCMT ref: 0028C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0028C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0028C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0028C84D
RegCloseKey.ADVAPI32(?), ref: 0028C881
RegCloseKey.ADVAPI32(00000000), ref: 0028C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0028C960

Strings

REG_QWORD, xrefs: 0028C8C3
REG_DWORD, xrefs: 0028C804
REG_BINARY, xrefs: 0028C913
REG_SZ, xrefs: 0028C644
REG_MULTI_SZ, xrefs: 0028C6F5
REG_EXPAND_SZ, xrefs: 0028C5CD

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9689d7aa684fdffa2265abeb4df3d2fb923af8aec72b52a89e51b9e01ff5bec6
Instruction ID: de11a5bb8fba220eabef41395d182a58df17e35ef935f04ab98c86e51d24e38f
Opcode Fuzzy Hash: 9689d7aa684fdffa2265abeb4df3d2fb923af8aec72b52a89e51b9e01ff5bec6
Instruction Fuzzy Hash: BB1268356242019FCB14EF14C895A2ABBE5EF88714F14889DF84A9B3A2DB30FC51CF91

Function 0029091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002909C6
_wcslen.LIBCMT ref: 00290A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00290A54
_wcslen.LIBCMT ref: 00290A8A
_wcslen.LIBCMT ref: 00290B06
_wcslen.LIBCMT ref: 00290B81

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 00262BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00262BFA

Strings

GETTEXT, xrefs: 00290C97
EXPAND, xrefs: 00290BF8
COLLAPSE, xrefs: 00290B01, 00290B1C
SELECT, xrefs: 00290D11
GETTOTALCOUNT, xrefs: 002909F2, 00290A17
GETITEMCOUNT, xrefs: 00290C1E
EXISTS, xrefs: 00290B7C, 00290B97
GETSELECTED, xrefs: 00290C4E
UNCHECK, xrefs: 00290D3E
ISCHECKED, xrefs: 00290CE1
CHECK, xrefs: 00290A85, 00290AA0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction ID: b700165ca8f8dc0612d83177d9db208a322864ae99466d5763bf3821efdb569a
Opcode Fuzzy Hash: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction Fuzzy Hash: 48E18D312287069FCB14DF24C49096AB7E1FF98318B14895DF8969B3A2D730EDA5CF91

Function 0028C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
_wcslen.LIBCMT ref: 0028C9F1
_wcslen.LIBCMT ref: 0028CA68
_wcslen.LIBCMT ref: 0028CA9E
_wcslen.LIBCMT ref: 0028CAF9
_wcslen.LIBCMT ref: 0028CB2F
_wcslen.LIBCMT ref: 0028CB7F

Strings

HKCU, xrefs: 0028CBCE
HKEY_LOCAL_MACHINE, xrefs: 0028CA62, 0028CA67
HKEY_CURRENT_CONFIG, xrefs: 0028CB79, 0028CB7E
HKLM, xrefs: 0028CA98, 0028CA9D
HKEY_USERS, xrefs: 0028CBDF
HKU, xrefs: 0028CBF0
HKEY_CURRENT_USER, xrefs: 0028CBBD
HKCR, xrefs: 0028CB29, 0028CB2E
HKEY_CLASSES_ROOT, xrefs: 0028CAF3, 0028CAF8
HKCC, xrefs: 0028CBAC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction ID: c30036a0b2a9081a694331fc2a296c1a0c2fd3ddf9f858793c28ab8cac981588
Opcode Fuzzy Hash: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction Fuzzy Hash: FE71253663152B8BCB20FE7CDD41ABA3395AB60754B310229F866972C5E771CDB487B0

Function 0029833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029835A
_wcslen.LIBCMT ref: 0029836E
_wcslen.LIBCMT ref: 00298391
_wcslen.LIBCMT ref: 002983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00295BF2), ref: 0029844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298501
FreeLibrary.KERNEL32(?), ref: 0029850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029851D
DestroyIcon.USER32(?,?,?,?,?,00295BF2), ref: 0029852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00298549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00298555

Strings

.dll, xrefs: 002983AB
.exe, xrefs: 00298388
.icl, xrefs: 00298368

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction ID: d34085eb33f0035902aab4003a28af4ea9b3f8209206d4e1a55a627ff801a586
Opcode Fuzzy Hash: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction Fuzzy Hash: 8F61F271920216BFEF14DF64DC45BBE77A8BF05720F60460AF815D60D1DBB4A9A4CBA0

Function 00207778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00207873, 002078C5
', xrefs: 00245169
#include, xrefs: 00207847
#requireadmin, xrefs: 002077FF
#include-once, xrefs: 0020782F
#ce, xrefs: 002078ED
#pragma compile, xrefs: 002077D3
#comments-start, xrefs: 0020785F, 002078B1
#notrayicon, xrefs: 002077E7
", xrefs: 00245153
Bad directive syntax error, xrefs: 0024519A
Unterminated group of comments, xrefs: 0024528C
#comments-end, xrefs: 002078D9
#OnAutoItStartRegister, xrefs: 00207817
Cannot parse #include, xrefs: 00245279

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 3043aa3db7da1510ca6e4aae46520403c62578055a790f51584746fb5b6fc117
Instruction ID: 2c11021c0e6b86ccddffe0785ca6fc5b6b2534ae8fda5ba947eeef5ae4d86954
Opcode Fuzzy Hash: 3043aa3db7da1510ca6e4aae46520403c62578055a790f51584746fb5b6fc117
Instruction Fuzzy Hash: 1281E871A34315BBDB24AF60DC42FAE77A8AF55340F044025F909AA1D3EB70D971CAA1

Function 00265A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00265A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00265A40
SetWindowTextW.USER32(?,?), ref: 00265A57
GetDlgItem.USER32(?,000003EA), ref: 00265A6C
SetWindowTextW.USER32(00000000,?), ref: 00265A72
GetDlgItem.USER32(?,000003E9), ref: 00265A82
SetWindowTextW.USER32(00000000,?), ref: 00265A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00265AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00265AC3
GetWindowRect.USER32(?,?), ref: 00265ACC
_wcslen.LIBCMT ref: 00265B33
SetWindowTextW.USER32(?,?), ref: 00265B6F
GetDesktopWindow.USER32 ref: 00265B75
GetWindowRect.USER32(00000000), ref: 00265B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00265BD3
GetClientRect.USER32(?,?), ref: 00265BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00265C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00265C2F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction ID: 912813132c3466eefdc5a163b34c9ffb2065129f78f14872fcb1cc00fb342c69
Opcode Fuzzy Hash: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction Fuzzy Hash: 71719031910B16EFDB20DFA8CE89AAEBBF5FF48704F100519E142A25A4D774E990CF50

Function 002630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026318D
_wcslen.LIBCMT ref: 002631F8

Strings

CLASS, xrefs: 00263188, 002631A5
INSTANCE, xrefs: 00263453
TEXT, xrefs: 0026347C
CLASSNN, xrefs: 002631F3, 00263204
NAME, xrefs: 00263335, 00263346
[,, xrefs: 0026339A
REGEXPCLASS, xrefs: 00263255, 00263266

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[,
API String ID: 176396367-3538303901
Opcode ID: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction ID: c160ecd0efd1ce232059a231d6a1719020498131b2f96a284b68189a9a7611d3
Opcode Fuzzy Hash: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction Fuzzy Hash: 79E1E532A20626ABCB14DFA8C451BEDFBB0BF54710F548259E456E7240DF70AEE58BD0

Function 002200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002200C6

Part of subcall function 002200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002D070C,00000FA0,A1589F8C,?,?,?,?,002423B3,000000FF), ref: 0022011C
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002423B3,000000FF), ref: 00220127
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002423B3,000000FF), ref: 00220138
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0022014E
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0022015C
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0022016A
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00220195
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002201A0

___scrt_fastfail.LIBCMT ref: 002200E7

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

Strings

InitializeConditionVariable, xrefs: 00220148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00220122
WakeAllConditionVariable, xrefs: 00220162
SleepConditionVariableCS, xrefs: 00220154
kernel32.dll, xrefs: 00220133

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction ID: 3baa09bc26e6c9715c4b9970e1388c469dfcdf846567bb44d353c258ff07d27a
Opcode Fuzzy Hash: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction Fuzzy Hash: 5B212C32A653217BE7505FF4BD8DB5973D4DB05B51F10012BF809D62A2DB645C208AA4

Function 002744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0029CC08), ref: 00274527
_wcslen.LIBCMT ref: 0027453B
_wcslen.LIBCMT ref: 00274599
_wcslen.LIBCMT ref: 002745F4
_wcslen.LIBCMT ref: 0027463F
_wcslen.LIBCMT ref: 002746A7

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

GetDriveTypeW.KERNEL32(?,002C6BF0,00000061), ref: 00274743

Strings

fixed, xrefs: 00274635, 0027463A
all, xrefs: 00274531, 00274536
cdrom, xrefs: 0027458F, 00274594
ramdisk, xrefs: 002746F1
removable, xrefs: 002745EA, 002745EF
unknown, xrefs: 00274708
network, xrefs: 0027469D, 002746A2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction ID: 6976679628b3dd34864b1d0138d2062966839014a11e5fe562c48110316d6c2f
Opcode Fuzzy Hash: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction Fuzzy Hash: 54B104716283039FC714EF28C890A6AF7E5AFA5724F508A1DF49AC7292D770DC64CB52

Function 0029911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DragQueryPoint.SHELL32(?,?), ref: 00299147

Part of subcall function 00297674: ClientToScreen.USER32(?,?), ref: 0029769A
Part of subcall function 00297674: GetWindowRect.USER32(?,?), ref: 00297710
Part of subcall function 00297674: PtInRect.USER32(?,?,00298B89), ref: 00297720

SendMessageW.USER32(?,000000B0,?,?), ref: 002991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00299225
SendMessageW.USER32(?,000000B0,?,?), ref: 0029923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00299255
SendMessageW.USER32(?,000000B1,?,?), ref: 00299277
DragFinish.SHELL32(?), ref: 0029927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00299371

Strings

@GUI_DRAGID, xrefs: 002992E9
@GUI_DRAGFILE, xrefs: 00299320
@GUI_DROPID, xrefs: 0029929E
p#-, xrefs: 002992BB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#-
API String ID: 221274066-899051560
Opcode ID: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction ID: 8c307bb7ac8bcbd964786140333dac582805b9d6168002425e89c205744e8056
Opcode Fuzzy Hash: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction Fuzzy Hash: 82619C71518301AFD704DF64DC89DAFBBE8EF89350F500A1EF592921A1DB309A68CF62

Function 0020326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002D1990), ref: 00242F8D
GetMenuItemCount.USER32(002D1990), ref: 0024303D
GetCursorPos.USER32(?), ref: 00243081
SetForegroundWindow.USER32(00000000), ref: 0024308A
TrackPopupMenuEx.USER32(002D1990,00000000,?,00000000,00000000,00000000), ref: 0024309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002430A9

Strings

0, xrefs: 0020327D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4c97d787f26c0a049d6685568c54cfb4c830cb04143293f93eaa80a685f5b6ef
Instruction ID: 5980bb2dd8bd166e17346aa4e23f1e683628a6f92aedb4a678db6f9b6c78b170
Opcode Fuzzy Hash: 4c97d787f26c0a049d6685568c54cfb4c830cb04143293f93eaa80a685f5b6ef
Instruction Fuzzy Hash: 09710771660206BEEB25CF65DC49F9ABF68FF01324F600206F914A61E1C7B1AD74CB50

Function 00296CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00296DEB

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00296E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00296E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296E94
DestroyWindow.USER32(?), ref: 00296EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 00296EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296EFD
GetDesktopWindow.USER32 ref: 00296F16
GetWindowRect.USER32(00000000), ref: 00296F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00296F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00296F4D

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

Strings

tooltips_class32, xrefs: 00296E58, 00296EDD
0, xrefs: 00296D98

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction ID: e7359b06937505a700b0a6adf4c8e789ad15350531799e1588e6ee1fd3474b2e
Opcode Fuzzy Hash: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction Fuzzy Hash: D2717670514341AFDB25CF18EC58FBABBE9FB89304F54041EF98A972A1C770A926CB11

Function 0027C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0027C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0027C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0027C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C5F0
InternetCloseHandle.WININET(00000000), ref: 0027C5FB

Strings

, xrefs: 0027C575

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction ID: 25df4dea2ab612fb0642716d1daaf70ceab3596bfe830c8cdc376ee277e53abc
Opcode Fuzzy Hash: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction Fuzzy Hash: 64516CB1510609BFDB218FB1DD88AAB7BBCFF08754F60841EF949A6210DB31E9549B60

Function 0029856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00298592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985BA
GlobalLock.KERNEL32(00000000), ref: 002985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985D7
GlobalUnlock.KERNEL32(00000000), ref: 002985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0029FC38,?), ref: 00298611
GlobalFree.KERNEL32(00000000), ref: 00298621
GetObjectW.GDI32(?,00000018,?), ref: 00298641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00298671
DeleteObject.GDI32(?), ref: 00298699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002986AF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction ID: 4e58f95636561e6c5122b6a532d7587ff8910a54dd0666e81c22fdadbd6ae028
Opcode Fuzzy Hash: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction Fuzzy Hash: 6A411975600205AFDB11DFA5DD4CEAA7BBCFF8A711F254059F909EB260DB709901CB60

Function 002714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00271502
VariantCopy.OLEAUT32(?,?), ref: 0027150B
VariantClear.OLEAUT32(?), ref: 00271517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00271657
VariantInit.OLEAUT32(?), ref: 00271708
SysFreeString.OLEAUT32(?), ref: 0027178C
VariantClear.OLEAUT32(?), ref: 002717D8
VariantClear.OLEAUT32(?), ref: 002717E7
VariantInit.OLEAUT32(00000000), ref: 00271823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00271625
Default, xrefs: 002716AF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b364fef89b816bdb9cea6b186881c5447913ae233fe1b96d1230e03bb658611a
Instruction ID: 09c7ac6c3a0d56e490b2a5ca25bd0d43cfabe3193680ffb7318f959238e37358
Opcode Fuzzy Hash: b364fef89b816bdb9cea6b186881c5447913ae233fe1b96d1230e03bb658611a
Instruction Fuzzy Hash: 7FD11371A20206EBDF189F69E889BB9B7B5BF45700F64C056E40AAB181DB70DC70DB61

Function 0028B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0028B80A
RegCloseKey.ADVAPI32(?), ref: 0028B87E
RegCloseKey.ADVAPI32(?), ref: 0028B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0028B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0028B922
FreeLibrary.KERNEL32(00000000), ref: 0028B983
RegCloseKey.ADVAPI32(00000000), ref: 0028B994

Strings

RegDeleteKeyExW, xrefs: 0028B8FE
advapi32.dll, xrefs: 0028B8ED

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction ID: 2dc87e0fb4536e1c3e968f998065cf48fec7f75b99d696eae554275b2c964ad6
Opcode Fuzzy Hash: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction Fuzzy Hash: CBC18A35225302AFD711EF14C494F2ABBE5AF84308F24859CE59A8B6E2CB71E855CF91

Function 0028255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002825E8
CreateCompatibleDC.GDI32(?), ref: 002825F4
SelectObject.GDI32(00000000,?), ref: 00282601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0028266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002826D0
SelectObject.GDI32(?,?), ref: 002826D8
DeleteObject.GDI32(?), ref: 002826E1
DeleteDC.GDI32(?), ref: 002826E8
ReleaseDC.USER32(00000000,?), ref: 002826F3

Strings

(, xrefs: 0028268D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c002ae810e8fb7c6f9c255b9e1a3b29df906dd3fac65f282eb594c0c2630f047
Instruction ID: e49b6aa1cf289d6ad71710b5c69f9238c01f666466ab418f776b38e0d6e6959c
Opcode Fuzzy Hash: c002ae810e8fb7c6f9c255b9e1a3b29df906dd3fac65f282eb594c0c2630f047
Instruction Fuzzy Hash: 6F610675D10219EFCF04DFA4D884AAEBBF5FF48310F20852AE959A7250E770A951CF60

Function 0023DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0023DAA1

Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D659
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D66B
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D67D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D68F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6A1
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6B3
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6C5
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6D7
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6E9
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6FB
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D70D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D71F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D731

_free.LIBCMT ref: 0023DA96

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023DAB8
_free.LIBCMT ref: 0023DACD
_free.LIBCMT ref: 0023DAD8
_free.LIBCMT ref: 0023DAFA
_free.LIBCMT ref: 0023DB0D
_free.LIBCMT ref: 0023DB1B
_free.LIBCMT ref: 0023DB26
_free.LIBCMT ref: 0023DB5E
_free.LIBCMT ref: 0023DB65
_free.LIBCMT ref: 0023DB82
_free.LIBCMT ref: 0023DB9A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8749b419baa9afa0c21b940f82fd879044e322747e658473dc27e23030a6feea
Instruction ID: 055490cfbab14a94bf0009e45f620a94370ec595c82ce414ac804786e65ee05c
Opcode Fuzzy Hash: 8749b419baa9afa0c21b940f82fd879044e322747e658473dc27e23030a6feea
Instruction Fuzzy Hash: 90315AB1664206DFEB22AE39F845B5AB7E9FF00310F25545AE458D7191DE31EC648B20

Function 0026365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0026369C
_wcslen.LIBCMT ref: 002636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00263797
GetClassNameW.USER32(?,?,00000400), ref: 0026380C
GetDlgCtrlID.USER32(?), ref: 0026385D
GetWindowRect.USER32(?,?), ref: 00263882
GetParent.USER32(?), ref: 002638A0
ScreenToClient.USER32(00000000), ref: 002638A7
GetClassNameW.USER32(?,?,00000100), ref: 00263921
GetWindowTextW.USER32(?,?,00000400), ref: 0026395D

Strings

%s%u, xrefs: 00263734

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction ID: 2dc8ae45c62d9f4e2366540a111dc616839308e104bed954cadf3f55bba6d078
Opcode Fuzzy Hash: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction Fuzzy Hash: 7091B171214607AFD719DF64C885BEAF7A8FF44350F108629F99AC2190DB30EAA5CF91

Function 00264954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00264994
GetWindowTextW.USER32(?,?,00000400), ref: 002649DA
_wcslen.LIBCMT ref: 002649EB
CharUpperBuffW.USER32(?,00000000), ref: 002649F7
_wcsstr.LIBVCRUNTIME ref: 00264A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00264A64
GetWindowTextW.USER32(?,?,00000400), ref: 00264A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00264AE6
GetClassNameW.USER32(?,?,00000400), ref: 00264B20
GetWindowRect.USER32(?,?), ref: 00264B8B

Strings

ThumbnailClass, xrefs: 00264A6F, 00264AF1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction ID: f299d5ad3d9aa67e83d8b3517cf6a1dac8cb94d747900e3b54727eb9c2cac367
Opcode Fuzzy Hash: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction Fuzzy Hash: DD91D131424206AFDB04EF54D885FAA77E8FF84304F04846AFDC59A196DB30EDA5CBA1

Function 00298D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00298D5A
GetFocus.USER32 ref: 00298D6A
GetDlgCtrlID.USER32(00000000), ref: 00298D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00298E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00298ECF
GetMenuItemCount.USER32(?), ref: 00298EEC
GetMenuItemID.USER32(?,00000000), ref: 00298EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00298F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00298F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00298FA1

Strings

0, xrefs: 00298E9F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: dbb9f3a6ed6500fffb71b9b6e57594ba9c8ceb2a781c9eb71d039d9188bc46a3
Instruction ID: c26ba8a78b6fe0146e19808145f848efec0742b003f19d6953d2d016ccb7459f
Opcode Fuzzy Hash: dbb9f3a6ed6500fffb71b9b6e57594ba9c8ceb2a781c9eb71d039d9188bc46a3
Instruction Fuzzy Hash: B181A271528302AFDB10CF24D888AAB77E9FF8A754F18051EF99597291DB70D920CB62

Function 0026DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0026DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0026DC46
_wcslen.LIBCMT ref: 0026DC50
_wcsstr.LIBVCRUNTIME ref: 0026DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0026DCBC

Strings

StringFileInfo\, xrefs: 0026DC8F
\VarFileInfo\Translation, xrefs: 0026DCB4
%u.%u.%u.%u, xrefs: 0026DD9A
DefaultLangCodepage, xrefs: 0026DD1F
04090000, xrefs: 0026DCF2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ed151949b800a9a92c7e59e8be5779c2ae17d309bafa8e72fc444b479ccaa1fd
Instruction ID: a433a5b075c061e6d1d9cdc1fe797fcbe7b35b89b1521e68ccf62f5be7a23e12
Opcode Fuzzy Hash: ed151949b800a9a92c7e59e8be5779c2ae17d309bafa8e72fc444b479ccaa1fd
Instruction Fuzzy Hash: 1F412B32A642197BDB14BBB4EC47EFF77ACDF56710F100169F900A6182EB7099708BA4

Function 0028CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0028CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD48

Part of subcall function 0028CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0028CCAA
Part of subcall function 0028CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0028CCBD
Part of subcall function 0028CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028CCCF
Part of subcall function 0028CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD05
Part of subcall function 0028CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0028CCF3

Strings

RegDeleteKeyExW, xrefs: 0028CCC9
advapi32.dll, xrefs: 0028CCB8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction ID: fa8ba2d9aa48b9f4445bbc415032f36c40a7ea98b0990c091e700c62c65c37bb
Opcode Fuzzy Hash: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction Fuzzy Hash: D3317E75912129BBD720AF55EC88EFFBB7CEF05750F200166A905E3280D7709A459BB0

Function 0026E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0026E6B4

Part of subcall function 0021E551: timeGetTime.WINMM(?,?,0026E6D4), ref: 0021E555

Sleep.KERNEL32(0000000A), ref: 0026E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0026E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0026E727
SetActiveWindow.USER32 ref: 0026E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0026E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0026E773
Sleep.KERNEL32(000000FA), ref: 0026E77E
IsWindow.USER32 ref: 0026E78A
EndDialog.USER32(00000000), ref: 0026E79B

Strings

BUTTON, xrefs: 0026E719

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction ID: 5a942346356a83bdcda16e3681d2405f26705034edb4755ae94f254e8a76172e
Opcode Fuzzy Hash: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction Fuzzy Hash: C721C3B4A10301FFEF025F64FC8DA257B6DFB64348F210427F805821A1DB71AC688B64

Function 0026E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0026EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0026EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0026EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0026EAA7

Strings

close PlayMe, xrefs: 0026EA6E, 0026EA9B
play PlayMe wait, xrefs: 0026EA91
play PlayMe, xrefs: 0026EAA2
open , xrefs: 0026EA0C
status PlayMe mode, xrefs: 0026EA58
alias PlayMe, xrefs: 0026EA36

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction ID: 23af7a9d2ab9ebe4dcafbdd99319d06df712d03e2a84cda3bdce1b2487a86dc5
Opcode Fuzzy Hash: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction Fuzzy Hash: B8117375A7025979DB20E7A5DD4EEFF6A7CEFD2B00F4005297401A20D2EEB04DA5C9B0

Function 00218BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

DestroyWindow.USER32(?), ref: 00218C81
KillTimer.USER32(00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00256973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000), ref: 002569D4
DeleteObject.GDI32(00000000), ref: 002569E6

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction ID: d6eb9db1da939038816d9e428bedeaa346fddf284cd4c2b94fd39a04bdcedbb2
Opcode Fuzzy Hash: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction Fuzzy Hash: 3A61AD30922601EFDB298F14E99CBA5B7F1FB60312F60451AE44297960CB71ACF4CF94

Function 00219838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetSysColor.USER32(0000000F), ref: 00219862

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction ID: 44ed04bdf05a0cd0fc05541ab5f23553d9cfed6dd13b1b754889b216d3280791
Opcode Fuzzy Hash: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction Fuzzy Hash: BA41E231115604AFDB205F38AC98BF93BA5FB16331F654606F9A6872E1D7319CE2DB10

Function 00238D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.", xrefs: 0023903A, 00238FD0, 00238FF2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: ."
API String ID: 0-2093358890
Opcode ID: 6abc513fb8774535d42bdbb3f32a51959381014d87ec1fa4d8d72b437da0ee20
Instruction ID: cd1fd830ae6981305fd929292d8100f6e6581af475ba2efbe8d375054771e535
Opcode Fuzzy Hash: 6abc513fb8774535d42bdbb3f32a51959381014d87ec1fa4d8d72b437da0ee20
Instruction Fuzzy Hash: FAC1E4B4D2434AEFDB15DFA8D845BADBBB0AF0A310F144199F814AB392C7748991CF60

Function 002696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00269717
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269720

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00269742
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00269866

Strings

Line %d:, xrefs: 002697A0
%s (%d) : ==> %s: %s %s, xrefs: 0026984A
^ ERROR, xrefs: 002697FB
Line %d (File "%s"):, xrefs: 0026978F
Error: , xrefs: 0026981D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 744b5f32cbbf2d55d5707173681e05a2bbfd145d1c9caed888a8603ed3224a8c
Instruction ID: db76490c07261d2d3b7dcf1e3eaa51bc72919821ab71a7dc9a5e920723127a58
Opcode Fuzzy Hash: 744b5f32cbbf2d55d5707173681e05a2bbfd145d1c9caed888a8603ed3224a8c
Instruction Fuzzy Hash: 28412F72820209AACB14EBE0DD86EEE777CAF55340F500165B606720D3EE356FA8CF61

Function 002606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00260804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0026082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00260837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0026083C

Strings

SOFTWARE\Classes\, xrefs: 0026070E
\IPC$, xrefs: 00260784
\CLSID, xrefs: 00260724

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction ID: 6b9ed930f1853023b56b503a5992d157ed9b65cc3b03e88b3b5aea8769a63d52
Opcode Fuzzy Hash: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction Fuzzy Hash: 4A41E972D20229ABDF15EFA4DC95DEEB778BF04350F544169E901A31A1EB309E64CFA0

Function 00283C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00283C5C
CoInitialize.OLE32(00000000), ref: 00283C8A
CoUninitialize.OLE32 ref: 00283C94
_wcslen.LIBCMT ref: 00283D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00283DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00283ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00283F0E
CoGetObject.OLE32(?,00000000,0029FB98,?), ref: 00283F2D
SetErrorMode.KERNEL32(00000000), ref: 00283F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00283FC4
VariantClear.OLEAUT32(?), ref: 00283FD8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction ID: d5f0273135176d32096a9a496bec8d8c8b7586013444a675379c2746c7b64d10
Opcode Fuzzy Hash: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction Fuzzy Hash: 24C157756283019FD700EF68C88492BBBE9FF89B48F10491DF98A9B291D730ED55CB52

Function 00277A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00277AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00277B8F
SHGetDesktopFolder.SHELL32(?), ref: 00277BA3
CoCreateInstance.OLE32(0029FD08,00000000,00000001,002C6E6C,?), ref: 00277BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00277C74
CoTaskMemFree.OLE32(?,?), ref: 00277CCC
SHBrowseForFolderW.SHELL32(?), ref: 00277D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00277D7A
CoTaskMemFree.OLE32(00000000), ref: 00277D81
CoTaskMemFree.OLE32(00000000), ref: 00277DD6
CoUninitialize.OLE32 ref: 00277DDC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9577a8d705eb507a9f61337077de33c041b24d0014077b9d357490995d3074fe
Instruction ID: 080be1f639ffb31f5c6032c17892269504678ceb009b89a86631df1acced2cfc
Opcode Fuzzy Hash: 9577a8d705eb507a9f61337077de33c041b24d0014077b9d357490995d3074fe
Instruction Fuzzy Hash: 61C10C75A14209AFDB14DF64C888DAEBBF9FF48304B148499E81ADB262D730ED55CF90

Function 0029541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00295504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00295515
CharNextW.USER32(00000158), ref: 00295544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00295585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0029559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002955AC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction ID: 34badd4e33f1bed74df64064c2e7693c58d9753000f3ac0c294e7a42c374b35b
Opcode Fuzzy Hash: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction Fuzzy Hash: B761B031A20629EFEF168F50DC849FE7BB9FF09720F104145F925A7291D7749AA0DBA0

Function 0025FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0025FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0025FB08
VariantInit.OLEAUT32(?), ref: 0025FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0025FB3A
VariantCopy.OLEAUT32(?,?), ref: 0025FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0025FBA1
VariantClear.OLEAUT32(?), ref: 0025FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0025FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBCC
VariantClear.OLEAUT32(?), ref: 0025FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBE9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction ID: 591663224a8dd33ee05a5ad5cb6fa0b86cad633ed5fb51993bd6b2f28257cba5
Opcode Fuzzy Hash: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction Fuzzy Hash: 96418075A10219DFCF00DF68D9589AEBBB9FF08345F10806AF906A7261DB30A955CFA1

Function 00269C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00269CA1
GetAsyncKeyState.USER32(000000A0), ref: 00269D22
GetKeyState.USER32(000000A0), ref: 00269D3D
GetAsyncKeyState.USER32(000000A1), ref: 00269D57
GetKeyState.USER32(000000A1), ref: 00269D6C
GetAsyncKeyState.USER32(00000011), ref: 00269D84
GetKeyState.USER32(00000011), ref: 00269D96
GetAsyncKeyState.USER32(00000012), ref: 00269DAE
GetKeyState.USER32(00000012), ref: 00269DC0
GetAsyncKeyState.USER32(0000005B), ref: 00269DD8
GetKeyState.USER32(0000005B), ref: 00269DEA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction ID: 4b9ffc5fd51dccf08d250f1ca2f60d0e8d7c646688f840e6e462f5ccb343dfc4
Opcode Fuzzy Hash: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction Fuzzy Hash: 1F41F6305147CB69FF309F64C8043B5BEA8AF16304F44806BCAC6561C2DFB599E8C7A2

Function 0028055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002805BC
inet_addr.WSOCK32(?), ref: 0028061C
gethostbyname.WSOCK32(?), ref: 00280628
IcmpCreateFile.IPHLPAPI ref: 00280636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002807B9
WSACleanup.WSOCK32 ref: 002807BF

Strings

Ping, xrefs: 00280676

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9a7e1958ea08620283c11090cf69704dfb36951774629bdf13938d8d99f81f36
Instruction ID: 0cb65a619fcfad3dd13b20b96ecf357bf0bfcd384fb2178931c43c7333a3068c
Opcode Fuzzy Hash: 9a7e1958ea08620283c11090cf69704dfb36951774629bdf13938d8d99f81f36
Instruction Fuzzy Hash: 2191AF786192029FD360EF15D4C8F1ABBE4AF44318F1485A9F46A8B6E2C770EC59CF91

Function 00288CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00288CF3

Part of subcall function 00268E54: _wcslen.LIBCMT ref: 00268E77

_wcslen.LIBCMT ref: 00288D4E
_wcslen.LIBCMT ref: 00288D9C
_wcslen.LIBCMT ref: 00288DDC
_wcslen.LIBCMT ref: 00288E6E

Strings

stdcall, xrefs: 00288DD6, 00288DDB
cdecl, xrefs: 00288D48, 00288D4D
winapi, xrefs: 00288D96, 00288D9B
none, xrefs: 00288E65, 00288E6A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction ID: 1c255510acafcf807fd3b4a9b396523a39171364ef969ee0df0205b828cfe311
Opcode Fuzzy Hash: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction Fuzzy Hash: E751B435A211179BCF14EF6CC9409BEB7A5BF64720BA04229F426E72C5DB71ED60CB90

Function 0028372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00283774
CoUninitialize.OLE32 ref: 0028377F
CoCreateInstance.OLE32(?,00000000,00000017,0029FB78,?), ref: 002837D9
IIDFromString.OLE32(?,?), ref: 0028384C
VariantInit.OLEAUT32(?), ref: 002838E4
VariantClear.OLEAUT32(?), ref: 00283936

Strings

NULL Pointer assignment, xrefs: 0028381E
Failed to create object, xrefs: 002837E4, 0028389A
Invalid parameter, xrefs: 00283865

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 17a2d655a968f1cba2098203f7eee8cebcd300541063f48cf56005b842880a05
Instruction ID: 1998f77e57c6406b7c6ea0f5e12e4255c95056f447ba3d40a9a587ab1cc0b917
Opcode Fuzzy Hash: 17a2d655a968f1cba2098203f7eee8cebcd300541063f48cf56005b842880a05
Instruction Fuzzy Hash: 9F61A074629301AFD311EF54C888F5ABBE8EF49B14F100919F8859B2D1C770EE68CB92

Function 00278195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00278257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00278267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00278273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00278310
SetCurrentDirectoryW.KERNEL32(?), ref: 00278324
SetCurrentDirectoryW.KERNEL32(?), ref: 00278356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0027838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00278395

Strings

*.*, xrefs: 0027839B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction ID: e0a64cdc8e2ab870bec09fcdc79919d2311982fd8a38bbb179a1db156fd42273
Opcode Fuzzy Hash: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction Fuzzy Hash: 7E618CB15243459FC710EF64C8489AEB3E8FF89314F04895EF98987252DB31E965CF92

Function 00298B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00298B6B
ImageList_EndDrag.COMCTL32 ref: 00298B71
ReleaseCapture.USER32 ref: 00298B77
SetWindowTextW.USER32(?,00000000), ref: 00298C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00298C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00298CFF

Strings

p#-, xrefs: 00298C71
@GUI_DRAGFILE, xrefs: 00298C9A
@GUI_DROPID, xrefs: 00298C51

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#-
API String ID: 1924731296-962097240
Opcode ID: 7258e8dce28f1542bb5de1a8b8b1c23daba508f571f8548b1f9f0bc83bc05519
Instruction ID: a28e087b9761bede69b98adb85a6e2daa05c016e3c5ad5dd88c6f6fef515f0f7
Opcode Fuzzy Hash: 7258e8dce28f1542bb5de1a8b8b1c23daba508f571f8548b1f9f0bc83bc05519
Instruction Fuzzy Hash: EA519971515300AFDB04DF14D86AFAA77E4BB89710F50062EF952A72E2CB709D64CB62

Function 00273388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002733CF

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002733F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00273522
"%s" (%d) : ==> %s:%s%s, xrefs: 00273504
Line %d (File "%s"):, xrefs: 00273443, 0027345C
^ ERROR , xrefs: 0027349E
Incorrect parameters to object property !, xrefs: 002734AB
Error: , xrefs: 002734D1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 285256d0439452e78a70e2c6d8a6e26f52527d9fba0e2a453ba1be008f01bbee
Instruction ID: 29c4df02931a2f3175015840b74966944b2e0b4997aded10e88f0f9d24ef7d73
Opcode Fuzzy Hash: 285256d0439452e78a70e2c6d8a6e26f52527d9fba0e2a453ba1be008f01bbee
Instruction Fuzzy Hash: D5516F71D20209AADF15EBA0DD46EEEB778AF18340F504165F50572192EB316FB8DF60

Function 0026B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0026B5FC
_wcslen.LIBCMT ref: 0026B608
_wcslen.LIBCMT ref: 0026B64D
_wcslen.LIBCMT ref: 0026B68C
_wcslen.LIBCMT ref: 0026B6C7

Strings

EXISTS, xrefs: 0026B686, 0026B68B
REMOVE, xrefs: 0026B602, 0026B607
APPEND, xrefs: 0026B6C1, 0026B6C6
KEYS, xrefs: 0026B647, 0026B64C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction ID: 8b059530a2d3700057dc1254374c991316acb6ce59d4045d5bbf8f4ce471f437
Opcode Fuzzy Hash: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction Fuzzy Hash: B641E633A201279BCB216F7DC9905BEB7A9EFA0754B244229E421DB284F731CDE1C790

Function 00275393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00275416
GetLastError.KERNEL32 ref: 00275420
SetErrorMode.KERNEL32(00000000,READY), ref: 002754A7

Strings

NOTREADY, xrefs: 0027544B
READONLY, xrefs: 00275452
INVALID, xrefs: 00275459
UNKNOWN, xrefs: 00275444
READY, xrefs: 00275460, 00275468

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction ID: e204eb1b7999a388c2b9dd8a4f4ddc1d572a317da6d087d6abcae100374ee1c5
Opcode Fuzzy Hash: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction Fuzzy Hash: 9331B335A206159FD710DF68C498FAABBB4EF45305F14C05AE40ACB292DBB1DD92CBA0

Function 00293C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00293C79
SetMenu.USER32(?,00000000), ref: 00293C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00293D10
IsMenu.USER32(?), ref: 00293D24
CreatePopupMenu.USER32 ref: 00293D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00293D5B
DrawMenuBar.USER32 ref: 00293D63

Strings

F, xrefs: 00293D4E
0, xrefs: 00293C54

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1ff70632c699b6f5b34b349b3732d137c31e902f4bfb60eefdb9550b007ef1d6
Instruction ID: 478db9e154555affbe2ebeb61d79aeeb1c706f2bb0e30ae66ff52ede07f87810
Opcode Fuzzy Hash: 1ff70632c699b6f5b34b349b3732d137c31e902f4bfb60eefdb9550b007ef1d6
Instruction Fuzzy Hash: D0415EB5A1120AEFDF14CFA4E858AEA77B5FF49350F140029F946A7360D770AA20CF64

Function 00293A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00293A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00293AA0
GetWindowLongW.USER32(?,000000F0), ref: 00293AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00293AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00293B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00293BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00293BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00293BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00293BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00293C13

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction ID: c2e5ae1743374004f1660a10d84d2f66b043707e5389e9d8fbf3febceb7ed651
Opcode Fuzzy Hash: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction Fuzzy Hash: 91618A75910208AFDB10DFA8CC95EEE77B8EB09704F10409AFA15E72A2C770AE65DF50

Function 0026B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B165
GetWindowThreadProcessId.USER32(00000000), ref: 0026B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0026B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B21D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction ID: bab7ea95d77f94cfee73cab6694aaa9adbebcfe7a60ebcb069c6aa881c56e401
Opcode Fuzzy Hash: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction Fuzzy Hash: 8031AD75920205BFDB12DF64EC5CBAE7BADBB51312F208026FA05D6190D7B49ED08F61

Function 00232C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00232C94

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 00232CA0
_free.LIBCMT ref: 00232CAB
_free.LIBCMT ref: 00232CB6
_free.LIBCMT ref: 00232CC1
_free.LIBCMT ref: 00232CCC
_free.LIBCMT ref: 00232CD7
_free.LIBCMT ref: 00232CE2
_free.LIBCMT ref: 00232CED
_free.LIBCMT ref: 00232CFB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8ccd0ed4a9f06add234823515cf65c1da38ab55948c148dc9711978d13f2893c
Instruction ID: 1e451bd44fb7aa55ada498cab69c517e7b40f9beab49d842aff8d4cf0cb82b46
Opcode Fuzzy Hash: 8ccd0ed4a9f06add234823515cf65c1da38ab55948c148dc9711978d13f2893c
Instruction Fuzzy Hash: 9111A7B6120118EFCB02EF54E842EDD7BA5FF05350F5154A5F9485F222DA31EE649F90

Function 00205BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00205C7A

Part of subcall function 00205D0A: GetClientRect.USER32(?,?), ref: 00205D30
Part of subcall function 00205D0A: GetWindowRect.USER32(?,?), ref: 00205D71
Part of subcall function 00205D0A: ScreenToClient.USER32(?,?), ref: 00205D99

GetDC.USER32 ref: 002446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00244708
SelectObject.GDI32(00000000,00000000), ref: 00244716
SelectObject.GDI32(00000000,00000000), ref: 0024472B
ReleaseDC.USER32(?,00000000), ref: 00244733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002447C4

Strings

U, xrefs: 00244693

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction ID: 4194e1196402455f125b79d1d0ea31954de88c57752f929059e7351d50bcbd2c
Opcode Fuzzy Hash: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction Fuzzy Hash: F1710430420206DFDF29AF64C984BBA7BB5FF4A320F24426AED555A1A6C7309C62DF50

Function 0027359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00273742
"%s" (%d) : ==> %s:%s%s, xrefs: 00273724
^ ERROR, xrefs: 002736C9
Line %d (File "%s"):, xrefs: 0027366B
Error: , xrefs: 002736EF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 25937bd08b3483543fed06f199d94c84809e8ee1ff47e6fca74785d57b3cff52
Instruction ID: 340d4d4c4d64299019939b4f6bd81c24addae6f883a9ea0aa6452700edef8638
Opcode Fuzzy Hash: 25937bd08b3483543fed06f199d94c84809e8ee1ff47e6fca74785d57b3cff52
Instruction Fuzzy Hash: 9C516E71D2020ABADF14EBA0DC46EEEBB78AF04300F144165F105721A2EB315AF9DFA0

Function 0027C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C2CA
GetLastError.KERNEL32 ref: 0027C322
SetEvent.KERNEL32(?), ref: 0027C336
InternetCloseHandle.WININET(00000000), ref: 0027C341

Strings

, xrefs: 0027C2BB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction ID: 8511ed11a2c78bc7f7e4b701934e94af947f290a3ac6c08ff5eccc159ce3cdb6
Opcode Fuzzy Hash: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction Fuzzy Hash: B3317AB1620608AFD7219FB49C88AAB7BFCEB49744B20C51EF84A92201DB34DD149B61

Function 0026989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00243AAF,?,?,Bad directive syntax error,0029CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002698BC
LoadStringW.USER32(00000000,?,00243AAF,?), ref: 002698C3

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00269987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 002698F1
Line %d:, xrefs: 00269912
., xrefs: 0026996D
Line %d (File "%s"):, xrefs: 0026992D
Error: , xrefs: 00269955

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction ID: 054339f9f17b3ae2b931850cf0717b28d8b3fc0348c92088253e5c7276cf4503
Opcode Fuzzy Hash: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction Fuzzy Hash: EE216D3182021AABCF25EF90CC4AEEE7779BF18704F04445AF515620A2EA7196B8DF50

Function 0026209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0026214D

Strings

list, xrefs: 0026212F
SHELLDLL_DefView, xrefs: 002620CC
details, xrefs: 002620FB
smallicons, xrefs: 00262115
largeicons, xrefs: 002620E1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction ID: 3516b20bb19b858d56c7b596be31790fad81d0b5d8cd06b78c664a56065d4afd
Opcode Fuzzy Hash: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction Fuzzy Hash: 28113D761BCB17F5F6056620EC0AEA6379CCB16314B30015AFB08A40D2EEA1ACF55914

Function 0023CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0023CEB7
_free.LIBCMT ref: 0023CF22
_free.LIBCMT ref: 0023CF48
_free.LIBCMT ref: 0023CF71
_free.LIBCMT ref: 0023CFA9
_free.LIBCMT ref: 0023CFDA
_free.LIBCMT ref: 0023D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0023D09C
_free.LIBCMT ref: 0023D0B5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 542e54b8c8c84a39b49dc02f924234f2cb075b717f605d7f821e6d1cd255a924
Instruction ID: f99b1b6b2554c905084ea2ae6035166cfd0e06a448d1aefb916ab53cd1ad115c
Opcode Fuzzy Hash: 542e54b8c8c84a39b49dc02f924234f2cb075b717f605d7f821e6d1cd255a924
Instruction Fuzzy Hash: 5A6178F1924312EFDB25AFB4A885B697BA5EF05710F24416FF800B7281D6329D21CB90

Function 002950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00295186
ShowWindow.USER32(?,00000000), ref: 002951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002951D1

Part of subcall function 00296FBA: DeleteObject.GDI32(00000000), ref: 00296FE6

GetWindowLongW.USER32(?,000000F0), ref: 0029520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0029521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0029524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00295287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00295296

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: fe214a2b3d57bfa31788f56ef223ba7723a9e5bc757142bbae6628d36b188c92
Instruction ID: 62c7e20c92417e31c18b10adc719b78111bf15f70ef814e05ff1ca60d171f91d
Opcode Fuzzy Hash: fe214a2b3d57bfa31788f56ef223ba7723a9e5bc757142bbae6628d36b188c92
Instruction Fuzzy Hash: 3251B430B70A29BFEF269F24DC49BD87BA5EB05321F244012F919962E0C3B599B1DF40

Function 00218B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00256890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 00256901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 0025692D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction ID: f39946b9b976e9c05e3f865951aabd0674d84feac7c48998ae5c9052a90e49c2
Opcode Fuzzy Hash: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction Fuzzy Hash: AD518C70A20206AFDB20CF24DC99BAA77F5EF64354F104519F906D72A0DB70EEA4DB50

Function 0027C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C182
GetLastError.KERNEL32 ref: 0027C195
SetEvent.KERNEL32(?), ref: 0027C1A9

Part of subcall function 0027C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
Part of subcall function 0027C253: GetLastError.KERNEL32 ref: 0027C322
Part of subcall function 0027C253: SetEvent.KERNEL32(?), ref: 0027C336
Part of subcall function 0027C253: InternetCloseHandle.WININET(00000000), ref: 0027C341

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction ID: cab528fee6bd2e54987ca317091b5d75b896cfa01936946ba9ea9bc170a41ddc
Opcode Fuzzy Hash: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction Fuzzy Hash: 0C318F71610601AFDB219FB5EC48A67BBF8FF58300B60842EF95E82611D730E9249F60

Function 002625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00262601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00262605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0026260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00262623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00262627

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction ID: abe096c3d5676a025bb2dfccd11241b436393c182962d6074f92e10c5495aefb
Opcode Fuzzy Hash: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction Fuzzy Hash: 2001B530690610BBFB106769DC8EF593E59DF4AB51F200012F318AE0D1C9E11454DA69

Function 00261803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00261449,?,?,00000000), ref: 0026180C
HeapAlloc.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261828
GetCurrentProcess.KERNEL32(?,00000000,?,00261449,?,?,00000000), ref: 00261830
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261843
GetCurrentProcess.KERNEL32(00261449,00000000,?,00261449,?,?,00000000), ref: 0026184B
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 0026184E
CreateThread.KERNEL32(00000000,00000000,00261874,00000000,00000000,00000000), ref: 00261868

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction ID: 95165ff2e12377315a7bd2ce340db0abf2bdcc5c793bf6214184fb7db20d1a56
Opcode Fuzzy Hash: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction Fuzzy Hash: 1001BF75240304BFE710AB65ED4DF5B3B6CEB89B11F504411FA05DB1A1C6709810CB34

Function 0028A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0026D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Part of subcall function 0026D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Part of subcall function 0026D4DC: CloseHandle.KERNEL32(00000000), ref: 0026D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A16D
GetLastError.KERNEL32 ref: 0028A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0028A268
GetLastError.KERNEL32(00000000), ref: 0028A273
CloseHandle.KERNEL32(00000000), ref: 0028A2C4

Strings

SeDebugPrivilege, xrefs: 0028A18F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 54bd882dc95e932a62bf6d03e54c378f75b0c5af50eb64764f8d07aaa919f3ba
Instruction ID: 63a08e5707a6ce1488827adb728d6c7bfae3326312ae410798bf4b7d45c4d787
Opcode Fuzzy Hash: 54bd882dc95e932a62bf6d03e54c378f75b0c5af50eb64764f8d07aaa919f3ba
Instruction Fuzzy Hash: 2861A3742152429FE720EF18C498F15BBE1AF44318F14849DE45A4B7E3CB76EC55CB92

Function 00293886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00293925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0029393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00293954
_wcslen.LIBCMT ref: 00293999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002939F4

Strings

SysListView32, xrefs: 002938F7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction ID: aa8ffd2f809e7ca2a8673a7212e12a4d757a7553384f6c48c8370e87466290ae
Opcode Fuzzy Hash: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction Fuzzy Hash: F4418671A10219ABEF21DF64CC49FEA77A9FF48350F10052AF958E7281D7719DA4CB90

Function 0026BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0026BCFD
IsMenu.USER32(00000000), ref: 0026BD1D
CreatePopupMenu.USER32 ref: 0026BD53
GetMenuItemCount.USER32(00B657B0), ref: 0026BDA4
InsertMenuItemW.USER32(00B657B0,?,00000001,00000030), ref: 0026BDCC

Strings

2, xrefs: 0026BD37
0, xrefs: 0026BCA8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2a7c2b2283fe95f2e150f7d086fd803451643a84c34c963d83b563868be5e12f
Instruction ID: cd8656b3c311226e36f9298f0c46ecd48a0dc4a97650beef4c7919db0798a343
Opcode Fuzzy Hash: 2a7c2b2283fe95f2e150f7d086fd803451643a84c34c963d83b563868be5e12f
Instruction Fuzzy Hash: 0451B270A20206DBDF12DFA8D8C8BAEBBF8BF45314F24415AE441EB291D77099E1CB51

Function 00222D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00222D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00222D53
_ValidateLocalCookies.LIBCMT ref: 00222DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00222E0C
_ValidateLocalCookies.LIBCMT ref: 00222E61

Strings

&H", xrefs: 00222DFE, 00222E07, 00222E18
csm, xrefs: 00222DF6

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H"$csm
API String ID: 1170836740-3377455284
Opcode ID: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction ID: 6461f5830f3acf12e13545faef51e69044e4f4e3fb583f77d27c958bf3ac7127
Opcode Fuzzy Hash: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction Fuzzy Hash: 6B41D634A20229FBCF10DFA8E844A9EBBA4BF45324F148155E8145B352D736AA29CF91

Function 0026C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0026C913

Strings

blank, xrefs: 0026C895
question, xrefs: 0026C8CC
warning, xrefs: 0026C8FC
stop, xrefs: 0026C8E4
info, xrefs: 0026C8B4

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction ID: acdad67ae5d5de3cb70d96512d953514d0d50df0026f45de71da1bbef66e9974
Opcode Fuzzy Hash: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction Fuzzy Hash: 59112B316BA307BAA705BB54EC86DBA679CDF16354B30002FF944A7282D7F05DA05664

Function 0026ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0026ED2A
_wcslen.LIBCMT ref: 0026ED3B
_wcslen.LIBCMT ref: 0026ED79
_wcslen.LIBCMT ref: 0026EDAF
_wcslen.LIBCMT ref: 0026EDDF
_wcslen.LIBCMT ref: 0026EDEF
_wcslen.LIBCMT ref: 0026EE2B
_wcslen.LIBCMT ref: 0026EE5A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction ID: 5d73230382ec574176e0f869b59e7f68c371a15fb59a13f1d36aeba6741149f2
Opcode Fuzzy Hash: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction Fuzzy Hash: 40417566C20128B5CB11FBF4988AACF77ACAF45710F514562F914E3122FB34E2A5C7E5

Function 0021F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0021F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F454

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction ID: 651cfdc978ba3509d7111bb548fd455d33f9e9eb806fb4a7d1d4ff411c54ce1c
Opcode Fuzzy Hash: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction Fuzzy Hash: 7C417B306382C1BAD7B4AF28DB8C7EA7BD1AB66320F58443DE46752560C671A8E1CB50

Function 00292D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292D1B
GetDC.USER32(00000000), ref: 00292D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292D2E
ReleaseDC.USER32(00000000,00000000), ref: 00292D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00292D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00292D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00295A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00292DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00292DE1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction ID: 86693869f5a15bc50b309851238edd1230b380be1809f6d14cc7f7562a78d97a
Opcode Fuzzy Hash: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction Fuzzy Hash: D3316772211214BBEF258F50DC8AFEB3BADEF49715F144066FE089A291C6759C50CBB4

Function 00265622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265637
_memcmp.LIBVCRUNTIME ref: 00265659
_memcmp.LIBVCRUNTIME ref: 00265671
_memcmp.LIBVCRUNTIME ref: 00265684
_memcmp.LIBVCRUNTIME ref: 0026569E
_memcmp.LIBVCRUNTIME ref: 002656B1
_memcmp.LIBVCRUNTIME ref: 002656C9
_memcmp.LIBVCRUNTIME ref: 002656E4

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction ID: a76b5554d6860fe30e97bf5f8e6dcd6ea138874c35c5ee983acd8d7df74d4d4e
Opcode Fuzzy Hash: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction Fuzzy Hash: AB212661670A3A7BD668DA20EE82FFA334DAF31394F444021FD04AA685F760ED70C5A5

Function 00284FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0028502E, 00285383
Not an Object type, xrefs: 00285007

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a7214f28df04b3f4c751e339d61abf97efa036ea880363955df1c5d686a6f621
Instruction ID: 915e19ef58ad51eb871dc8cb191ac73a87e7fb37807e0df261c8993c59b66ece
Opcode Fuzzy Hash: a7214f28df04b3f4c751e339d61abf97efa036ea880363955df1c5d686a6f621
Instruction Fuzzy Hash: 0BD1E279A1161AAFDF10EFA8C884BAEB7B5FF48344F148069E915AB2C0E770DD51CB50

Function 00241522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002417FB,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416FB

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241777
__freea.LIBCMT ref: 002417A2
__freea.LIBCMT ref: 002417AE

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction ID: b9f922caafce395c090eb7c264840ba5de1beb4007d276aafb48984d656b56ec
Opcode Fuzzy Hash: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction Fuzzy Hash: 5F91D471E302169ADF288F74CC81AEEBBB9AF49750F584659E805E7181D735CDB0CB60

Function 00284523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00284648
VariantInit.OLEAUT32(?), ref: 00284749
VariantClear.OLEAUT32(?), ref: 00284753
VariantClear.OLEAUT32(?), ref: 002847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002845D8, 00284706, 002847BE
Incorrect Object type in FOR..IN loop, xrefs: 0028472C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5ee0894d53be1af761babfb70ab23b8dc434f8dc70727ee26365435bcdc93642
Instruction ID: 3bf92312edea8db2baac7b382aba1b7c8384202e5fab1a18095b0114ede9c480
Opcode Fuzzy Hash: 5ee0894d53be1af761babfb70ab23b8dc434f8dc70727ee26365435bcdc93642
Instruction Fuzzy Hash: 7891A174A21216AFDF20EFA4C844FAEBBB8EF46714F108559F505AB280D7709951CFA0

Function 00271187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0027125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00271284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0027135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00271430

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 60a13a833ff4033e0e5be52a142b7548544ac47fca0b861042089f1bab6aa629
Instruction ID: 126072bb23f09667f871955bcca36162377ee997781f6e440e82903a2a20dc0b
Opcode Fuzzy Hash: 60a13a833ff4033e0e5be52a142b7548544ac47fca0b861042089f1bab6aa629
Instruction Fuzzy Hash: 6B911771A20219AFEB00DF98D895BBE77B5FF45314F108029E908EB292D774A971CF50

Function 0021948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction ID: afcdd22d45c8a3b2fa1c75af37d4ead3ff3c3be7c07391fc43982cb4796a502a
Opcode Fuzzy Hash: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction Fuzzy Hash: DA912671D5021AEFCB10CFA9CC88AEEBBB9FF49320F148055E915B7251D374AA91CB60

Function 00283947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0028396B
CharUpperBuffW.USER32(?,?), ref: 00283A7A
_wcslen.LIBCMT ref: 00283A8A
VariantClear.OLEAUT32(?), ref: 00283C1F

Part of subcall function 00270CDF: VariantInit.OLEAUT32(00000000), ref: 00270D1F
Part of subcall function 00270CDF: VariantCopy.OLEAUT32(?,?), ref: 00270D28
Part of subcall function 00270CDF: VariantClear.OLEAUT32(?), ref: 00270D34

Strings

AUTOIT.ERROR, xrefs: 00283A80, 00283A85
Incorrect Parameter format, xrefs: 002839A6, 00283BA1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b5b5b31b035152f7804d5458314f9fb867d47f914e1a4b5eb8dfe668c3ffb216
Instruction ID: ee559c15eccad877249ec435f9e8ce7afdbaeb7fdb19ccd173419c17b6afd191
Opcode Fuzzy Hash: b5b5b31b035152f7804d5458314f9fb867d47f914e1a4b5eb8dfe668c3ffb216
Instruction Fuzzy Hash: 7B9149756283019FC704EF24C48096AB7E4BF89714F14892EF88A97392DB31EE55CF92

Function 00284BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0026000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
Part of subcall function 0026000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
Part of subcall function 0026000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
Part of subcall function 0026000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00284C51
_wcslen.LIBCMT ref: 00284D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00284DCF
CoTaskMemFree.OLE32(?), ref: 00284DDA

Strings

NULL Pointer assignment, xrefs: 00284E23, 00284E52

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction ID: 00ff83c1e7553728162c2f75b498411606df534c0a5138a8c11ab040ab362ff0
Opcode Fuzzy Hash: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction Fuzzy Hash: D8913B71D1121EEFDF14EFA4D891AEEB7B8BF08304F10816AE915A7291DB705A64CF60

Function 002920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00292183
GetMenuItemCount.USER32(00000000), ref: 002921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002921DD
_wcslen.LIBCMT ref: 00292213
GetMenuItemID.USER32(?,?), ref: 0029224D
GetSubMenu.USER32(?,?), ref: 0029225B

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002922E3

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: d5f3740806ee9a0991ce91495efc82e873cc9f223d1e93f3deba9adc45361b15
Instruction ID: eacbe45099eb37a0878b525d2ee0320ac4c5dab45d3e6076682ded945f315ee1
Opcode Fuzzy Hash: d5f3740806ee9a0991ce91495efc82e873cc9f223d1e93f3deba9adc45361b15
Instruction Fuzzy Hash: 9D716C75E20205EFCF14EFA4C845AAEB7F5AF48310F1484A9E816EB352DB34AD558F90

Function 0026AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0026AEF9
GetKeyboardState.USER32(?), ref: 0026AF0E
SetKeyboardState.USER32(?), ref: 0026AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0026AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0026AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0026AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0026B020

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction ID: 03e1394504649676075fda1ec98571eaeefe3e47ff57b4526d6d2372a1d24b97
Opcode Fuzzy Hash: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction Fuzzy Hash: 1451D6A0A247D63DFB3746348C45BBA7EE95B06304F088489F1D9958C3C3E9ACE4DB52

Function 0026ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0026AD19
GetKeyboardState.USER32(?), ref: 0026AD2E
SetKeyboardState.USER32(?), ref: 0026AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0026ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0026ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0026AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0026AE38

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction ID: d8577cf24d1e68b6f0e7327228a31125d737790f9fc562504d610e84e665733a
Opcode Fuzzy Hash: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction Fuzzy Hash: 085107A1A247D23DFB378B348C95B7A7EE85B46300F088499E1D5668C3C295ECE4DB52

Function 0023542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00243CD6,?,?,?,?,?,?,?,?,00235BA3,?,?,00243CD6,?,?), ref: 00235470
__fassign.LIBCMT ref: 002354EB
__fassign.LIBCMT ref: 00235506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00243CD6,00000005,00000000,00000000), ref: 0023552C
WriteFile.KERNEL32(?,00243CD6,00000000,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 0023554B
WriteFile.KERNEL32(?,?,00000001,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 00235584

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction ID: 8b3ea8c3cd2a28ec3a4fedbcbb967552aea303fb18b377d494be74500cf6eeef
Opcode Fuzzy Hash: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction Fuzzy Hash: 5B51E6B09106199FDB10CFA8D885BEEBBF9EF08300F14451AF559E7291D730AA51CB60

Function 002810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00281112
WSAGetLastError.WSOCK32 ref: 00281121
WSAGetLastError.WSOCK32 ref: 002811C9
closesocket.WSOCK32(00000000), ref: 002811F9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction ID: 509c32dfa16d8a5d953ec580a001cb70d4c9f64307607324c60c5712eed601aa
Opcode Fuzzy Hash: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction Fuzzy Hash: 95411475610205AFDB10AF54D888BA9BBEDFF44364F248059FD099B2D2C770AD62CFA1

Function 0026CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

lstrcmpiW.KERNEL32(?,?), ref: 0026CF45
MoveFileW.KERNEL32(?,?), ref: 0026CF7F
_wcslen.LIBCMT ref: 0026D005
_wcslen.LIBCMT ref: 0026D01B
SHFileOperationW.SHELL32(?), ref: 0026D061

Strings

\*.*, xrefs: 0026CFF3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction ID: 03584ffc534bed83918abfb92d45aab2c8ed75f16b34326e48a92c1eb7a4d3e6
Opcode Fuzzy Hash: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction Fuzzy Hash: 48415771D5521D9FDF12EFA4D981AED77B8AF08380F1000E6E545EB142EA34A6D4CF50

Function 00292DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00292E1C
GetWindowLongW.USER32(?,000000F0), ref: 00292E4F
GetWindowLongW.USER32(?,000000F0), ref: 00292E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00292EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00292EE0
GetWindowLongW.USER32(?,000000F0), ref: 00292EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00292F0B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction ID: 1b99c32d0bc19f27d6f0ef58f22fcafd25b0b2c268b8cccb3b18a158d15661ea
Opcode Fuzzy Hash: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction Fuzzy Hash: E9312335A15151EFDF21CF18ECD8FA537A4EB8A710F140065F9409B2B2CB60BC649B10

Function 00267726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0026778F
SysAllocString.OLEAUT32(00000000), ref: 00267792
SysAllocString.OLEAUT32(?), ref: 002677B0
SysFreeString.OLEAUT32(?), ref: 002677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002677DE
SysAllocString.OLEAUT32(?), ref: 002677EC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cc7139802495e583e9217ce71822f790facb3eb81fbf077f241850a20b4d91c6
Instruction ID: 9d5c3bbcfc84a9dfa5145f709c32d9697506e9f7efc82d9a62cfb0a0c61fae8a
Opcode Fuzzy Hash: cc7139802495e583e9217ce71822f790facb3eb81fbf077f241850a20b4d91c6
Instruction Fuzzy Hash: CB21D676618219AFDF11EFA8ED88CBBB7ECEB093687148026F914DB150D674DC818B64

Function 002677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267868
SysAllocString.OLEAUT32(00000000), ref: 0026786B
SysAllocString.OLEAUT32 ref: 0026788C
SysFreeString.OLEAUT32 ref: 00267895
StringFromGUID2.OLE32(?,?,00000028), ref: 002678AF
SysAllocString.OLEAUT32(?), ref: 002678BD

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6c1d3cf27623f58ff252d067c50d1c21125c604a3c730f0abdc3a5babf2adb6a
Instruction ID: 028f68fbf32979ad94a2c7d2bb51b53dd7ceac1de655216134c387d5725101dc
Opcode Fuzzy Hash: 6c1d3cf27623f58ff252d067c50d1c21125c604a3c730f0abdc3a5babf2adb6a
Instruction Fuzzy Hash: 36218331618205AFDF10AFB8EC8CDBA77ECEB097647208125F915CB2A1D670DC91DB64

Function 002704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0027052E

Strings

nul, xrefs: 00270567

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction ID: ffcc8db309baecbae283d07fff7631dadbf4c75f3aff8a9af816cbbb4917ff30
Opcode Fuzzy Hash: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction Fuzzy Hash: 59217475920306DFDB209F29DC88A5A77B4BF44724F608A19F8A5D72E0D7709968CF20

Function 002705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00270601

Strings

nul, xrefs: 00270639

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction ID: afcd86e6047930d5fc77053945af4f45985f41e23860b2a836ea108dd6bb9caa
Opcode Fuzzy Hash: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction Fuzzy Hash: 9121B575510306DBDB209F69DC94A5A77E8BF85720F208B1AFCA5E72D0D7B09874CB20

Function 002940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00294112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0029411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0029412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00294139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00294145

Strings

Msctls_Progress32, xrefs: 002940E3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction ID: bfc928d075c3bdd5951d175d84737ff923e79abbe9ecebe51ef131c7c5a5c52c
Opcode Fuzzy Hash: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction Fuzzy Hash: 5C11B2B215021ABEFF119F64CC85EE77F5DEF09798F004111BA18A2090C6729C31DBA4

Function 0023D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0023D7A3: _free.LIBCMT ref: 0023D7CC

_free.LIBCMT ref: 0023D82D

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D838
_free.LIBCMT ref: 0023D843
_free.LIBCMT ref: 0023D897
_free.LIBCMT ref: 0023D8A2
_free.LIBCMT ref: 0023D8AD
_free.LIBCMT ref: 0023D8B8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 55137dc936421f38ba08708b797a44cb7214c60cae8e99b732186d554bc01a85
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 611151B1960B14EAD521BFB0EC47FCBBBDC6F00700F400825B699A6192DA65B5254E50

Function 0026DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0026DA74
LoadStringW.USER32(00000000), ref: 0026DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0026DA91
LoadStringW.USER32(00000000), ref: 0026DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0026DAB9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction ID: 4cb0417765d89ee55769c09894293d6240c7969499d1beaded8a19a7941a3f5d
Opcode Fuzzy Hash: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction Fuzzy Hash: 870162F29142087FEB10DBE4AD8DEE7766CEB08301F500497B746E2041EA749E844F74

Function 0027096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B5AEF0,00B5AEF0), ref: 0027097B
EnterCriticalSection.KERNEL32(00B5AED0,00000000), ref: 0027098D
TerminateThread.KERNEL32(?,000001F6), ref: 0027099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002709A9
CloseHandle.KERNEL32(?), ref: 002709B8
InterlockedExchange.KERNEL32(00B5AEF0,000001F6), ref: 002709C8
LeaveCriticalSection.KERNEL32(00B5AED0), ref: 002709CF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction ID: ff90028451c412b349333f639339ca3ab684b8ce721a740e7cb6d150345570eb
Opcode Fuzzy Hash: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction Fuzzy Hash: 43F0CD31442912EBD7515FA4EE8DAD67A25BF05702F901026F601508A1C775A475CFA4

Function 00281C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00281DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00281DE1
WSAGetLastError.WSOCK32 ref: 00281DF2
htons.WSOCK32(?,?,?,?,?), ref: 00281EDB
inet_ntoa.WSOCK32(?), ref: 00281E8C

Part of subcall function 002639E8: _strlen.LIBCMT ref: 002639F2

Part of subcall function 00283224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0027EC0C), ref: 00283240

_strlen.LIBCMT ref: 00281F35

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 48498bd52f9b8fe0ea68c3a7cb53c1ed5f96cf05f5901f8213c0043731b0b4f0
Instruction ID: ceefc5d3f14aa9d2630367f87e082296c5b03f4dfd6a689bddab4d9a4e69e773
Opcode Fuzzy Hash: 48498bd52f9b8fe0ea68c3a7cb53c1ed5f96cf05f5901f8213c0043731b0b4f0
Instruction Fuzzy Hash: 7FB1D134214301AFC324EF24C885E2A7BE9AF94318F54894CF5565B2E3DB71EDA2CB91

Function 002301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002300D6
__allrem.LIBCMT ref: 002300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023010B
__allrem.LIBCMT ref: 00230122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00230140

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ec66ab2f6e24f4617ca530a946c3ac76555d257ac6ad620aca9e94e24465cab
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 42815AB2A20716ABE7249F78CD91B6B73F8AF41720F24413AF550D76C1E770D9208B60

Function 002361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002282D9,002282D9,?,?,?,0023644F,00000001,00000001,8BE85006), ref: 00236258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0023644F,00000001,00000001,8BE85006,?,?,?), ref: 002362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002363D8
__freea.LIBCMT ref: 002363E5

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

__freea.LIBCMT ref: 002363EE
__freea.LIBCMT ref: 00236413

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction ID: 6377692ffc90f60b07327207322f2e3d3dc1db9d8e71c6cbb0b8bc7fb5bd7e0e
Opcode Fuzzy Hash: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction Fuzzy Hash: A551E3B2A20217BBDB258FA4DC89EBF77ADEB44B10F158669FD05D6140DB34DC60CA60

Function 0028BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BD25
RegCloseKey.ADVAPI32(00000000), ref: 0028BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0028BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028BDF3
RegCloseKey.ADVAPI32(?), ref: 0028BDFF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7f76feed140f259ccb625a5a50b52aac1e20c755178feaec1164e32ab113b84d
Instruction ID: 4e72a214fbef1c028f2079a3c4cfce09aeed313a97c09375879aa4d11edddacb
Opcode Fuzzy Hash: 7f76feed140f259ccb625a5a50b52aac1e20c755178feaec1164e32ab113b84d
Instruction Fuzzy Hash: E0819B34228241AFD715EF24C885E2ABBE5FF84308F14855DF4594B2A2CB31ED55CB92

Function 0025F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0025F7B9
SysAllocString.OLEAUT32(00000001), ref: 0025F860
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F889
VariantClear.OLEAUT32(0025FA64), ref: 0025F8AD
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F8B1
VariantClear.OLEAUT32(?), ref: 0025F8BB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e67054c15fabebbbcacbcfdd10a59af534d8df6c7270826cdc949b6cd8ab9458
Instruction ID: ed94fb1a76cc77b72f308c236dccd85f1e93fd006a45e9f86a2ac984e192904f
Opcode Fuzzy Hash: e67054c15fabebbbcacbcfdd10a59af534d8df6c7270826cdc949b6cd8ab9458
Instruction Fuzzy Hash: 8851D931630310ABCF90AF65D995B29B3A8EF45312B245467ED05DF292DB708CA4CB5A

Function 0027910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002794E5
_wcslen.LIBCMT ref: 00279506
_wcslen.LIBCMT ref: 0027952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00279585

Strings

X, xrefs: 00279412

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 242766da692eeeeb1a52ef6dc6d7bb2156496f122e0d7cfdc756d84666d35dc0
Instruction ID: 20d93f676d4f2e047267c755e844e50046a74681f22c6732ad5326cc74ec3386
Opcode Fuzzy Hash: 242766da692eeeeb1a52ef6dc6d7bb2156496f122e0d7cfdc756d84666d35dc0
Instruction Fuzzy Hash: AAE1D3315283518FC724EF24C881A6AB7E4FF85314F04896DF8899B2A2DB30DD95CF92

Function 0021920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

BeginPaint.USER32(?,?,?), ref: 00219241
GetWindowRect.USER32(?,?), ref: 002192A5
ScreenToClient.USER32(?,?), ref: 002192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002192D3
EndPaint.USER32(?,?,?,?,?), ref: 00219321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002571EA

Part of subcall function 00219339: BeginPath.GDI32(00000000), ref: 00219357

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction ID: fba255d965e0fa0df06b6127249dbfd0fab281992bedf365ca47a9361980fc6d
Opcode Fuzzy Hash: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction Fuzzy Hash: 5A41EF30115201AFD710DF24ECA8FEA7BE8EF55320F14026AF968872A1C7309CA5DB61

Function 002707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0027080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00270847
EnterCriticalSection.KERNEL32(?), ref: 00270863
LeaveCriticalSection.KERNEL32(?), ref: 002708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00270921

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 707f739f4b2bd23b601e469d31e2347df4006632f6823383631354ba763ff3da
Instruction ID: 35b5bb286c6d2e61699d1f84a7fa9dd078a2d9bdc2c75322af44b474e6d0c346
Opcode Fuzzy Hash: 707f739f4b2bd23b601e469d31e2347df4006632f6823383631354ba763ff3da
Instruction Fuzzy Hash: 4A416871A10205EFDF14AF54EC85AAA77B8FF04300F1480A5ED049A29BDB70DE64DBA4

Function 002981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0025F3AB,00000000,?,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0029824C
EnableWindow.USER32(?,00000000), ref: 00298272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002982D1
ShowWindow.USER32(?,00000004), ref: 002982E5
EnableWindow.USER32(?,00000001), ref: 0029830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0029832F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction ID: a9381927f95995e968fe7768548a34e3e5e80c4727d89b5def12acc6f8ac0cd3
Opcode Fuzzy Hash: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction Fuzzy Hash: D3418434A01685AFDF15CF15D899BF47BE1BB4B714F1C41AAE9084B262CB31AC61CB54

Function 00264C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00264C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00264CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00264CEA
_wcslen.LIBCMT ref: 00264D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00264D10
_wcsstr.LIBVCRUNTIME ref: 00264D1A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 880f8d269e8c71a56aeab1aeb7ef7a45462bedbb65a0ce8575b600e9f108cad2
Instruction ID: a8b957a6571d1c812396dd9b8dd82bbd6257fe968e9a7ee4254ddd61c79ddd44
Opcode Fuzzy Hash: 880f8d269e8c71a56aeab1aeb7ef7a45462bedbb65a0ce8575b600e9f108cad2
Instruction Fuzzy Hash: FF213B32614201BBEB196F35EC49E7F7BDCDF45750F10403AF805CA191DA61DCA0D6A0

Function 0027581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

_wcslen.LIBCMT ref: 0027587B
CoInitialize.OLE32(00000000), ref: 00275995
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 002759AE
CoUninitialize.OLE32 ref: 002759CC

Strings

.lnk, xrefs: 00275876, 002758C1, 00275985

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction ID: c734a2951abe96e8d21f514a1af01f8830fbc28ecc2e7942c34062274bf3467d
Opcode Fuzzy Hash: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction Fuzzy Hash: C6D15270624712DFC714DF24C484A2ABBE1EF89314F14885DF88A9B3A2DB71EC55CB92

Function 0026175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
Part of subcall function 00260FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
Part of subcall function 00260FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
Part of subcall function 00260FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

GetLengthSid.ADVAPI32(?,00000000,00261335), ref: 002617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002617BA
HeapAlloc.KERNEL32(00000000), ref: 002617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002617DA
GetProcessHeap.KERNEL32(00000000,00000000,00261335), ref: 002617EE
HeapFree.KERNEL32(00000000), ref: 002617F5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction ID: f1ccfcac824d004210253ca1da8368ebab47bf2919e377f5f55880751fb810e7
Opcode Fuzzy Hash: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction Fuzzy Hash: AE11E231520206FFDB119FA4DC49FAFBBB9EF45355F284029F4459B210D735AAA0CBA0

Function 002614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00261506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00261515
CloseHandle.KERNEL32(00000004), ref: 00261520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0026154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00261563

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction ID: 3cac5aba750a9e5552a5eb050730850109012b1d33ddec74c52fb3a777f4f6a5
Opcode Fuzzy Hash: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction Fuzzy Hash: D7113A7250120EABDF119FA8EE49FDE7BA9EF48744F184055FA05A2060C375DEA0DB61

Function 00223382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00223379,00222FE5), ref: 00223390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0022339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002233B7
SetLastError.KERNEL32(00000000,?,00223379,00222FE5), ref: 00223409

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2e8af743786a458fac122f56a58b7e4ef679d952e67df588f3fe5a00e99d472b
Instruction ID: 498fdeee2f69e65951c14025709a4902c53ce91a67844879ac8c813bc3281ede
Opcode Fuzzy Hash: 2e8af743786a458fac122f56a58b7e4ef679d952e67df588f3fe5a00e99d472b
Instruction Fuzzy Hash: B0012832238332BEA614BBF47C899762A98EB057757300269F410801F0EF154E329988

Function 00232D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00235686,00243CD6,?,00000000,?,00235B6A,?,?,?,?,?,0022E6D1,?,002C8A48), ref: 00232D78
_free.LIBCMT ref: 00232DAB
_free.LIBCMT ref: 00232DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DEC
_abort.LIBCMT ref: 00232DF2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a7e76e4d323d1b88fdf16350b0ac9497f11bb713541104a3ed1f99696c8a6abd
Instruction ID: 94900ab5e88fdf8e39134279a70cf0c5495d033146d747cafa3f0cefc4ebfb1d
Opcode Fuzzy Hash: a7e76e4d323d1b88fdf16350b0ac9497f11bb713541104a3ed1f99696c8a6abd
Instruction Fuzzy Hash: EDF028B1535605EBC2123B34BC0AF1B2559AFC27A0F34045AF828922E2EE708C3A5520

Function 00298A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00298A4E
LineTo.GDI32(?,00000003,00000000), ref: 00298A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00298A70
LineTo.GDI32(?,00000000,00000003), ref: 00298A80
EndPath.GDI32(?), ref: 00298A90
StrokePath.GDI32(?), ref: 00298AA0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction ID: 41ddbd880f125183e80b51225999d3f5780b77d705cbdbeb74c58d6d606edd34
Opcode Fuzzy Hash: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction Fuzzy Hash: D2110976000149FFDF129F90EC88EEA7F6DEB08350F148012FA199A1A1C7719D65DFA0

Function 002651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00265218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00265229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00265230
ReleaseDC.USER32(00000000,00000000), ref: 00265238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0026524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00265261

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction ID: 31f6457b7628f26114b768d1ec513bc377b40d0695b5bfb2b7b5391bc35de128
Opcode Fuzzy Hash: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction Fuzzy Hash: 0F016275E00719BBEF109FA59C49E5EBFB8EF48751F144066FA04A7281D6709C10CFA0

Function 00201BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction ID: d87174f940dbecd3e824e4ca31f4fdb61fbf10d3aafa3fd6d22cacd732618e96
Opcode Fuzzy Hash: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction Fuzzy Hash: AD0167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 0026EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0026EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0026EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0026EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB75

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction ID: 545945ae881785dbff2de54a40bd4ddc3649753f41090e57ffaec2fae8b87608
Opcode Fuzzy Hash: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction Fuzzy Hash: 16F05E72240158BBE7215B62EC0EEEF3E7CEFCAB11F10015AF601D1091D7A05A01C6B9

Function 00257439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00257452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00257469
GetWindowDC.USER32(?), ref: 00257475
GetPixel.GDI32(00000000,?,?), ref: 00257484
ReleaseDC.USER32(?,00000000), ref: 00257496
GetSysColor.USER32(00000005), ref: 002574B0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction ID: c8234c0f2c582b08af70960f1adeca04b8e3e428e8b415aa472d191229edf109
Opcode Fuzzy Hash: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction Fuzzy Hash: F2014B31410215EFDB515FA4EC0CBAA7BB5FB04312FA14165FD1AA21A1CB311E61AB50

Function 00261874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0026187F
UnloadUserProfile.USERENV(?,?), ref: 0026188B
CloseHandle.KERNEL32(?), ref: 00261894
CloseHandle.KERNEL32(?), ref: 0026189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002618A5
HeapFree.KERNEL32(00000000), ref: 002618AC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction ID: 2668381d55c485d975060431e656ac394c82ce665641a439c73edc281d004c47
Opcode Fuzzy Hash: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction Fuzzy Hash: 3DE0E536004101BBDB016FA1FE0C94ABF39FF49B22B208222F22981070CB329420DF68

Function 0020BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020BEB3

Strings

D%-, xrefs: 0020BCA2
D%-D%-, xrefs: 0020BCA5
D%-, xrefs: 0020BE9A
D%-, xrefs: 0020BDED, 0020BD91, 0020BD1B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1171869334
Opcode ID: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction ID: cdc163256b648c07231792a5213400e74abca8dfdc9ca3e28dee56ae1dc30a32
Opcode Fuzzy Hash: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction Fuzzy Hash: 6E916B75A2030ADFCB29CF58C090AA9B7F1FF58310F64416AD941AB392D771ADA1CB90

Function 00287B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00287BFB

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Strings

G, xrefs: 00287C7F
Variable must be of type 'Object'., xrefs: 00287C3A
+T%, xrefs: 00287E2E
5, xrefs: 00287C78

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T%$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2187542652
Opcode ID: e0dd10e6e1a63d3e356d3ba2521feafc3857f8105631036ea170d8d1670c9b94
Instruction ID: 8ddf2989590a2623cd45d5f87f0b79f6ae24b564e2cece9352dcbd0f0a44ac2d
Opcode Fuzzy Hash: e0dd10e6e1a63d3e356d3ba2521feafc3857f8105631036ea170d8d1670c9b94
Instruction Fuzzy Hash: 28917E78A25209EFCB14EF54D891DADB7B1FF45300F60805AF8069B292DB71EE61CB51

Function 0026C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C6EE
_wcslen.LIBCMT ref: 0026C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026C7CA

Strings

0, xrefs: 0026C6AF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4cce0c6df6f28ecb338a6f22adde5c12a4150a27e2295a10cca24e0e87630699
Instruction ID: 9fcf6455bb8ed4adc80cbb49b5a02f7a483f3dbad4d3528fa358d6dd8fc422a5
Opcode Fuzzy Hash: 4cce0c6df6f28ecb338a6f22adde5c12a4150a27e2295a10cca24e0e87630699
Instruction Fuzzy Hash: 1B51E0716243029BD712AF28C885A7AB7E8AB85314F240A2AF5E5D31D1DB60DCA48F56

Function 0028AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0028AEA3

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetProcessId.KERNEL32(00000000), ref: 0028AF38
CloseHandle.KERNEL32(00000000), ref: 0028AF67

Strings

<, xrefs: 0028AE6B
@, xrefs: 0028AE72

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 62a07ccb9fa69eac9842019bbfb572322fee8500ae05188e738a37009f9167b9
Instruction ID: ad7168f954805dea8fb1d55313d4d5a507b2f5615b83efb66a4bd1fa54e8a22f
Opcode Fuzzy Hash: 62a07ccb9fa69eac9842019bbfb572322fee8500ae05188e738a37009f9167b9
Instruction Fuzzy Hash: E7717974A10615DFDB14EF54C484A9EBBF0BF08310F0484AAE816AB7A2CB75ED91CF91

Function 0026719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00267206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0026723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0026724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002672CF

Strings

DllGetClassObject, xrefs: 00267242

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction ID: 3202e08c1204e2c86e84e2b889e02eb842275f7ec519ab05436eb9716efb6435
Opcode Fuzzy Hash: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction Fuzzy Hash: 91418171614204EFDB15CF64D894B9A7BB9EF44318F2480AEFD099F24AD7B0D994CBA0

Function 00292F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00292F8D
LoadLibraryW.KERNEL32(?), ref: 00292F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00292FA9
DestroyWindow.USER32(?), ref: 00292FB1

Strings

SysAnimate32, xrefs: 00292F68

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction ID: 720b3368de4479aedf13bef1179c599063685ee41fe52773ffad3b23ba81f72a
Opcode Fuzzy Hash: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction Fuzzy Hash: 4B21AC72220206FBEF108F64DC84EBB37BDEB59364F100619F954D2590D771DC659B60

Function 00224D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002), ref: 00224D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00224DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000), ref: 00224DC3

Strings

CorExitProcess, xrefs: 00224D98
mscoree.dll, xrefs: 00224D86

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction ID: 7d999542bca3ef08fefd64b8e838484e6e671afaa831c4319b26ad3d617a50b5
Opcode Fuzzy Hash: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction Fuzzy Hash: AAF04F34A50219BBDB159F90EC4DBADBBB5EF44751F5001A5F909A2260CB305E50CA94

Function 00204E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00204EA8
kernel32.dll, xrefs: 00204E94

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction ID: 2e7e06f7c148e8b0539e1ed845da6b273701c048ef7615ae4fdefda38ba2f056
Opcode Fuzzy Hash: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction Fuzzy Hash: F8E08675A116235BD3222B25FC1CB5B6554AF82B627154116FD08D2151DB60CD1240E4

Function 00204E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00204E6E
kernel32.dll, xrefs: 00204E5B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction ID: 75d823ae69fd9b498e55bd0854aae1afa45c2ec77476492d969ce3c1b7f22e6e
Opcode Fuzzy Hash: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction Fuzzy Hash: 63D0C231522722578B222F24FC1CE8B6A18AF86B51355861ABA0CA2191CF20CD21C1E4

Function 00272947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272C05
DeleteFileW.KERNEL32(?), ref: 00272C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00272C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CC0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 85dd1a01dbc4315d0e379758d4ee8d5770793f0c8302462f0f29c9f57c1779a5
Instruction ID: 9279604e775c0b2ad73c751af59c3670c4328e316e2e9fd375a6601fb0a47d16
Opcode Fuzzy Hash: 85dd1a01dbc4315d0e379758d4ee8d5770793f0c8302462f0f29c9f57c1779a5
Instruction Fuzzy Hash: 02B15F71D20129EBDF15DFA4CC85EDEB7BDEF49350F1080AAF909E6141EA309A588F61

Function 0028A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0028A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028A468
CloseHandle.KERNEL32(?), ref: 0028A63D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 13f53502107fa69c18933495ac55009de79e873364d49b3b2ccd470d0475814f
Instruction ID: 965dd1938ee984e92d08e6e045fa6367e298b14af1f130c00a817ee2dd9c26a5
Opcode Fuzzy Hash: 13f53502107fa69c18933495ac55009de79e873364d49b3b2ccd470d0475814f
Instruction Fuzzy Hash: A7A1D3B56143019FE720EF28C886F2AB7E5AF44714F14885DF55A9B2D2DBB0EC508F92

Function 0023BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BB7F

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8c6c55dd711bb590da71b1bfa84e507b35f453635d5f0926268a58bb85556a23
Instruction ID: d58ab5af3ceb3aa4379e815f5c1f8af718bc56533e11d9cb2a91e877be0e342c
Opcode Fuzzy Hash: 8c6c55dd711bb590da71b1bfa84e507b35f453635d5f0926268a58bb85556a23
Instruction Fuzzy Hash: 7D51EAB1D10219EFCB21EF65AC8596EB7BCEF41310F1006ABEA54D7291EB705E61CB50

Function 0026E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

lstrcmpiW.KERNEL32(?,?), ref: 0026E473
MoveFileW.KERNEL32(?,?), ref: 0026E4AC
_wcslen.LIBCMT ref: 0026E5EB
_wcslen.LIBCMT ref: 0026E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0026E650

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction ID: 4c032bf00e88db53b6650d071f6ccbc1cd89b9698a3c0a642b4bb8cf0c52140d
Opcode Fuzzy Hash: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction Fuzzy Hash: 275176B65183855BCB24EFA0D8819DB73DC9F85340F00491EF689D3192EF74A5D88B56

Function 0028B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0028BB63
RegCloseKey.ADVAPI32(?,?), ref: 0028BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0028BBB3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction ID: 4df43541345b575ae6d522b23f467c2731c281a5cca093b5c7526d0638327300
Opcode Fuzzy Hash: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction Fuzzy Hash: 9C61CE34229241AFD315EF14C490E2ABBE4FF84308F54855DF49A8B2E2CB31ED55CB92

Function 00268BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00268BCD
VariantClear.OLEAUT32 ref: 00268C3E
VariantClear.OLEAUT32 ref: 00268C9D
VariantClear.OLEAUT32(?), ref: 00268D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00268D3B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction ID: 3464d8f48611f80be19aaf5a44fe0dac4c4991471b297ef569285a16dfddc7ab
Opcode Fuzzy Hash: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction Fuzzy Hash: 99516CB5A10219EFCB14CF68D884AAAB7F8FF89310B158559E905DB350E730E961CFA0

Function 00278AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00278BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00278BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00278C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00278C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00278C5F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e1d66daca82eef5741bc216c1494104620aad6490451144fee9bbe4c8e57c272
Instruction ID: 88d7278c6062cd875df221866682f83c64ea70e735e397b57ff9cc3712824657
Opcode Fuzzy Hash: e1d66daca82eef5741bc216c1494104620aad6490451144fee9bbe4c8e57c272
Instruction Fuzzy Hash: 6C514975A102159FCB05DF64C885AAABBF5FF48314F08C459E849AB3A2CB31ED61CF90

Function 00288EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00288F40
GetProcAddress.KERNEL32(00000000,?), ref: 00288FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00288FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00289032
FreeLibrary.KERNEL32(00000000), ref: 00289052

Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00271043,?,75C0E610), ref: 0021F6E6
Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0025FA64,00000000,00000000,?,?,00271043,?,75C0E610,?,0025FA64), ref: 0021F70D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction ID: 15618c2d3e623695168d05ce23a21bcee59a6e8af354a056764f74899cc826be
Opcode Fuzzy Hash: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction Fuzzy Hash: C4519F38611205DFC711EF68C4848ADBBF1FF49314B588099E90AAB7A2CB31ED95CF90

Function 00296B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00296C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00296C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00296C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0027AB79,00000000,00000000), ref: 00296C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00296CC7

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction ID: 6a0dbb47397573a09da00716ce898a6f2b9947ac3e0949b2fb4a95f2c2600626
Opcode Fuzzy Hash: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction Fuzzy Hash: 8E41D435A24105AFDF24CF68CC5CFA97BE5EB09360F15022AF899A72E0D371ED61CA50

Function 00232051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002320C3
_free.LIBCMT ref: 002320E3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c22fc7e423b24f0368d1d20a3fedc1c0c5fba201e117a76fe5ed287324e1baae
Instruction ID: 075143f62c3a6cc931c8765247a2174d1806c28c981057152637e20171801be0
Opcode Fuzzy Hash: c22fc7e423b24f0368d1d20a3fedc1c0c5fba201e117a76fe5ed287324e1baae
Instruction Fuzzy Hash: 5641F3B2A20200EFCB24DF78C980A5EB3F5EF88714F2545A8E519EB352D731AD15CB80

Function 0021912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00219141
ScreenToClient.USER32(00000000,?), ref: 0021915E
GetAsyncKeyState.USER32(00000001), ref: 00219183
GetAsyncKeyState.USER32(00000002), ref: 0021919D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction ID: dee9cb743bebbba687dd4b00b6d95388e99ec8c354a8a3475b64aef6cd48ca46
Opcode Fuzzy Hash: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction Fuzzy Hash: 39417F7191850BFBDF059F64D858BEEB7B4FB05320F208216E829A2290C77069E4CF51

Function 00273874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00273922
TranslateMessage.USER32(?), ref: 0027394B
DispatchMessageW.USER32(?), ref: 00273955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction ID: 7f0441f9ecb155bb65bfad5e40f6c82160da1b62c79d8728a277c44712bb149d
Opcode Fuzzy Hash: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction Fuzzy Hash: B0310B70925383EEEB35CF34E80CBB637A8AB05300F14855ED55AC2590D3F09AA4EB11

Function 0027CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0027CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFF2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d938874c29eb13b8b34cb2b9723b149ae3092e5e61bce8b020a5a90b4f9382fb
Instruction ID: f82d19386ffefe7dea1f9be8a4cb337f437c4cd09f6afeb5f976f4bbc43629e4
Opcode Fuzzy Hash: d938874c29eb13b8b34cb2b9723b149ae3092e5e61bce8b020a5a90b4f9382fb
Instruction Fuzzy Hash: 78318E71620206EFDB20DFB5D884AABBBF9EF14310B20842FF51AD2511DB30AE50DB61

Function 00261901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00261915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002619E2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction ID: 4249b90a6dd77e31695a64a95c968f2f752ec9503967b0eda1e7a8339316dedc
Opcode Fuzzy Hash: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction Fuzzy Hash: 0C31C271910219EFCB04CFA8DD9DADE3BB5EB44315F144225F925A72D1C770A9A4CB90

Function 00295706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00295745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0029579D
_wcslen.LIBCMT ref: 002957AF
_wcslen.LIBCMT ref: 002957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction ID: faf2ccc5258f26574f49b711ad93f357ab2d3a5de7ae1854b90f1ac80410e7b0
Opcode Fuzzy Hash: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction Fuzzy Hash: 56218771A24629EADF219FA0DC45AEDB778FF44724F104116F929DA180D7708AA5CF50

Function 00280930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00280951
GetForegroundWindow.USER32 ref: 00280968
GetDC.USER32(00000000), ref: 002809A4
GetPixel.GDI32(00000000,?,00000003), ref: 002809B0
ReleaseDC.USER32(00000000,00000003), ref: 002809E8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction ID: d64e5174d7ab0bc41b4e3960775927218c25a39b1cc705ffda4855919032259e
Opcode Fuzzy Hash: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction Fuzzy Hash: C4218175610204AFD714EF69D888AAEBBE9EF48700F148069E85A977A2DB70AC54CF50

Function 0023CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0023CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023CDE9

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0023CE0F
_free.LIBCMT ref: 0023CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023CE31

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: da4999ffd80c60c1130a48777e63cd7d4e1bdfd0fd04d1f4ddade0961acb95bd
Instruction ID: a60624b8d73726010ace37f3bbf44da9aebb5bd7fbb4cafd90c5cb5985c62bc7
Opcode Fuzzy Hash: da4999ffd80c60c1130a48777e63cd7d4e1bdfd0fd04d1f4ddade0961acb95bd
Instruction Fuzzy Hash: 5501FCF26212157F23212A767C4CD7B796DDEC6BA1735012AFD05E7201DA618D2187B4

Function 00219639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
SelectObject.GDI32(?,00000000), ref: 002196A2
BeginPath.GDI32(?), ref: 002196B9
SelectObject.GDI32(?,00000000), ref: 002196E2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction ID: db15b7f3eaa00a7228daebd1f3ca42dc8fd60ac285eefdebb60c23c8b641ddfd
Opcode Fuzzy Hash: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction Fuzzy Hash: 42212C70922286EBDB119F64FC287E97BA8BB60365F200217F414A65A1D3709CF5CBA5

Function 00265711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265726
_memcmp.LIBVCRUNTIME ref: 00265744
_memcmp.LIBVCRUNTIME ref: 00265757
_memcmp.LIBVCRUNTIME ref: 0026576F
_memcmp.LIBVCRUNTIME ref: 00265787

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction ID: 0f47b2387794a50bdcd0fbf2a9ae2aedf695fa61178bf9ae87c3587bbcc20248
Opcode Fuzzy Hash: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction Fuzzy Hash: 2301B9616B1625BBD65999109E42FBBB35D9B353A4F004021FD04AA641F761ED7086E0

Function 00232DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6), ref: 00232DFD
_free.LIBCMT ref: 00232E32
_free.LIBCMT ref: 00232E59
SetLastError.KERNEL32(00000000,00201129), ref: 00232E66
SetLastError.KERNEL32(00000000,00201129), ref: 00232E6F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 011cb17e5b521dd7dd94038ba1345cba27fbac3a44be90f6b1c34a6c121daeb9
Instruction ID: ba28bce5f5e1d890af98bcde0f3af662a7e4da394f1d309c598fc15eccd6cb2a
Opcode Fuzzy Hash: 011cb17e5b521dd7dd94038ba1345cba27fbac3a44be90f6b1c34a6c121daeb9
Instruction Fuzzy Hash: D5012DF2235601EBC6126B757C4BE2B255DABC5375F350025F825922D3EFB0EC395420

Function 0026000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260070

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction ID: f0386a015005561f413f755b1ceffa2902cc4693ff7fcf72407e9f7a33d9989e
Opcode Fuzzy Hash: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction Fuzzy Hash: B301A272620215BFDB114F68EC88BAB7AEDEF44791F244125F905D2210D7B1DD90ABA0

Function 0026E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0026E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0026E9A5
Sleep.KERNEL32(00000000), ref: 0026E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0026E9B7
Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction ID: ce6c8c6c01c451add084ebea790e031c442d4c85e8b305b2bda45554bf155914
Opcode Fuzzy Hash: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction Fuzzy Hash: 66015735C12629DBCF00AFE5E85DAEDBB78BF08700F120556E902B2240CB3095A48BA6

Function 002610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction ID: 0b1b63c10fddc1efc166d923eb1ec6a429713f2aad423c1f4f40aaed1a8c7886
Opcode Fuzzy Hash: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction Fuzzy Hash: 45013175100205BFDB114FA5EC4DE6A3F6EEF86360B644466FA45D7360DB31DC509A60

Function 00260FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction ID: 3251767191968887db474aab3a23453d8f1856257cea2e6590ff570127214e5e
Opcode Fuzzy Hash: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction Fuzzy Hash: C2F06235100351EBDB215FA4EC4DF563B6DEF89762F644415FD49C7261CA70EC908A70

Function 00261014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction ID: db2c28fef6b5d4d6b6316c5f0f159e21b064a7dd574830dc5c21447270632193
Opcode Fuzzy Hash: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction Fuzzy Hash: DDF06235100321EBDB215FA4EC4DF563B6DEF89761F340415FD45C7260CA70E8908A70

Function 0027030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270324
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270331
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027033E
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027034B
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270358
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270365

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction ID: 509be07a3e872c0e1397f36be1dea457f5c83ea7abfab80b98828072c3a8ae89
Opcode Fuzzy Hash: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction Fuzzy Hash: 91019072810B16DFC730AF66D8C0416F7F5BE502153158A7FD19A52931C371A968CE80

Function 0023D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023D752

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D764
_free.LIBCMT ref: 0023D776
_free.LIBCMT ref: 0023D788
_free.LIBCMT ref: 0023D79A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7f6a7102a48396d10e10c0deb6072d67a3fb6adb15df073b9b9c32700f84caea
Instruction ID: f15df19ae0b37225785fd05ca6389c88596c77b29adc1f9c46f6184b5093899d
Opcode Fuzzy Hash: 7f6a7102a48396d10e10c0deb6072d67a3fb6adb15df073b9b9c32700f84caea
Instruction Fuzzy Hash: F2F012B2564215EB8621EF64F9C6D16B7DDBB44710FB41845F048D7501C731FCA08A64

Function 00265C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00265C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00265C6F
MessageBeep.USER32(00000000), ref: 00265C87
KillTimer.USER32(?,0000040A), ref: 00265CA3
EndDialog.USER32(?,00000001), ref: 00265CBD

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2e41c77474ec0a39d0b33e9f1ce0435d0944ff815a0f41a532773b621e84bb97
Instruction ID: 3891dbbc1e7d18d1458759de7a47daaad4c8f45ef34385b2535929787d86f3c4
Opcode Fuzzy Hash: 2e41c77474ec0a39d0b33e9f1ce0435d0944ff815a0f41a532773b621e84bb97
Instruction Fuzzy Hash: 74018130510B14AFEB205F10ED4EFA67BBCBB00B05F00056BB583A10E1DBF4A9A48B90

Function 002322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002322BE

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 002322D0
_free.LIBCMT ref: 002322E3
_free.LIBCMT ref: 002322F4
_free.LIBCMT ref: 00232305

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3797fecf0cc1f3a887bdc7f67b3a50853449069bac9e204decdd666f08c2ba77
Instruction ID: ab729723773d0fe5dc969c45013893506e0fe0a8491e6cc212fafbd9483732a9
Opcode Fuzzy Hash: 3797fecf0cc1f3a887bdc7f67b3a50853449069bac9e204decdd666f08c2ba77
Instruction Fuzzy Hash: 91F03AF4C22130DB8712AF54BC49A0D3B64F718760F21164BF818D26B1CB310C36AFA4

Function 002195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002195D4
StrokeAndFillPath.GDI32(?,?,002571F7,00000000,?,?,?), ref: 002195F0
SelectObject.GDI32(?,00000000), ref: 00219603
DeleteObject.GDI32 ref: 00219616
StrokePath.GDI32(?), ref: 00219631

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction ID: bf30ea66885aa2819a577e4efc7c54c863f172582468549f489ff2581c6aaedc
Opcode Fuzzy Hash: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction Fuzzy Hash: D4F01430416289FBDB225F69FD2CBE83BA5AB10322F148216F429654F1C73089F5DF24

Function 00230F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002310F9
__freea.LIBCMT ref: 00231117

Part of subcall function 00231537: _free.LIBCMT ref: 0023154F

Strings

a/p, xrefs: 002311DE
am/pm, xrefs: 0023117A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction ID: 3581e63f2778e45f1b7725d4a045188c2fd23ef9e609f7192f0cb34b043cc75c
Opcode Fuzzy Hash: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction Fuzzy Hash: 62D112B1930207DACB289F68C895BFEB7B0FF05300F284199E945AB654D7759DB0CB91

Function 002861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00286238

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Part of subcall function 0027359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4
Part of subcall function 0027359C: LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

x#-, xrefs: 0028636F
x#-, xrefs: 00286353
x#-, xrefs: 0028633A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#-$x#-$x#-
API String ID: 1072379062-1822726949
Opcode ID: 31638c5dfba610da905835d8010ac64d2422ae2b73f6ae226de25dd5b274dfba
Instruction ID: b5c4cd8e3f80d845fb3a89d741a455889cd1c1ece260a2cb48912ba5744ad275
Opcode Fuzzy Hash: 31638c5dfba610da905835d8010ac64d2422ae2b73f6ae226de25dd5b274dfba
Instruction Fuzzy Hash: 0DC1A375A10206AFDB14EF58C894EBEB7B9FF48300F148059F9059B291DB74ED64CB90

Function 00235AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO , xrefs: 00235BA8, 00235C6C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-3468927494
Opcode ID: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction ID: d986b6f47e8277fc8cd0f0901c8eda0320889a0c46bcfdc46591ac1c28489d0e
Opcode Fuzzy Hash: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction Fuzzy Hash: 0851E3F1D3062AEFCB109FA4D945FEEBBB8AF05318F14055AF809A7291D77099218B61

Function 00238A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00238B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00238B7A
__dosmaperr.LIBCMT ref: 00238B81

Strings

.", xrefs: 00238A63

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ."
API String ID: 2434981716-2093358890
Opcode ID: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction ID: 6105980cbbdca90ee9d892d501d3d830ca170c51535640645a02dac62aa0a29c
Opcode Fuzzy Hash: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction Fuzzy Hash: A14180F0624246AFD7249F24D884A79BFE6DB46304F3845AAF898CF552DE318C228750

Function 00262716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621D0,?,?,00000034,00000800,?,00000034), ref: 0026B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00262760

Part of subcall function 0026B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0026B3F8

Part of subcall function 0026B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0026B355
Part of subcall function 0026B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B365
Part of subcall function 0026B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0026281A

Strings

@, xrefs: 00262832

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction ID: 4e5417268a4c32265e8c203885e0d42b02e199a459102ab807b80ff58fa6678b
Opcode Fuzzy Hash: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction Fuzzy Hash: 08413D72910218AFDB11DFA4CD45EEEBBB8AF05300F104095FA55B7181DB706E99CF60

Function 0023172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00231769
_free.LIBCMT ref: 00231834
_free.LIBCMT ref: 0023183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00231760, 00231767, 00231796, 002317CE

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 130fbc85e0173df588915bfa0207ff78f58215efa637855b81b3f68039973411
Instruction ID: 139992b7c1676e07944b14adf23dc799cbcbcd58d69c54c13fc82b1f47fdf052
Opcode Fuzzy Hash: 130fbc85e0173df588915bfa0207ff78f58215efa637855b81b3f68039973411
Instruction Fuzzy Hash: 32316FB5E10219FBDB21DF99AC89D9EBBBCEB85310F144167F80497211D7708E60CB94

Function 0026C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0026C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0026C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D1990,00B657B0), ref: 0026C395

Strings

0, xrefs: 0026C2DF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction ID: 807012d830dc4dfa3581eb216c67dbc61517a689edcbd6aea7832aaa01f7bd04
Opcode Fuzzy Hash: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction Fuzzy Hash: 4E41C731114302DFD720EF24D844B2ABBE4AF85310F20865EF9A5973D1D770E9A4CB62

Function 00294416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029CC08,00000000,?,?,?,?), ref: 002944AA
GetWindowLongW.USER32 ref: 002944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002944D7

Strings

SysTreeView32, xrefs: 0029447C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction ID: d8a730d2b9d3721e8df1591b2a85668161b34110140319f5c99a73e4276d1279
Opcode Fuzzy Hash: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction Fuzzy Hash: 6131B031220206AFDF209E78DC45FEA77A9EB08334F214719F979921D0D770EC619B50

Function 00266E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00266EED
VariantCopyInd.OLEAUT32(?,?), ref: 00266F08
VariantClear.OLEAUT32(?), ref: 00266F12

Strings

*j&, xrefs: 00266E8B, 00266E90, 00266EF8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j&
API String ID: 2173805711-2273582324
Opcode ID: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction ID: 69c7a3dab869f6f8b4896d7c1397c9ccf936b401010b5849e9e1d047b5afc20a
Opcode Fuzzy Hash: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction Fuzzy Hash: 69318F71624345DBCB05AFA4E8999BD37B6EF85304F2004ADF9034B6A2CB749DA1DB90

Function 0028304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00283077,?,?), ref: 00283378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
_wcslen.LIBCMT ref: 0028309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00283106

Strings

255.255.255.255, xrefs: 00283095, 0028309A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction ID: ec1866cbcd616507665ed6ab4ebc447d1a832b580c808d735a16e87cc28a8481
Opcode Fuzzy Hash: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction Fuzzy Hash: 4231073D611202DFCB10EF28C489EAA77E0EF14B14F248059E8168B7D2DB72EE55CB60

Function 00294653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00294705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00294713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0029471A

Strings

msctls_updown32, xrefs: 00294684

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction ID: df32a5a1768f35144a07c739f6a39f14dfc7a305ad395abbb88e5a0ded7046ec
Opcode Fuzzy Hash: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction Fuzzy Hash: 372162B5610209AFDB10DF64DCD5DB777ADEB5A394B140059FA0097251DB70EC22CA60

Function 002695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026961D

Strings

#notrayicon, xrefs: 002695B7
#OnAutoItStartRegister, xrefs: 002695F3
#requireadmin, xrefs: 002695D9

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f5c83ce176d9a7b80240acc29be111b0e0669e472f88fbdaf2b9e24362d1b08d
Instruction ID: b03eda3bd802084679ea2687ab2a8570c3e46ad985830a8155ff1aefca325b50
Opcode Fuzzy Hash: f5c83ce176d9a7b80240acc29be111b0e0669e472f88fbdaf2b9e24362d1b08d
Instruction Fuzzy Hash: 68212672234622A6C731AE28D802FB7739C9F65304F54402AFA4A97081EFB1ADF5C695

Function 002937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00293840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00293850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00293876

Strings

Listbox, xrefs: 0029380F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction ID: 68cf5ff37506a9727b5359b255c56014fcb915cdb4fc3999945cebaf0f8d26ac
Opcode Fuzzy Hash: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction Fuzzy Hash: C9217F72620219BBEF21CE94DC45EAB776EEF89754F108125F9059B190C6719C618BA0

Function 002749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00274A5C
SetErrorMode.KERNEL32(00000000,?,?,0029CC08), ref: 00274AD0

Strings

%lu, xrefs: 00274A6F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction ID: de03c87b5295ea0826f9331809643a962a02e51f8c22901a86c676fef676582d
Opcode Fuzzy Hash: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction Fuzzy Hash: BC316F75A10209AFDB10DF54C885EAA7BF8EF08308F1480A9F909DB252D771EE95CF61

Function 002941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0029424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00294264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00294271

Strings

msctls_trackbar32, xrefs: 00294226

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction ID: e16bbc7fadadea7f8770e27f3a0c6a02674ef6c606ace171508a1819cee1cd05
Opcode Fuzzy Hash: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction Fuzzy Hash: 01110632650208BEEF206F29CC06FAB3BACFF85B54F110524FA55E2090D271DC729B20

Function 00262F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Part of subcall function 00262DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
Part of subcall function 00262DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
Part of subcall function 00262DA7: GetCurrentThreadId.KERNEL32 ref: 00262DDD
Part of subcall function 00262DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

GetFocus.USER32 ref: 00262F78

Part of subcall function 00262DEE: GetParent.USER32(00000000), ref: 00262DF9

GetClassNameW.USER32(?,?,00000100), ref: 00262FC3
EnumChildWindows.USER32(?,0026303B), ref: 00262FEB

Strings

%s%d, xrefs: 00262FFF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction ID: e3fef57a7ea389a6bfac9d55761aeaf8d4f475ec69225a52faf9f7b617ba2ba8
Opcode Fuzzy Hash: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction Fuzzy Hash: 3D11B4B5610205ABDF14BF70DC89FED376AAF94304F144075F909AB192DE709AA98F70

Function 00295882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958EE
DrawMenuBar.USER32(?), ref: 002958FD

Strings

0, xrefs: 0029588F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: cdc038fbdbf6be1b4071c247b87aee16f470f25f77cbb34e9795c086409f7133
Instruction ID: d121789f671b7a7cf230b8876c64d1ef9036c7b675ddbe093d47e95f834979ff
Opcode Fuzzy Hash: cdc038fbdbf6be1b4071c247b87aee16f470f25f77cbb34e9795c086409f7133
Instruction Fuzzy Hash: 1E018431620228EFEF519F11DC44BEEBBB4FF45760F108099E849D6151DB708AA4DF61

Function 0026007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction ID: 72c8df95641bb7c449b6eee2ea31c3768200c5eb320a28ae8ae560e068571563
Opcode Fuzzy Hash: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction Fuzzy Hash: E7C15C75A10206EFDB14CFA4C898BAEB7B5FF48304F208598E905EB251D771ED91DB90

Function 0028342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00283459
CoUninitialize.OLE32 ref: 00283463
VariantInit.OLEAUT32(?), ref: 0028346E
VariantClear.OLEAUT32(?), ref: 0028371B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 77edf676b45b06deb88d599e9e3e0bc7c0485fe0364c8bd071c3df7d81f43efc
Instruction ID: c55f1fb121c589cdb73be1e5b351d1af92eb9b7a1bdd9dcb13ed9218738e2e17
Opcode Fuzzy Hash: 77edf676b45b06deb88d599e9e3e0bc7c0485fe0364c8bd071c3df7d81f43efc
Instruction Fuzzy Hash: 47A14C796243119FC700EF28C885A6ABBE5FF88714F148859F9499B3A2DB30EE51CF51

Function 00260436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 002605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 00260608
CLSIDFromProgID.OLE32(?,?,00000000,0029CC40,000000FF,?,00000000,00000800,00000000,?,0029FC08,?), ref: 0026062D
_memcmp.LIBVCRUNTIME ref: 0026064E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction ID: 3923e265bd2364efd55e3aef47e3903edc3b2c2575200cb2003d71ba6ae970f8
Opcode Fuzzy Hash: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction Fuzzy Hash: 85814C71A10209EFCB04DF94C984EEEB7B9FF89315F204558E506AB250DB71AE56CF60

Function 0028A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0028A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0028A6BA

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Process32NextW.KERNEL32(00000000,?), ref: 0028A79C
CloseHandle.KERNEL32(00000000), ref: 0028A7AB

Part of subcall function 0021CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00243303,?), ref: 0021CE8A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 04530ec8fba2334f2fcdc8878573bb7f05099e2a6f54a8cb107551091f0a8364
Instruction ID: 9022393ee34b4614caf69655f0d2f7768bacd0f4640a7e510015b302135c1440
Opcode Fuzzy Hash: 04530ec8fba2334f2fcdc8878573bb7f05099e2a6f54a8cb107551091f0a8364
Instruction Fuzzy Hash: 41518E715183019FD710EF24C886A6BBBE8FF89714F00892EF58997292EB30D954CF92

Function 00241391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002414C0

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: da8b21b157d909829246e819b24ad6320f4ae3cedce058b692c07ac87c518aaf
Instruction ID: c3a6086dfe949f45cd2ab9903357572993b3fd8af9b408dc79ca0b8cbba0210f
Opcode Fuzzy Hash: da8b21b157d909829246e819b24ad6320f4ae3cedce058b692c07ac87c518aaf
Instruction Fuzzy Hash: 90417F71A30111ABDB297FF8AC466BE3AB4EF42370F240266F819D6191E77448F15A71

Function 00296278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002962E2
ScreenToClient.USER32(?,?), ref: 00296315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00296382

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction ID: 3e8403220b1184dbc9686154a2feeb6956cdff38fe21c0da8dfd1bf5f01640d8
Opcode Fuzzy Hash: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction Fuzzy Hash: 48513C7491020AAFDF14DF64D8889AE7BF5EF45760F1081AAF81597290D730EDA1CB50

Function 00281AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00281AFD
WSAGetLastError.WSOCK32 ref: 00281B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00281B8A
WSAGetLastError.WSOCK32 ref: 00281B94

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction ID: 72560653ba590221a7f9f2c4a58f8f0957267435a79a2bf0f123d623736997bb
Opcode Fuzzy Hash: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction Fuzzy Hash: C241F4786103016FE720AF24C88AF6577E5AB44718F548448F91A9F3D3D772EDA2CB90

Function 0023B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction ID: cc6a6699caccb3d534cb872ebb201a7bd4caf1b9f28ee5c52d1e42c76186daeb
Opcode Fuzzy Hash: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction Fuzzy Hash: 6D412BB6A20314BFD7259F78CC51B6ABBF9EB88710F10452EF641DB281D77199618B80

Function 002756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00275783
GetLastError.KERNEL32(?,00000000), ref: 002757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002757FA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction ID: b4f1062eebcabc105ee8efa0bbba4303f61c43baacb2ccf782640a005f0f2381
Opcode Fuzzy Hash: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction Fuzzy Hash: 3B410839610611DFCB11EF15C544A5ABBE2AF89320B59C489EC4AAB3A2CB74FD50CF91

Function 0023D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00226D71,00000000,00000000,002282D9,?,002282D9,?,00000001,00226D71,?,00000001,002282D9,002282D9), ref: 0023D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0023D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0023D9AB
__freea.LIBCMT ref: 0023D9B4

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction ID: 700b49650160d7f36e94fca4f1aae9bdedc3ad7366a03dc8db94583fce4bb94e
Opcode Fuzzy Hash: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction Fuzzy Hash: C331F0B2A2021AABDF25DF64EC45EAE7BA5EF40310F150169FC04D7250EB35CD60CBA0

Function 002952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00295352
GetWindowLongW.USER32(?,000000F0), ref: 00295375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00295382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002953A8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction ID: 60fdfb1a6ad7b9744293e714709d29831a7f96951afae6648457480174727e32
Opcode Fuzzy Hash: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction Fuzzy Hash: F7310330B75A29FFEF369E14DC19BE83765AB04390F584182FA00961E1C3F09DA09B49

Function 0026AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0026ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0026AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0026AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0026ACC6

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction ID: d81e6516278931a9401f2f23c99e29867e77a7d1a6cecfc7f12e2e624ca59ee9
Opcode Fuzzy Hash: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction Fuzzy Hash: 9D310730A20719AFEF35CF658C087FA7BA9AB89310F14431BE485A21D1C375D9E59F52

Function 00297674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0029769A
GetWindowRect.USER32(?,?), ref: 00297710
PtInRect.USER32(?,?,00298B89), ref: 00297720
MessageBeep.USER32(00000000), ref: 0029778C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction ID: 670be0a97f89866cb8dd420f51c005c51e06e16bf7169fba410493433beafe8d
Opcode Fuzzy Hash: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction Fuzzy Hash: FB416B34A29215EFCF11CF98D898EE9B7F5FF89314F1581A9E8149B261C730A961CF90

Function 002916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002916EB

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

GetCaretPos.USER32(?), ref: 002916FF
ClientToScreen.USER32(00000000,?), ref: 0029174C
GetForegroundWindow.USER32 ref: 00291752

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction ID: f3e589e9e444a71ac47138b2ed21f1dfd2fd8e1134eb8f88266e358b217c25ce
Opcode Fuzzy Hash: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction Fuzzy Hash: 89313075D10249AFDB00EFA5C8858AEB7F9EF48304B5080AAE415E7252D7319E55CFA1

Function 00298FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

GetCursorPos.USER32(?), ref: 00299001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00257711,?,?,?,?,?), ref: 00299016
GetCursorPos.USER32(?), ref: 0029905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00257711,?,?,?), ref: 00299094

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction ID: 84a19348448f67ccd887facc0c3262115a8a74c56a8de84949d036b3cbd0ab7c
Opcode Fuzzy Hash: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction Fuzzy Hash: 29219F35610018FFDF258F99D858EEA7BB9EB8A360F14406AF91597261C3329DB0DB60

Function 0026D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0029CB68), ref: 0026D2FB
GetLastError.KERNEL32 ref: 0026D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0026D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0029CB68), ref: 0026D376

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction ID: 335990a6eb62b95ffb642a64d4c2b4c850f2ee6026130e50276090c98c509ead
Opcode Fuzzy Hash: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction Fuzzy Hash: F5219170A243069FC710EF24D88586A77E4AE56324F604A5DF899C73E2E730D9A5CF93

Function 00261571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
Part of subcall function 00261014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
Part of subcall function 00261014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
Part of subcall function 00261014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002615BE
_memcmp.LIBVCRUNTIME ref: 002615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00261617
HeapFree.KERNEL32(00000000), ref: 0026161E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction ID: ae8ed5c1efb0c1b06a70d69609c040e5803fe0260561681d1b45b78d13bb76de
Opcode Fuzzy Hash: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction Fuzzy Hash: B421AC71E10109EFDF10DFA8D949BEEB7B8EF44354F184459E445AB241E730BAA5CBA0

Function 00292782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0029280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00292840

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7e43cc7d0294e4f9c2b3a8ac65e4e2396182cf19cf59811d0966a28b33083f10
Instruction ID: 6cb64dbabd66d5a2d6410cc3fb8ade679bb3936e4c18141b5985dbf9b068af76
Opcode Fuzzy Hash: 7e43cc7d0294e4f9c2b3a8ac65e4e2396182cf19cf59811d0966a28b33083f10
Instruction Fuzzy Hash: FA21B231214111FFDB14DB24CC44FAABB95AF45324F248159F41A9B6E2CB71EC56CBA0

Function 002678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00268D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268D8C
Part of subcall function 00268D7D: lstrcpyW.KERNEL32(00000000,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00268DB2
Part of subcall function 00268D7D: lstrcmpiW.KERNEL32(00000000,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267923
lstrcpyW.KERNEL32(00000000,?,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267984

Strings

cdecl, xrefs: 0026797B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c3b09b04cd9d186106f5e7f5fe247e1c08537848bdd6bf41f461f7eb5bcfdb8a
Instruction ID: 8a67b4529732ebffd2416bfde3058276cbbbff0b97a49b5f4702aa0fc4adc2e8
Opcode Fuzzy Hash: c3b09b04cd9d186106f5e7f5fe247e1c08537848bdd6bf41f461f7eb5bcfdb8a
Instruction Fuzzy Hash: 8911293A211342ABCB155F38E844D7A77E5FF45354B50402AF806C7264EB319861CB61

Function 00295660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002956BB
_wcslen.LIBCMT ref: 002956CD
_wcslen.LIBCMT ref: 002956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction ID: 3f3f0a00c975b1078c7e8079e85041586129136c4cbe826201b60dbcb286c625
Opcode Fuzzy Hash: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction Fuzzy Hash: 4511D671730625A6EF21DFA1DC85AEE776CFF11760B104026F915D6081E7B0C9A4CFA0

Function 00261A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00261A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A8A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction ID: 90cb43e5ebf77f4b300804fa42cb07d475ce895a656b9d73d9aac991d46669f3
Opcode Fuzzy Hash: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction Fuzzy Hash: 7F11393AD11219FFEB10DBE4CD85FADBB78EB08750F240492EA04B7294D6716E60DB94

Function 0026E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0026E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0026E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0026E24D

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction ID: 5e4856828bce2e1342cbb18a2f1b46470847c0b0bce7788e99e48a06e81c91e9
Opcode Fuzzy Hash: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction Fuzzy Hash: 95112676D14214BFCB019FA8FC0DA9E7FADAB45320F104256FC24E3291D2B0CE6487A0

Function 0022D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0022CFF9,00000000,00000004,00000000), ref: 0022D218
GetLastError.KERNEL32 ref: 0022D224
__dosmaperr.LIBCMT ref: 0022D22B
ResumeThread.KERNEL32(00000000), ref: 0022D249

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction ID: d9d51a5021733fc2fbf765706d5ba1a02f0b85bc64d55c370244c6ccda8a1c20
Opcode Fuzzy Hash: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction Fuzzy Hash: E701D636425225FBDB115FE5FC09BAE7A69DF82730F20031AFD25961D1CF708921CAA0

Function 0020600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
GetStockObject.GDI32(00000011), ref: 00206060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction ID: 30d3e0f71ce86595605452efdbf4b26e18a56a03901ca5214f0cff9988eb7544
Opcode Fuzzy Hash: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction Fuzzy Hash: 0611AD72511609BFEF124FA4DC48EEABB6EFF083A4F100202FA0452051C7329C70EBA0

Function 00223B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00223B56

Part of subcall function 00223AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00223AD2
Part of subcall function 00223AA3: ___AdjustPointer.LIBCMT ref: 00223AED

_UnwindNestedFrames.LIBCMT ref: 00223B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00223B7C
CallCatchBlock.LIBVCRUNTIME ref: 00223BA4

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 46fe9b38b0c4939ac8a7a2a37263148d2239d538864c9e23525e47d98dee691e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E4012932110159BBDF12AE95EC42EEB3F6AEF48758F044014FE4856121C736E971DFA0

Function 00233073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002013C6,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue), ref: 002330A5
GetLastError.KERNEL32(?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000,00000364,?,00232E46), ref: 002330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000), ref: 002330BF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction ID: 16934cca70a464f22534972fc75a1ad295e5982b5bf9527a01dfa89ecbb7f538
Opcode Fuzzy Hash: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction Fuzzy Hash: EC01D472731623ABCB258F78AC88A577B98AF45B61F200622F905E7150CB21DB11C6E0

Function 00267464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0026747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00267497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002674CA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction ID: 5398a862a883c5a55708b1cb9f50cea53f1f3ca1da124c7ee5772df4f5704d37
Opcode Fuzzy Hash: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction Fuzzy Hash: EC11A1B52153119BF7208F14FD0CB927BFCEB40B08F20856AA616D6191DBB0E954DBA0

Function 0026B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B126

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction ID: 20af093f64cc802c5afb58dbc02c1014d284824529d63eed84d737a0084d95ad
Opcode Fuzzy Hash: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction Fuzzy Hash: AD116D31C2152DEBCF01AFE4E998AEEBF78FF0A711F11409AD945B2185CB7096E08B55

Function 00262DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
GetCurrentThreadId.KERNEL32 ref: 00262DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction ID: 4c89f40fe3564f653626f59ff8a22a3f2bf43c95e54f6b63b397fb95c2dcce0c
Opcode Fuzzy Hash: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction Fuzzy Hash: 4DE09271111624BBDB201F72AC0DFEB3E6CEF83BA1F500416F105D10909AA1C884C6B0

Function 00298863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00298887
LineTo.GDI32(?,?,?), ref: 00298894
EndPath.GDI32(?), ref: 002988A4
StrokePath.GDI32(?), ref: 002988B2

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction ID: 661d4b4d2452cd7e4d3d4ca42b2b7bfbd84bc0c0791e439d78c8198db453887f
Opcode Fuzzy Hash: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction Fuzzy Hash: 81F03A36052299BADB126F94BC0DFCA3B59AF06310F148002FA15650E1C7755561CFB9

Function 002198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002198CC
SetTextColor.GDI32(?,?), ref: 002198D6
SetBkMode.GDI32(?,00000001), ref: 002198E9
GetStockObject.GDI32(00000005), ref: 002198F1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction ID: a035443598a55f24440e2c58b1f480a3543a2518abde18cc965d3fad3240afd2
Opcode Fuzzy Hash: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction Fuzzy Hash: D6E06D31284280ABDB215F74BC0DBE83F60AB12336F24821AFAFA581E1C77146949B10

Function 0026162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00261634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002611D9), ref: 00261648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026164F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction ID: 7c8d9100274f8252f2755d25a9a06aa8e0c286356fb598774224056e5dd922ec
Opcode Fuzzy Hash: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction Fuzzy Hash: 4AE08635601211EBD7201FA0BE0DB463B7CAF44791F288809F745C9080D6345490C764

Function 0025D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D858
GetDC.USER32(00000000), ref: 0025D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction ID: 3eb72b2cfe83e84c9341403d72a6538f11d78c4cbd28fac1e1a358ee227335a4
Opcode Fuzzy Hash: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction Fuzzy Hash: ACE01AB1810205DFCF419FA0E80C66DBBB5FB48311F24800AE816E7250CB799951AF50

Function 0025D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D86C
GetDC.USER32(00000000), ref: 0025D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction ID: 62c750168ca4a692ae55fb4ea27041abc9125a37ca6c1d7415e9399c2b1b115e
Opcode Fuzzy Hash: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction Fuzzy Hash: 7FE092B5810205EFCF51AFA0E80C66DBBB9BB48311F24844AE95AE7260CB799951AF50

Function 00274D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00274ED4

Strings

LPT, xrefs: 00274DFB
*, xrefs: 00274E10

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e23c314e031a915fac55c8910f39ec176d553a2047dc1478d1e64988c1a72961
Instruction ID: 724635b69fd97e77ec21f55a6a85a516c309761552f438f3df8ea5e9e3bd696a
Opcode Fuzzy Hash: e23c314e031a915fac55c8910f39ec176d553a2047dc1478d1e64988c1a72961
Instruction Fuzzy Hash: CB916E75A102159FCB14EF58C484EAABBF1AF49304F18C099E80A9F7A2C771ED95CF91

Function 0022E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0022E30D

Strings

pow, xrefs: 0022E2E5, 0022E302

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction ID: a5b3c2f230a646e66ede4c2a1f4f778f28c28f8f5343e967aa9da93d984c5e3c
Opcode Fuzzy Hash: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction Fuzzy Hash: A9518DE1A3C207F6CF31BF58E9013793B94AF40741F304999E496822E9DF348CB5AA42

Function 00287771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,?,00000000,00000000), ref: 002878DD

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,00000000,?,00000000,00000000), ref: 0028783B

Strings

<s,, xrefs: 002877C8

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s,
API String ID: 3544283678-3841622832
Opcode ID: 74aaabb479a08ccffeae7c179b8ac7afa56655e3004e9cb3bd86a77db752bac8
Instruction ID: 24d26f1cb357e6f69e06a80d77f8e83590183b988bd545dd6323c2f4dc5b4166
Opcode Fuzzy Hash: 74aaabb479a08ccffeae7c179b8ac7afa56655e3004e9cb3bd86a77db752bac8
Instruction Fuzzy Hash: 8F614B76934219AACF04FBA4CC95DFDB378BF14700B644129E542A30D2EF70AA65DFA0

Function 0021E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0021E1B1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction ID: 42205d2b47f07103e14acf55cff0a721cd9661cb134749edeb991bf232038725
Opcode Fuzzy Hash: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction Fuzzy Hash: 40513331920356DFDF18DF28C891AFABBE8EF29310F254015EC519B2D0D6309EA6CB90

Function 0021F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0021F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0021F2BB

Strings

@, xrefs: 0021F2AF

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction ID: 2b7846664409691e0c5bd1f3538b7a3d93005d473ea33ed31d1f80f758a41682
Opcode Fuzzy Hash: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction Fuzzy Hash: A55149714187459BD320AF10EC8ABABB7F8FB84300F91495DF1D9411A6EB709539CB67

Function 00285745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002857E0
_wcslen.LIBCMT ref: 002857EC

Strings

CALLARGARRAY, xrefs: 002857E6, 002857EB

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 61c593167751d18279a58b62584dc2e691580dfcea938213402b4b4b4e7e18f3
Instruction ID: 8e85b84912109a0ce8b8529239e29c655664d994320c98e6f77a6d229093fd2b
Opcode Fuzzy Hash: 61c593167751d18279a58b62584dc2e691580dfcea938213402b4b4b4e7e18f3
Instruction Fuzzy Hash: A341A035E212199FCB14EFA8C8859AEBBF5EF59310F10402AE505A7292E7709DE1CF90

Function 0027D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0027D13A

Strings

|, xrefs: 0027D10B

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction ID: 6760c3c8a10f1fef9dee3c8d4d938249f1ea60dbc46f531be8d1c31b86f97be8
Opcode Fuzzy Hash: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction Fuzzy Hash: 37313971D11219ABCF15EFA4CC85EEEBFB9FF05300F404019E819A61A2D731AA66CF60

Function 0029356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00293621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0029365C

Strings

static, xrefs: 002935BC

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction ID: 27223ea3f96b0adaf7f2f0178b9d270527b33be08544a8206c841c36c90e24d5
Opcode Fuzzy Hash: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction Fuzzy Hash: BF318F71120205AADB10DF68DC80EFB73ADFF89724F108619F8A5D7290DA31ADA1DB64

Function 00294537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0029461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00294634

Strings

', xrefs: 0029458E

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction ID: 060125bf79822bc748d2f31ac7ea3b11e1aa5131439228378c3d1a7697c62d27
Opcode Fuzzy Hash: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction Fuzzy Hash: 673137B4A1120A9FDF14DFA9C990BDA7BB9FF19300F51416AE904AB341D770A952CF90

Function 002931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0029327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00293287

Strings

Combobox, xrefs: 00293249

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction ID: 9034d278bd93eb1f598704f7303a9b3df57575cce82e3d118df20f0400998914
Opcode Fuzzy Hash: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction Fuzzy Hash: C211D071B202097FFF25DF94DC84EBB376AEB94364F100129F91897290D6319D618B60

Function 00293710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

GetWindowRect.USER32(00000000,?), ref: 0029377A
GetSysColor.USER32(00000012), ref: 00293794

Strings

static, xrefs: 00293757

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction ID: 1df6d20489f5f5790e12f85ecf10ade8f9cdeb8f753b020459ffe34109de7573
Opcode Fuzzy Hash: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction Fuzzy Hash: 98113AB262020AAFDF00DFA8CC49EEA7BB8FB09314F104915F955E2250D775E8619B50

Function 0027CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0027CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0027CDA6

Strings

<local>, xrefs: 0027CD66

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction ID: a92a30c81f3fdac0f3a425f6ee19097c1b30ba9745ed2c856674f32a498cceeb
Opcode Fuzzy Hash: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction Fuzzy Hash: 9911A771125632BAD7384A769C49FE7BE5CEB167A4F20823EB10D82180D6749850D6F0

Function 00293429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002934BA

Strings

edit, xrefs: 0029348F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction ID: 9469c986c37651be9db2b54a88f66b86219e535fe50a07f041cd588657aced63
Opcode Fuzzy Hash: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction Fuzzy Hash: 30118C71120209ABEF128F64EC48ABB37AAEF05378F615724F965931E0C771EC619B60

Function 00266C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

CharUpperBuffW.USER32(?,?,?), ref: 00266CB6
_wcslen.LIBCMT ref: 00266CC2

Strings

STOP, xrefs: 00266CBC, 00266CC1

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction ID: 6d4f61e257e52c88b701ef96aba7109a003ccaf5fb4784f43b46a1ba0f5385f0
Opcode Fuzzy Hash: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction Fuzzy Hash: 590108326309278ACB109FFDDC489BF73B4EE61710F100529E452921D1EA31D8A0C650

Function 00261BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00261C46

Strings

ListBox, xrefs: 00261C10
ComboBox, xrefs: 00261BE5

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction ID: caa5814eaf462ad81bb360c61ee264239e29298dd6750c3f0899ece3ed418784
Opcode Fuzzy Hash: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction Fuzzy Hash: 3001FC71A6020466CB04EB90C951EFF77A89F15340F14001BF406632C3EA20AEB88AB2

Function 0021A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021A529

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Strings

3y%, xrefs: 0021A545, 0021A54D, 0021A552
,%-, xrefs: 0021A509

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%-$3y%
API String ID: 2551934079-1204127486
Opcode ID: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction ID: 1c88e8281cc475c0e2aa66238f99820bdd904744b2e16613594962050b017652
Opcode Fuzzy Hash: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction Fuzzy Hash: 59014731F32210A7CA04F768B84BA9D33A58B15720F904015F502172C3DE605DA58E97

Function 00298172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D3018,002D305C), ref: 002981BF
CloseHandle.KERNEL32 ref: 002981D1

Strings

\0-, xrefs: 0029818A

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0-
API String ID: 3712363035-8283200
Opcode ID: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction ID: c4549b104426277149361aa72bd687e89d8575d342fbd9a18f14c22755937189
Opcode Fuzzy Hash: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction Fuzzy Hash: 48F05EB2A51310BBE320AB61FC49FB73B5CDB05752F000462BB08D51A2D6768E2487BA

Function 0028747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00287493
_wcslen.LIBCMT ref: 002874B9

Strings

3, 3, 16, 1, xrefs: 00287483

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction ID: d0f4a570578ec79737ae4fa9d8e7918790fa8f06a220c15e5b3f1a882f80ce2e
Opcode Fuzzy Hash: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction Fuzzy Hash: 90E02B0A23627120923136B9ACC1A7F5699DFC5750734182BF985C22A6EAD4CDF193A0

Function 00260B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00260B23

Strings

AutoIt, xrefs: 00260B17
Error allocating memory., xrefs: 00260B1C

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5ab994a07049ad1343649ac75ada5e2d2c815b4170840df6f65a260eef557532
Instruction ID: 4967745fe8ad30d3c8b867ca185072c354d51c192cde139cb312976a2070a257
Opcode Fuzzy Hash: 5ab994a07049ad1343649ac75ada5e2d2c815b4170840df6f65a260eef557532
Instruction Fuzzy Hash: 73E0D83126431836D6143B947C07FD97AC48F05B20F20042BF758594C38AE164F00AE9

Function 00220D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0021F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00220D71,?,?,?,0020100A), ref: 0021F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0020100A), ref: 00220D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0020100A), ref: 00220D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00220D7F

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction ID: 5035213a992191e0deb8f9d802a725d3ff47a4364a7d247755243894615987b2
Opcode Fuzzy Hash: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction Fuzzy Hash: A8E092706113119BE7B09FF8F5487427BE0EF00740F00492EE886C6656DBB0E4548F91

Function 0021E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021E3D5

Strings

0%-, xrefs: 0021E3B5
8%-, xrefs: 0021E3CA

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%-$8%-
API String ID: 1385522511-4080731599
Opcode ID: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction ID: 1a8ca7b6fd97f4ff07864cbdc6a61ca26e165344e83661b409d96bab988f8ac7
Opcode Fuzzy Hash: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction Fuzzy Hash: B7E02031831920CBCE0C9758BE9CDDC3391BB343207D102E7F862871D19B301CA58954

Function 00273017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0027302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00273044

Strings

aut, xrefs: 00273038

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction ID: 83c185eb732629372461b675e988c048dcdd6afc5175b45cdddb03e07497cdef
Opcode Fuzzy Hash: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction Fuzzy Hash: 5FD05E7290032877DA20A7A4AC0EFCB3A6CDB05750F0002A2BA59E2091DAB09984CAE0

Function 00292322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0029233F

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292325

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction ID: 03b27780f0aceb36338ecbe91bbf885a38c7be07847ba7182262473f076576a5
Opcode Fuzzy Hash: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction Fuzzy Hash: 40D012763E5310B7EA68B770EC4FFC6BA289F40B10F114E177749AA1D4C9F0A855CA54

Function 00292356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029236C
PostMessageW.USER32(00000000), ref: 00292373

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292365

Memory Dump Source

Source File: 00000000.00000002.1300551740.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.1300506428.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300648849.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300751747.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1300789947.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction ID: b9086f38f455c62ddab6361448c4858a52e5a6a1cf372da7c7d6388fdd7aa7d4
Opcode Fuzzy Hash: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction Fuzzy Hash: F5D0A9323D13007AEA68A330EC0FFC6A6289B00B00F110A167205AA0D0C8A0A8108A04

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1426303801.000001DD60959000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415288444.000001DD60958000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1367634974.000001DD580CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423350443.000001DD58158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359924609.000001DD5DCBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1359924609.000001DD5DCBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422964474.000001DD5817B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1369255504.000001DD578F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1448790189.000001DD56F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1419846056.000001DD5DE41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1367634974.000001DD580CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423350443.000001DD58158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1368503963.000001DD58059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1368503963.000001DD58059000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1359924609.000001DD5DCBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422964474.000001DD5817B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1446329213.000001DD57B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2478313808.000001DBB2F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478092164.00000191E1A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1450455828.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428573226.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464210834.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1421575948.000001DD58E4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1437236769.000001DD58E4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1446287467.000001DD57D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1450455828.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428573226.000001DD57F9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464210834.000001DD57F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1465766940.000001DD5735C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1447414031.000001DD5735C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49885 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2baf1c1-67a3-4dbf-b204-8d4bc03195f7.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2baf1c1-67a3-4dbf-b204-8d4bc03195f7.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre