Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1573930
MD5:	124221b530ca975f2847f8f37293111b
SHA1:	5e51ff04704116f685e51409df3f90fbc9b2a550
SHA256:	96112838ce17a15021afa6dad493c52fa89486c2a145d658966c6618093635e3
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 124221B530CA975F2847F8F37293111B)

taskkill.exe (PID: 6364 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1084 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6004 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3452 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1476 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3648 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4068 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5512 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c498fc-5a65-420d-ab47-2949d9af209f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c878e6ff10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3168 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 3448 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5adba865-d61c-4404-a32a-e340b4d1a3c6} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c809bf6710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7396 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4880 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bcef83-51b2-46da-97d3-fe6f72949a97} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c80ac13710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6484	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4e950e3a-5
Source: file.exe, 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c9175be-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eb9fa329-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6ef22c2b-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04B6BB7 NtQuerySystemInformation,		17_2_00000240D04B6BB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04D9532 NtQuerySystemInformation,		17_2_00000240D04D9532

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA2046	0_2_00CA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38060	0_2_00C38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C98298	0_2_00C98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6E4FF	0_2_00C6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6676B	0_2_00C6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC4873	0_2_00CC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CAF0	0_2_00C3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5CAA0	0_2_00C5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CC39	0_2_00C4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C66DD9	0_2_00C66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C391C0	0_2_00C391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4B119	0_2_00C4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51394	0_2_00C51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51706	0_2_00C51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5781B	0_2_00C5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C519B0	0_2_00C519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4997D	0_2_00C4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C37920	0_2_00C37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57A4A	0_2_00C57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57CA7	0_2_00C57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51C77	0_2_00C51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C69EEE	0_2_00C69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBBE44	0_2_00CBBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51F32	0_2_00C51F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04B6BB7	17_2_00000240D04B6BB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04D9532	17_2_00000240D04D9532
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04D9C5C	17_2_00000240D04D9C5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000240D04D9572	17_2_00000240D04D9572

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C39CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C4F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/41@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA37B5 GetLastError,FormatMessageW,

0_2_00CA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C910BF AdjustTokenPrivileges,CloseHandle,		0_2_00C910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2210461024.000001C815D82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214487594.000001C812869000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2271816947.000001C811696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233484613.000001C811694000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c498fc-5a65-420d-ab47-2949d9af209f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c878e6ff10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 3448 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5adba865-d61c-4404-a32a-e340b4d1a3c6} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c809bf6710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4880 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bcef83-51b2-46da-97d3-fe6f72949a97} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c80ac13710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c498fc-5a65-420d-ab47-2949d9af209f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c878e6ff10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 3448 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5adba865-d61c-4404-a32a-e340b4d1a3c6} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c809bf6710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4880 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bcef83-51b2-46da-97d3-fe6f72949a97} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c80ac13710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2134323954.000001C8086DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2152949869.000001C8086C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2152949869.000001C8086C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2151833304.000001C8086BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2134323954.000001C8086DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2151833304.000001C8086BA000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3A430 push FFFFFFA1h; ret		0_2_00C3A44E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50A76 push ecx; ret		0_2_00C50A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96955

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000240D04B6BB7 rdtsc

17_2_00000240D04B6BB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6C2A2 FindFirstFileExW,	0_2_00C6C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA68EE FindFirstFileW,FindClose,	0_2_00CA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: file.exe, 00000000.00000003.2109300072.000000000174F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110950296.000000000175F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109521564.0000000001754000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112068763.0000000001766000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: firefox.exe, 00000011.00000002.3899466366.00000240D0500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: firefox.exe, 00000011.00000002.3899466366.00000240D0500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/
Source: firefox.exe, 00000011.00000002.3899466366.00000240D0500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: firefox.exe, 00000012.00000002.3898451383.0000018820B85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000010.00000002.3895501148.000002680995A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPC
Source: file.exe, 00000000.00000003.2035295792.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2037090908.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036690761.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035116791.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035742671.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106341845.000000000178E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036272664.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035199928.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109463232.0000000001790000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035439689.000000000178B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2037956397.000000000178E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3899202192.0000026809E13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3896606616.0000026809A70000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3895501148.000002680995A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3899466366.00000240D0500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000240D04B6BB7 rdtsc

17_2_00000240D04B6BB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAEAA2 BlockInput,

0_2_00CAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C90B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C509D5 SetUnhandledExceptionFilter,	0_2_00C509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C72BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9B226 SendInput,keybd_event,

0_2_00C9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CB22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C50698 cpuid

0_2_00C50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D21C GetLocalTime,

0_2_00C8D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D27A GetUserNameW,

0_2_00C8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00C6B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6484, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6484, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	26%	ReversingLabs	Win32.Ransomware.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.206	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2271048075.000001C80BC6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111556773.000001C80BC6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3896211733.00000240CFFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3896240715.0000018820AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2212152052.000001C815C5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2229679184.000001C80B22C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237993402.000001C80B22C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2109510557.000001C810E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191314571.000001C810E2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2108441979.000001C810E3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2253953782.000001C87FDB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3897028962.0000026809DCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3896211733.00000240CFFEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3898707451.0000018820D03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3896240715.0000018820A8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243100846.000001C81135E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2111283213.000001C811095000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221990291.000001C8110C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272853450.000001C8110D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250418629.000001C80BB90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2268150891.000001C8110C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2214487594.000001C8128EC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2260427909.000001C808A7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2229679184.000001C80B24F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251765087.000001C80B0F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246377469.000001C80B0ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238082592.000001C80B0E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2085323147.000001C809057000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085459619.000001C809073000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085200108.000001C80903A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084914776.000001C808E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085077433.000001C80901E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2112503837.000001C80A6A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238134982.000001C80ACF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2266718731.000001C81166C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2224330363.000001C810F4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2085323147.000001C809057000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185658404.000001C80AE14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246456686.000001C80AC6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295347942.000001C80AC70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085459619.000001C809073000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085200108.000001C80903A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084914776.000001C808E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085077433.000001C80901E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2260427909.000001C808A7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2245733425.000001C80C84A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2085323147.000001C809057000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085459619.000001C809073000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085200108.000001C80903A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2084914776.000001C808E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2085077433.000001C80901E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2235976049.000001C810D68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257365286.000001C809DD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2295737140.000001C80A9F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2260191382.000001C808AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2229679184.000001C80B22C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://exslt.org/dates-and-times	firefox.exe, 0000000E.00000003.2263869162.000001C87FD5F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2251131706.000001C80B5A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2214765815.000001C804C7D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1539075https://bugzilla.mozilla.org/show_bug.cgi?id=161	firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2127605041.000001C80A495000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127856452.000001C80A4A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127089032.000001C80A468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243100846.000001C81135E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2236992211.000001C80BB62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250322613.000001C80BBA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2250041216.000001C811069000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271048075.000001C80BC6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111556773.000001C80BC6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3896211733.00000240CFFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3896240715.0000018820AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2225636454.000001C80C8B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245011279.000001C80C8B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2127605041.000001C80A495000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127089032.000001C80A468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2309059326.000001C80AD18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2229469113.000001C80B647000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2229914443.000001C80B0B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254237775.000001C80B0B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2256873379.000001C80A0B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2295424593.000001C80AA82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2253953782.000001C87FDB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3897028962.0000026809DCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3896211733.00000240CFFEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3898707451.0000018820D03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2253953782.000001C87FDB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3897028962.0000026809DCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3896211733.00000240CFFEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3898707451.0000018820D03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3896240715.0000018820A13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243100846.000001C81135E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3898153669.0000018820B70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2229679184.000001C80B24F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1607439Can	firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2224330363.000001C810F4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2295737140.000001C80A928000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2260427909.000001C808A7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2127605041.000001C80A495000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2257365286.000001C809DC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202948533.000001C80A3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2112175413.000001C80B8DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200729142.000001C80ABBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239646063.000001C80AD66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185005842.000001C80ABB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090976078.000001C80A3ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259272398.000001C809666000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301765054.000001C808230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124092602.000001C80A3C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255794214.000001C809FC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118886714.000001C80ABA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183935419.000001C80AEDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231224068.000001C815CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259710557.000001C80949B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124092602.000001C80A3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227013627.000001C80C825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206923720.000001C808230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312095942.000001C809FF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211556117.000001C80A3CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191053917.000001C810E87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2245733425.000001C80C84A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2245733425.000001C80C84A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2235976049.000001C810DD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2251131706.000001C80B5A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229679184.000001C80B24F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223494275.000001C810F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2251131706.000001C80B5A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229679184.000001C80B24F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223494275.000001C810F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2295737140.000001C80A928000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2109510557.000001C810E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191314571.000001C810E2F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2294454613.000001C810F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223680097.000001C810F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2215651763.000001C81138A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111029006.000001C81138E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243100846.000001C81138A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113552918.000001C80B367000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267818539.000001C81138F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309954152.000001C811390000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C81138A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2220101593.000001C814DBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2260191382.000001C808AD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189948245.000001C808C73000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2127605041.000001C80A495000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2255275583.000001C80A0D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3896459024.0000026809A30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3895792939.00000240CFDB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3895790678.00000188207A0000.00000002.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573930
Start date and time:	2024-12-12 18:08:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/41@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 47 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.213.181.160, 44.228.225.150, 35.85.93.176, 172.217.17.46, 23.55.161.211, 23.55.161.185, 142.250.181.138, 172.217.19.202, 23.218.208.109, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	k5NcGFI29j.exe	Get hash	malicious	Jigsaw	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	k5NcGFI29j.exe	Get hash	malicious	Jigsaw	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	k5NcGFI29j.exe	Get hash	malicious	Jigsaw	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	93.184.215.14
	k5NcGFI29j.exe	Get hash	malicious	Jigsaw	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	157.240.196.35
	https://connect-velocity-33392.my.salesforce-sites.com/help	Get hash	malicious	Unknown	Browse	157.240.196.35
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	157.240.196.35
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	157.240.196.35
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	157.240.196.35
	https://www.amberdrinks.lt/	Get hash	malicious	Unknown	Browse	157.240.196.35
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	104.244.42.65
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	104.244.42.193
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	igmbio.pdf	Get hash	malicious	Unknown	Browse	185.199.108.153
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://docs.google.com/presentation/d/e/2PACX-1vRMxSBYgTIj7bH-OYJSKudpxaekmSD6B-b603kyy-2ygb7TXyfRQC-hU8fjYDSrrObCUBq88ZmRswwh/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	151.101.2.137
	NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdf	Get hash	malicious	Unknown	Browse	199.232.168.157
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	MOV-4106720318-MMS028.mp4.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://forms.office.com/e/YpaL2Dw0r2	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://connect-velocity-33392.my.salesforce-sites.com/help	Get hash	malicious	Unknown	Browse	151.101.194.137
	New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html	Get hash	malicious	Unknown	Browse	151.101.130.137
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	34.117.59.81
	Josho.mips.elf	Get hash	malicious	Unknown	Browse	34.119.80.120
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.arm.elf	Get hash	malicious	Unknown	Browse	48.5.156.234
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	50.9.28.6
	2.elf	Get hash	malicious	Unknown	Browse	48.13.8.28
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	48.44.139.74
	Non_disclosure_agreement.lnk.download.lnk	Get hash	malicious	Unknown	Browse	34.49.241.189
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.arm.elf	Get hash	malicious	Unknown	Browse	48.5.156.234
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	50.9.28.6
	2.elf	Get hash	malicious	Unknown	Browse	48.13.8.28
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	48.44.139.74
	Non_disclosure_agreement.lnk.download.lnk	Get hash	malicious	Unknown	Browse	34.49.241.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_9e9c0082-7c11-4da8-82d5-0c31ec2fda48.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179783144505099
Encrypted:	false
SSDEEP:	192:UjKMXQSNcbhbVbTbfbRbObtbyEl7ngrBJA6wnSrDtTkd/S6:kPxcNhnzFSJAr8jnSrDhkd/H
MD5:	C92B59B0C2DCA7140A406921A2195DBC
SHA1:	43788928F84375E90D74839C144BCF70125B8702
SHA-256:	5C99B279B9EFC5D8A1EDA37876B84A4F236DFFE76CAEA934734329FC7222A816
SHA-512:	98E11F966410893F82C9462F4BF149B2E350740ACDBF83C6F92BAEBCBAAFE74E4D53482669B20C0D60F3A617D816F0553463A02B07F64E118C1AEF6B70371211
Malicious:	false
Preview:	{"type":"uninstall","id":"9e9c0082-7c11-4da8-82d5-0c31ec2fda48","creationDate":"2024-12-12T18:55:58.669Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_9e9c0082-7c11-4da8-82d5-0c31ec2fda48.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179783144505099
Encrypted:	false
SSDEEP:	192:UjKMXQSNcbhbVbTbfbRbObtbyEl7ngrBJA6wnSrDtTkd/S6:kPxcNhnzFSJAr8jnSrDhkd/H
MD5:	C92B59B0C2DCA7140A406921A2195DBC
SHA1:	43788928F84375E90D74839C144BCF70125B8702
SHA-256:	5C99B279B9EFC5D8A1EDA37876B84A4F236DFFE76CAEA934734329FC7222A816
SHA-512:	98E11F966410893F82C9462F4BF149B2E350740ACDBF83C6F92BAEBCBAAFE74E4D53482669B20C0D60F3A617D816F0553463A02B07F64E118C1AEF6B70371211
Malicious:	false
Preview:	{"type":"uninstall","id":"9e9c0082-7c11-4da8-82d5-0c31ec2fda48","creationDate":"2024-12-12T18:55:58.669Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2514MH3B5R7JZV5A4DXY.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.308487570628513
Encrypted:	false
SSDEEP:	48:XEdiBXUgdwrz5EdiBR6BdwtvEdiBRadwv1:XeZNZl
MD5:	B090DBAA0E63053109432C06F8C73C29
SHA1:	D13ED4F0C573D4769E307D017E70C06E87A4DC94
SHA-256:	A1A801A20BDFB5DD409715596C64546DE95F3C68870F6F01B06E58520896BD19
SHA-512:	3C2A941DF6536B6A5BF8237538FBF95525F5FBA03C31B3B70F7FD558785BF4CD512B948CF29B2C394D84E4588C079EF6B5DF6D76D74FCFDBF4DD789510810743
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......A....L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y'.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y'.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y'...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............b.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.308487570628513
Encrypted:	false
SSDEEP:	48:XEdiBXUgdwrz5EdiBR6BdwtvEdiBRadwv1:XeZNZl
MD5:	B090DBAA0E63053109432C06F8C73C29
SHA1:	D13ED4F0C573D4769E307D017E70C06E87A4DC94
SHA-256:	A1A801A20BDFB5DD409715596C64546DE95F3C68870F6F01B06E58520896BD19
SHA-512:	3C2A941DF6536B6A5BF8237538FBF95525F5FBA03C31B3B70F7FD558785BF4CD512B948CF29B2C394D84E4588C079EF6B5DF6D76D74FCFDBF4DD789510810743
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......A....L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y'.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y'.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y'...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............b.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.308487570628513
Encrypted:	false
SSDEEP:	48:XEdiBXUgdwrz5EdiBR6BdwtvEdiBRadwv1:XeZNZl
MD5:	B090DBAA0E63053109432C06F8C73C29
SHA1:	D13ED4F0C573D4769E307D017E70C06E87A4DC94
SHA-256:	A1A801A20BDFB5DD409715596C64546DE95F3C68870F6F01B06E58520896BD19
SHA-512:	3C2A941DF6536B6A5BF8237538FBF95525F5FBA03C31B3B70F7FD558785BF4CD512B948CF29B2C394D84E4588C079EF6B5DF6D76D74FCFDBF4DD789510810743
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......A....L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y'.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y'.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y'...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............b.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9IKSXKB4AAYQ8L7U83HN.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.308487570628513
Encrypted:	false
SSDEEP:	48:XEdiBXUgdwrz5EdiBR6BdwtvEdiBRadwv1:XeZNZl
MD5:	B090DBAA0E63053109432C06F8C73C29
SHA1:	D13ED4F0C573D4769E307D017E70C06E87A4DC94
SHA-256:	A1A801A20BDFB5DD409715596C64546DE95F3C68870F6F01B06E58520896BD19
SHA-512:	3C2A941DF6536B6A5BF8237538FBF95525F5FBA03C31B3B70F7FD558785BF4CD512B948CF29B2C394D84E4588C079EF6B5DF6D76D74FCFDBF4DD789510810743
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......A....L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y'.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y'.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y'...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............b.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925992240450901
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNs5l9Htu:8S+OVPUFRbOdwNIOdYpjvY1Q6L3tt8P
MD5:	5627EB5B0AFA94F3100B035D9898F5DE
SHA1:	92B577A71DD31A282C0D94D6C3918973C230B6F0
SHA-256:	FE4FF08AACE716F0DC14EB19CFF3F21A92D2D382242CF3E43EAE6FDBF7DBDD45
SHA-512:	F12DFFB4EF1B2D9A415299975492FE40856D831A675EDB5F5600F38D1E81E59509F00E930D624979552F533767D49D70ACDB681A67487CEAE9E2D09CE59AAD03
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925992240450901
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNs5l9Htu:8S+OVPUFRbOdwNIOdYpjvY1Q6L3tt8P
MD5:	5627EB5B0AFA94F3100B035D9898F5DE
SHA1:	92B577A71DD31A282C0D94D6C3918973C230B6F0
SHA-256:	FE4FF08AACE716F0DC14EB19CFF3F21A92D2D382242CF3E43EAE6FDBF7DBDD45
SHA-512:	F12DFFB4EF1B2D9A415299975492FE40856D831A675EDB5F5600F38D1E81E59509F00E930D624979552F533767D49D70ACDB681A67487CEAE9E2D09CE59AAD03
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	C1EAF0D8FD1746FE9AA22B9B4406AA3E
SHA1:	BB1DAF4824213D202DE7C22AAAB5415156269796
SHA-256:	09A8C2EDB6419EAB6B19C56FA79273844702460E5DCC5DF0498B14A4710F1FE6
SHA-512:	F0F4EF474E4A812DD06DD9533B09E02BF6B7AAC3CEA5060EE1680CC1BD785BABBF377AB71A2872747E6111AE736FADE38503B6258E41D4159F7045C457C9ECB6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhV6kad5JysgQo96lhV6kad5JysgQolt/ol8a9//Ylll4llqlyllel4lt:G7V6Td58sC9+V6Td58sCltQL9XIwlio
MD5:	D3EE65B893A2A2DB8629A557215C9E79
SHA1:	B9E329F5076AF7625F3516BF92E19C5F64E8350E
SHA-256:	D2C2605A0A27CABC490D8B2FF95E35CDC78B746EF5758D1CE774845A8874622D
SHA-512:	93E9E0D1DE1EE5F1818CB9CB7C7064A271986208712BA88440A21F9CB5B5611704A3F5C474C9F366436320EA2A75CDE5A74693E088EC1D92D38BAD985E321094
Malicious:	false
Preview:	..-.......................E... ..x...W......5M..-.......................E... ..x...W......5M........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13403805891264983
Encrypted:	false
SSDEEP:	24:KwofkZLxsZ+I2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2Zwls:XoMXQ52VJCXs4qLWeJa1VyiDZk
MD5:	C72BC3B4878EEB3F784DCA63EDFFCE3C
SHA1:	EB8D6F1511E6CF2E324807B6DC5D8E00C372723C
SHA-256:	4A15F0E01742206D0680CC4F5C967EB760F90B0D0318B76A97DA4D17BFD97670
SHA-512:	9C377F0F8F6FAB08AC7AE058D496DD3EAF4B759E08DB64575B9AFA95F95D05573F98F9B03C50663874AF4D08A1191698A68E44441ECDA834869A51C97F442D1E
Malicious:	false
Preview:	7....-............x...W.?................x...WU.3...V................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477302856034905
Encrypted:	false
SSDEEP:	192:LnPOeRnLYbBp6CJ0aX+N6SEXKBmNP1I5RHWNBw8du8Sl:LDeTJUUAiWHEws0
MD5:	71F5356692C9BE636C2B9C81C01D3C22
SHA1:	4FDF6D3C7708CDF3372263100C7124FCF4B32ADC
SHA-256:	43EA573AE7968DFC249656D2491A30516762DFB1DA8A1218C7593AD05A009858
SHA-512:	CC3700A19F3893098A201809A9CF812E697C0CDFB4D1B4164EC6ABCC1197D027739F953481B2FF76CED0E4825790ABDB527EB60B5268992CCDB9198819155405
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734029728);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734029728);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734029728);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173402

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477302856034905
Encrypted:	false
SSDEEP:	192:LnPOeRnLYbBp6CJ0aX+N6SEXKBmNP1I5RHWNBw8du8Sl:LDeTJUUAiWHEws0
MD5:	71F5356692C9BE636C2B9C81C01D3C22
SHA1:	4FDF6D3C7708CDF3372263100C7124FCF4B32ADC
SHA-256:	43EA573AE7968DFC249656D2491A30516762DFB1DA8A1218C7593AD05A009858
SHA-512:	CC3700A19F3893098A201809A9CF812E697C0CDFB4D1B4164EC6ABCC1197D027739F953481B2FF76CED0E4825790ABDB527EB60B5268992CCDB9198819155405
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734029728);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734029728);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734029728);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173402

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\c06ca1bd-7621-4eee-b24e-fc2910b5fd2b (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.946808635755364
Encrypted:	false
SSDEEP:	12:YZFgYWJKDyIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Y2aySlCOlZGV1AQIWZcy6ZXvx
MD5:	76441745FDF7E6297F55A2FAE18C1B21
SHA1:	89455DA532650AFCD9E2B2972D75C68FFC148228
SHA-256:	F3D776C8E8C8897F9F8224CE849DF5AC25A555256480DA625FBCE2BEC5D47585
SHA-512:	329F1602CE327EE4E63E029F868ED240150C321840DF11A69B760FB50392DEF28C86DC57340F64331800A6BE0E7291060A3F55C076E3CA178DAC87968A715390
Malicious:	false
Preview:	{"type":"health","id":"c06ca1bd-7621-4eee-b24e-fc2910b5fd2b","creationDate":"2024-12-12T18:55:59.927Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\c06ca1bd-7621-4eee-b24e-fc2910b5fd2b.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.946808635755364
Encrypted:	false
SSDEEP:	12:YZFgYWJKDyIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Y2aySlCOlZGV1AQIWZcy6ZXvx
MD5:	76441745FDF7E6297F55A2FAE18C1B21
SHA1:	89455DA532650AFCD9E2B2972D75C68FFC148228
SHA-256:	F3D776C8E8C8897F9F8224CE849DF5AC25A555256480DA625FBCE2BEC5D47585
SHA-512:	329F1602CE327EE4E63E029F868ED240150C321840DF11A69B760FB50392DEF28C86DC57340F64331800A6BE0E7291060A3F55C076E3CA178DAC87968A715390
Malicious:	false
Preview:	{"type":"health","id":"c06ca1bd-7621-4eee-b24e-fc2910b5fd2b","creationDate":"2024-12-12T18:55:59.927Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343766317246395
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZ80LXnIrM/pnxQwRcWT5sKmgb0q3eHVpjO+TLamhujJwO2c0TiVm8:GUpOxiJnRcoegf3erjxTL4Jwc3zBtP
MD5:	0DA07351D548C2C562DC77CDACFA17F7
SHA1:	CA1B59830F480E0FD524F3AE94A39B2E83CCD4E1
SHA-256:	7948ED52035F6ECBB9CE2277867049D8FB8CC1092C9266859B53093E92D42223
SHA-512:	0FFC888EE0ECEAB65A5BDBDB1413FD7CA77612E728D0CF35610879CE3E49E855B6A341105A9CE2782144C6D61FB63029C2AF5F4D57BE6B48E028182238096943
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{be3a5d10-09fc-4530-8266-d49a0de8795a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734029732892,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`698259...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...02478,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343766317246395
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZ80LXnIrM/pnxQwRcWT5sKmgb0q3eHVpjO+TLamhujJwO2c0TiVm8:GUpOxiJnRcoegf3erjxTL4Jwc3zBtP
MD5:	0DA07351D548C2C562DC77CDACFA17F7
SHA1:	CA1B59830F480E0FD524F3AE94A39B2E83CCD4E1
SHA-256:	7948ED52035F6ECBB9CE2277867049D8FB8CC1092C9266859B53093E92D42223
SHA-512:	0FFC888EE0ECEAB65A5BDBDB1413FD7CA77612E728D0CF35610879CE3E49E855B6A341105A9CE2782144C6D61FB63029C2AF5F4D57BE6B48E028182238096943
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{be3a5d10-09fc-4530-8266-d49a0de8795a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734029732892,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`698259...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...02478,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343766317246395
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZ80LXnIrM/pnxQwRcWT5sKmgb0q3eHVpjO+TLamhujJwO2c0TiVm8:GUpOxiJnRcoegf3erjxTL4Jwc3zBtP
MD5:	0DA07351D548C2C562DC77CDACFA17F7
SHA1:	CA1B59830F480E0FD524F3AE94A39B2E83CCD4E1
SHA-256:	7948ED52035F6ECBB9CE2277867049D8FB8CC1092C9266859B53093E92D42223
SHA-512:	0FFC888EE0ECEAB65A5BDBDB1413FD7CA77612E728D0CF35610879CE3E49E855B6A341105A9CE2782144C6D61FB63029C2AF5F4D57BE6B48E028182238096943
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{be3a5d10-09fc-4530-8266-d49a0de8795a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734029732892,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`698259...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...02478,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030561221390533
Encrypted:	false
SSDEEP:	96:ycY+MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:q3TEr5NX0z3DhRe
MD5:	2C53613A78B126F695B94D656EE07482
SHA1:	8E6B9E3F302377D0EA5CE70EEC43452564A4AD22
SHA-256:	6044E7844258DF914C3F8BA2D883DC732198B4604FB2770EF4EF6B652960E18D
SHA-512:	50EE3BC38466453AE6398142E844B4FECA3834DFCB7E8C2D54183F0EF7260C853A32B95886C2BDA02650FF4640D278F6EB08962BC9551E9AEFB69D367FBB4F01
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-12T18:55:07.893Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030561221390533
Encrypted:	false
SSDEEP:	96:ycY+MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:q3TEr5NX0z3DhRe
MD5:	2C53613A78B126F695B94D656EE07482
SHA1:	8E6B9E3F302377D0EA5CE70EEC43452564A4AD22
SHA-256:	6044E7844258DF914C3F8BA2D883DC732198B4604FB2770EF4EF6B652960E18D
SHA-512:	50EE3BC38466453AE6398142E844B4FECA3834DFCB7E8C2D54183F0EF7260C853A32B95886C2BDA02650FF4640D278F6EB08962BC9551E9AEFB69D367FBB4F01
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-12T18:55:07.893Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.701472131673575
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'728 bytes
MD5:	124221b530ca975f2847f8f37293111b
SHA1:	5e51ff04704116f685e51409df3f90fbc9b2a550
SHA256:	96112838ce17a15021afa6dad493c52fa89486c2a145d658966c6618093635e3
SHA512:	ef1be3caef75db15ae5d6d611c72f3d0bbaa859ff64bb0d1cce84e8fa82bbc8ad3a8b15aed97a7faf8628f2a65d9bf78fddd255352fdb459e4c4405b46f98aaf
SSDEEP:	24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8aRFLl:KTvC/MTQYxsWR7aRFL
TLSH:	5C259E0273D1C062FF9B92334B5AF6515BBC69260123E62F13A81DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B0E6A [Thu Dec 12 16:25:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F02F08BFC13h
jmp 00007F02F08BF51Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F02F08BF6FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F02F08BF6CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F02F08C22BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F02F08C2308h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F02F08C22F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16038	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16038	0x16200	e747e9d57588f214c5c82b19f5e35903	False	0.69775114759887	data	7.161985939168561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd1ba	data			1.0004842615012106
RT_GROUP_ICON	0xe9ab8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9b30	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9b44	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9b58	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9b6c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9c48	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:09:17.171376944 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:17.171427011 CET	443	49710	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:17.175682068 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:17.175965071 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:17.175981998 CET	443	49710	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:17.966300011 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:17.966355085 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:17.968184948 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:17.968184948 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:17.968226910 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:18.404442072 CET	443	49710	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:18.404601097 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:18.413095951 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:18.413095951 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:18.413127899 CET	443	49710	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:18.413428068 CET	443	49710	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:18.413480043 CET	49710	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:18.535212040 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:18.535254002 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:18.538444042 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:18.540347099 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:18.540364027 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:18.584319115 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:18.704719067 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:18.705193043 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:18.705193043 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:18.825417995 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:19.003381014 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.003456116 CET	443	49715	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:19.007380009 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.007425070 CET	443	49716	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:19.009854078 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.011250973 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.011259079 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.011269093 CET	443	49715	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:19.012599945 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:19.012636900 CET	443	49716	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:19.145896912 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:19.146030903 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:19.146132946 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:19.146311045 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:19.146334887 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:19.418159008 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:19.418200016 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:19.418358088 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:19.418535948 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:19.418545961 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:19.667287111 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:19.667407990 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:19.668143034 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:19.668808937 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:19.673031092 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:19.673048019 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:19.673161030 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:19.673270941 CET	443	49711	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:19.673804045 CET	49711	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:19.792084932 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:19.906126976 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.180699110 CET	49719	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.234977007 CET	443	49715	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.235951900 CET	443	49716	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.238389969 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.238399982 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.242361069 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.244889021 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.246445894 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.246460915 CET	443	49715	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.246541977 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.246714115 CET	443	49715	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.249345064 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.249368906 CET	443	49716	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.249397993 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.249543905 CET	443	49716	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.253905058 CET	49715	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.254019022 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.254040003 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.260442019 CET	49716	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.264139891 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.264139891 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.264167070 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.264405966 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.264446020 CET	443	49712	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.264483929 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.264630079 CET	49712	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.264631033 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.265819073 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:20.265857935 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:20.279680014 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.279735088 CET	443	49721	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.285206079 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.286555052 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:20.286571980 CET	443	49721	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:20.300642014 CET	80	49719	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.305910110 CET	49719	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.306328058 CET	49719	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.365962982 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.366938114 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.382689953 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.382752895 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.382802963 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.382989883 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.386410952 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.386495113 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.386560917 CET	443	49717	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.393378973 CET	49717	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.468724966 CET	80	49719	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.502844095 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.605479956 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:20.605566978 CET	443	49723	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:20.606488943 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:20.607989073 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:20.608028889 CET	443	49723	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:20.635184050 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:20.638851881 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.642399073 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.642436981 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:20.642672062 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:20.644520044 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.644520044 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.644680977 CET	443	49718	34.160.144.191	192.168.2.5
Dec 12, 2024 18:09:20.648394108 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.648394108 CET	49718	443	192.168.2.5	34.160.144.191
Dec 12, 2024 18:09:20.697590113 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.698762894 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.698812962 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.699485064 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.699768066 CET	49719	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.700625896 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.723320007 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:20.723361969 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:20.732867002 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:20.732966900 CET	443	49725	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:20.733192921 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:20.734555960 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:20.734594107 CET	443	49725	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:20.772949934 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:20.772996902 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:20.783956051 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:20.787837982 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:20.787853956 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:20.822474957 CET	80	49713	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.828660011 CET	49713	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.837205887 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.862994909 CET	80	49719	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.957063913 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:20.961366892 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:20.961622000 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:21.081594944 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:21.206305981 CET	80	49719	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:21.206491947 CET	49719	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:21.548960924 CET	443	49721	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:21.549046040 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:21.553956985 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:21.553988934 CET	443	49721	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:21.554083109 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:21.554311991 CET	443	49721	34.117.188.166	192.168.2.5
Dec 12, 2024 18:09:21.557094097 CET	49721	443	192.168.2.5	34.117.188.166
Dec 12, 2024 18:09:21.559971094 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:21.680017948 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:21.680114985 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:21.680361032 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:21.800158978 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:21.830157995 CET	443	49723	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.830261946 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.834017038 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.834053040 CET	443	49723	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.834119081 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.834202051 CET	443	49723	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.835154057 CET	49723	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.943541050 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:21.943952084 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:21.946461916 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:21.946475029 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:21.946835041 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:21.949403048 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:21.949487925 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:21.950023890 CET	443	49724	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:21.950881958 CET	49724	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:21.955617905 CET	443	49725	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:21.955739975 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:21.960056067 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:21.960114002 CET	443	49725	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:21.960161924 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:21.960304022 CET	443	49725	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:21.960872889 CET	49725	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:21.975442886 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.975493908 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.976022959 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.976151943 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.976166010 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.978250027 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.978295088 CET	443	49731	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.978368044 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.978413105 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.978703976 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.979707003 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.980009079 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.980024099 CET	443	49731	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:21.980247021 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:21.980266094 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:22.011583090 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:22.011600018 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:22.011703968 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:22.015461922 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:22.015476942 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:22.015556097 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:22.015633106 CET	443	49726	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:22.016037941 CET	49726	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:22.019601107 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:22.019711971 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:22.020215034 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:22.020602942 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:22.034084082 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:22.034132957 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:22.034205914 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:22.034409046 CET	443	49720	142.250.181.110	192.168.2.5
Dec 12, 2024 18:09:22.034463882 CET	49720	443	192.168.2.5	142.250.181.110
Dec 12, 2024 18:09:22.058037996 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:22.112147093 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:22.774929047 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:22.831731081 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:22.847704887 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:22.967636108 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:23.164643049 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:23.194463015 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.194535971 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.197118044 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.197128057 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.197927952 CET	443	49731	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.197989941 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.198148012 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.200043917 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.200175047 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.200251102 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.200367928 CET	443	49730	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.200464964 CET	49730	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.200505972 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.202424049 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.202451944 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.202825069 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.203027010 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.203042984 CET	443	49731	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.203092098 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.203205109 CET	443	49731	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.203480959 CET	49731	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.204683065 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.204746962 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.204881907 CET	443	49732	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:23.204941034 CET	49732	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:23.206732988 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:25.639305115 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:25.641786098 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:25.641838074 CET	443	49734	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:25.642045021 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:25.643332958 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:25.643357992 CET	443	49734	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:25.765770912 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:25.965051889 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:26.015291929 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:26.865497112 CET	443	49734	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:26.865592003 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:26.869323015 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:26.869337082 CET	443	49734	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:26.869430065 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:26.869508028 CET	443	49734	34.120.208.123	192.168.2.5
Dec 12, 2024 18:09:26.869584084 CET	49734	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:09:29.504580975 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:29.626738071 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:29.661809921 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:29.782459021 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:29.822530985 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:29.872751951 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:29.979823112 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:30.019915104 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:30.759109974 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:30.759211063 CET	443	49739	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:30.759783030 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:30.761149883 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:30.761179924 CET	443	49739	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:30.796883106 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:30.918061018 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:31.113053083 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:31.160938978 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:31.985940933 CET	443	49739	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:31.986032009 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:32.521888018 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:32.521936893 CET	443	49739	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:32.521960974 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:32.522511005 CET	443	49739	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:32.522685051 CET	49739	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:32.609435081 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:32.730225086 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:32.925484896 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:32.966279030 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:33.319473028 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:33.439786911 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:33.634918928 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:33.683983088 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:42.661633015 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:42.661696911 CET	443	49767	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:42.661854029 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:42.663280010 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:42.663291931 CET	443	49767	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:42.941322088 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:43.061387062 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:43.643423080 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:43.763420105 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:43.876744032 CET	443	49767	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:43.876972914 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:43.881917953 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:43.881937981 CET	443	49767	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:43.881966114 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:43.882188082 CET	443	49767	34.107.243.93	192.168.2.5
Dec 12, 2024 18:09:43.882977009 CET	49767	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:09:43.885358095 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:44.008033991 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:44.209680080 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:44.214135885 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:44.260818958 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:44.335633039 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:44.538587093 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:44.592977047 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:45.961461067 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:45.961519003 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:45.965972900 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:45.966248035 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:45.966260910 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:45.990621090 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:45.990673065 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:45.990864992 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:45.991041899 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:45.991055965 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:46.019864082 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:46.019906998 CET	443	49779	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:46.025172949 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:46.027252913 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:46.027293921 CET	443	49779	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:46.227530003 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:46.227570057 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:46.228044987 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:46.228159904 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:46.228167057 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:46.348320007 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:46.348370075 CET	443	49781	35.201.103.21	192.168.2.5
Dec 12, 2024 18:09:46.348938942 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:46.350991011 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:46.351011992 CET	443	49781	35.201.103.21	192.168.2.5
Dec 12, 2024 18:09:47.191057920 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.194418907 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.198494911 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.198514938 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.198940992 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.201745987 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.201833010 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.202413082 CET	443	49777	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.204210997 CET	49777	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.205718994 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.215286016 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.215389013 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.219749928 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.219762087 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.220088959 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.222786903 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.222917080 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.222974062 CET	443	49778	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.223123074 CET	49778	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.247348070 CET	443	49779	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:47.247433901 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:47.251791000 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:47.251799107 CET	443	49779	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:47.251882076 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:47.252094984 CET	443	49779	35.190.72.216	192.168.2.5
Dec 12, 2024 18:09:47.252703905 CET	49779	443	192.168.2.5	35.190.72.216
Dec 12, 2024 18:09:47.325495005 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.452348948 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:47.452450991 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:47.456876993 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:47.456907034 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:47.457233906 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:47.459960938 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:47.460078001 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:47.460128069 CET	443	49780	151.101.1.91	192.168.2.5
Dec 12, 2024 18:09:47.464229107 CET	49780	443	192.168.2.5	151.101.1.91
Dec 12, 2024 18:09:47.468647957 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.468693972 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.470053911 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.470096111 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.470360041 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.470366955 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.470843077 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.470855951 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.471101046 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.471116066 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.473712921 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.473721027 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.473849058 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.473973989 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:47.473987103 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:47.520797014 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.523638010 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.570921898 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.607081890 CET	443	49781	35.201.103.21	192.168.2.5
Dec 12, 2024 18:09:47.607180119 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:47.612723112 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:47.612756968 CET	443	49781	35.201.103.21	192.168.2.5
Dec 12, 2024 18:09:47.612862110 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:47.612890005 CET	443	49781	35.201.103.21	192.168.2.5
Dec 12, 2024 18:09:47.613106966 CET	49781	443	192.168.2.5	35.201.103.21
Dec 12, 2024 18:09:47.616311073 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.627484083 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.627526999 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.627612114 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.627748013 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:47.627758026 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:47.643969059 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.736273050 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.839088917 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.887443066 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.932017088 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:47.935703039 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:47.972090006 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:48.057719946 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:48.252933025 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:48.304138899 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:48.683458090 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.683540106 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.684354067 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.684444904 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.686747074 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.686769962 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.686996937 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.689091921 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.689104080 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.689413071 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.690001965 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.690200090 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.692598104 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.692604065 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.692833900 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.696264982 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.696281910 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.696449995 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.696511030 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.696607113 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.696614027 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.696675062 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.696685076 CET	443	49785	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.696997881 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.697040081 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.697146893 CET	443	49787	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.702080011 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:48.702941895 CET	49787	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.702958107 CET	49785	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:48.822479010 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:48.840131044 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:48.840318918 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:48.843539000 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:48.843569994 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:48.843826056 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:48.846240044 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:48.846328020 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:48.846379042 CET	443	49789	34.149.100.209	192.168.2.5
Dec 12, 2024 18:09:48.846482992 CET	49789	443	192.168.2.5	34.149.100.209
Dec 12, 2024 18:09:48.903371096 CET	443	49786	35.244.181.201	192.168.2.5
Dec 12, 2024 18:09:48.903450012 CET	49786	443	192.168.2.5	35.244.181.201
Dec 12, 2024 18:09:49.017535925 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:49.020775080 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:49.059719086 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:49.140784979 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:49.335843086 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:49.376138926 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:59.031111002 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:59.151328087 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:09:59.347594976 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:09:59.467726946 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:03.950191021 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:03.950288057 CET	443	49827	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:03.950402975 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:03.952361107 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:03.952393055 CET	443	49827	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:05.178746939 CET	443	49827	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:05.179039001 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:05.184783936 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:05.184808969 CET	443	49827	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:05.184847116 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:05.185040951 CET	443	49827	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:05.185094118 CET	49827	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:05.188210011 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:05.308003902 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:05.505326986 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:05.508761883 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:05.549438953 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:05.628784895 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:05.827961922 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:05.887934923 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:15.521596909 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:15.642101049 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:15.828399897 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:15.948944092 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:16.409704924 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.409753084 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:16.409951925 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.409960985 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:16.415566921 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.415566921 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.415618896 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.415627003 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:16.415738106 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:16.415745974 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.635978937 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.636085033 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.638895988 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.638981104 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.639234066 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.639260054 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.639677048 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.641355991 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.641366959 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.642127037 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.644414902 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.644530058 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.644620895 CET	443	49856	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.644731998 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.644782066 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.644937992 CET	49856	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.645137072 CET	443	49855	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.645211935 CET	49855	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.651812077 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:17.654691935 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.654772043 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.658839941 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.659622908 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.659651041 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.661154032 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.661221981 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.661837101 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.661942005 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.661976099 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.663583040 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.663621902 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.663846016 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.663943052 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:17.663959026 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:17.771949053 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:17.972687960 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:17.976345062 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:18.012923956 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:18.096292019 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:18.291716099 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:18.345046997 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:18.877542973 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.877549887 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.877661943 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.877994061 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.879616022 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.879683018 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.880181074 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.880184889 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.880409956 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.882154942 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.882184029 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.882533073 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.885171890 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.885184050 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.885531902 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.888843060 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.888983011 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.889110088 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.889113903 CET	443	49861	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.889676094 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.889759064 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.890064001 CET	443	49859	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.890201092 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.890290022 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.890536070 CET	443	49860	34.120.208.123	192.168.2.5
Dec 12, 2024 18:10:18.890743971 CET	49860	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.890750885 CET	49859	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.890757084 CET	49861	443	192.168.2.5	34.120.208.123
Dec 12, 2024 18:10:18.892460108 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:19.012187958 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:19.214457035 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:19.217169046 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:19.263328075 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:19.337647915 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:19.533149958 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:19.579886913 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:24.496567011 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:24.616697073 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:24.811517000 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:24.815367937 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:24.854871988 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:24.935180902 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:25.130619049 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:25.171691895 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:34.812263966 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:34.935235977 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:35.135356903 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:35.260150909 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:44.941567898 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:45.064790010 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:45.264308929 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:45.388613939 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:45.808584929 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:45.808644056 CET	443	49929	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:45.809045076 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:45.810568094 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:45.810587883 CET	443	49929	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:47.036537886 CET	443	49929	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:47.036663055 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:47.042589903 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:47.042601109 CET	443	49929	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:47.042716980 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:47.042850971 CET	443	49929	34.107.243.93	192.168.2.5
Dec 12, 2024 18:10:47.043620110 CET	49929	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:10:47.045743942 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:47.165668011 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:47.361512899 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:47.364881992 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:47.402337074 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:47.484777927 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:47.679779053 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:47.733889103 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:57.361613035 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:57.482323885 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:10:57.700508118 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:10:57.820938110 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:07.505821943 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:07.627888918 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:07.828948021 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:07.949549913 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:17.635365009 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:17.756324053 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:17.958266020 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:18.078705072 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:27.763962984 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:27.885220051 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:28.080573082 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:28.200928926 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:37.893120050 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:38.013597965 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:38.209616899 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:38.329726934 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:48.022291899 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:48.142149925 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:48.338681936 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:48.458702087 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:58.150188923 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:58.270195007 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:11:58.466571093 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:11:58.586539030 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:07.489022970 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:07.489074945 CET	443	50027	34.107.243.93	192.168.2.5
Dec 12, 2024 18:12:07.489155054 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:07.490639925 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:07.490669012 CET	443	50027	34.107.243.93	192.168.2.5
Dec 12, 2024 18:12:08.280335903 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:08.400521040 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:08.596714973 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:08.717107058 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:08.717890024 CET	443	50027	34.107.243.93	192.168.2.5
Dec 12, 2024 18:12:08.717967987 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:08.723650932 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:08.723685026 CET	443	50027	34.107.243.93	192.168.2.5
Dec 12, 2024 18:12:08.723741055 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:08.723963976 CET	443	50027	34.107.243.93	192.168.2.5
Dec 12, 2024 18:12:08.726944923 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:08.727814913 CET	50027	443	192.168.2.5	34.107.243.93
Dec 12, 2024 18:12:08.847673893 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:09.043173075 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:09.046473026 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:09.097768068 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:09.166959047 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:09.362040997 CET	80	49727	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:09.414148092 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:19.057708979 CET	49729	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:19.177540064 CET	80	49729	34.107.221.82	192.168.2.5
Dec 12, 2024 18:12:19.374187946 CET	49727	80	192.168.2.5	34.107.221.82
Dec 12, 2024 18:12:19.494123936 CET	80	49727	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:09:17.171499968 CET	56816	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:17.315603971 CET	53	56816	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:17.387388945 CET	63532	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:17.527864933 CET	53	63532	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:17.801453114 CET	62570	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:17.939311981 CET	53	62570	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:17.966710091 CET	59250	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.105065107 CET	53	59250	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:18.109812021 CET	50989	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.248229027 CET	53	50989	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:18.445410967 CET	63548	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.585342884 CET	63087	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.723635912 CET	53	63087	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:18.724663973 CET	49262	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.725343943 CET	58180	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.737185955 CET	64055	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:18.869925022 CET	53	49262	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:18.869976044 CET	53	58180	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:18.891546011 CET	53	64055	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.008328915 CET	55333	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.008583069 CET	53383	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.145896912 CET	60175	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.146193027 CET	53	53383	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.146841049 CET	53	55333	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.147109985 CET	64552	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.147599936 CET	56794	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.279454947 CET	62480	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.284425974 CET	53	60175	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.284656048 CET	53	56794	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.285052061 CET	53	64552	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.285993099 CET	53802	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.416443110 CET	53	62480	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.418207884 CET	64321	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.423347950 CET	53	53802	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.555425882 CET	53	64321	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.556556940 CET	62431	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.697994947 CET	53	62431	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.811559916 CET	60184	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.813533068 CET	61757	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:19.952217102 CET	53	60184	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:19.954962969 CET	53	61757	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.040787935 CET	56162	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.196356058 CET	58436	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.274173975 CET	49446	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.439034939 CET	53	49446	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.448076010 CET	60911	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.546211004 CET	61008	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.585916042 CET	53	60911	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.586918116 CET	51575	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.620944977 CET	54056	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.684814930 CET	53	61008	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.724756002 CET	53	51575	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.758157969 CET	53	54056	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.789136887 CET	57894	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.837759018 CET	64635	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.926323891 CET	53	57894	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.927472115 CET	58966	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:20.944998980 CET	53	52909	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:20.974997044 CET	53	64635	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:21.065541983 CET	53	58966	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.612704039 CET	63166	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.612970114 CET	53100	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.613204002 CET	62304	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.757344961 CET	53	53100	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.758526087 CET	51262	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.759120941 CET	53	62304	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.759879112 CET	52601	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.760832071 CET	53	63166	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.761441946 CET	62407	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.897559881 CET	53	51262	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.898411036 CET	61030	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.898425102 CET	53	52601	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.899033070 CET	51656	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:25.910408020 CET	53	62407	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:25.911211014 CET	52223	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.036464930 CET	53	61030	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.037544012 CET	51334	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.039364100 CET	53	51656	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.040067911 CET	57896	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.175966978 CET	53	51334	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.176932096 CET	58976	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.178127050 CET	53	57896	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.178827047 CET	54207	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.254743099 CET	53	52223	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.255609035 CET	64009	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.316402912 CET	53	54207	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.317426920 CET	53	58976	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.332674026 CET	59967	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.335803986 CET	50431	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.393601894 CET	53	64009	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.395813942 CET	53918	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.472862959 CET	53	50431	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.475044012 CET	50257	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.533411026 CET	53	53918	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.534534931 CET	58100	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:26.549180031 CET	53	59967	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.612735987 CET	53	50257	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:26.672214031 CET	53	58100	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:30.763916969 CET	49799	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:30.905616999 CET	53	49799	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:42.662201881 CET	59261	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:42.799772024 CET	53	59261	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:45.961958885 CET	53351	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:45.986594915 CET	65086	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.021876097 CET	51523	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.099647999 CET	53	53351	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.226517916 CET	53	65086	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.228115082 CET	53803	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.347218037 CET	53	51523	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.348872900 CET	57638	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.372539043 CET	53	53803	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.373449087 CET	56142	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.493187904 CET	53	57638	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.493942022 CET	57864	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:09:46.605612040 CET	53	56142	1.1.1.1	192.168.2.5
Dec 12, 2024 18:09:46.634056091 CET	53	57864	1.1.1.1	192.168.2.5
Dec 12, 2024 18:10:03.950011015 CET	56071	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:10:04.087353945 CET	53	56071	1.1.1.1	192.168.2.5
Dec 12, 2024 18:10:05.189174891 CET	56694	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:10:16.414813042 CET	64100	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:10:16.551903009 CET	53	64100	1.1.1.1	192.168.2.5
Dec 12, 2024 18:10:45.669483900 CET	58930	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:10:45.807385921 CET	53	58930	1.1.1.1	192.168.2.5
Dec 12, 2024 18:10:45.809111118 CET	58412	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:10:45.946849108 CET	53	58412	1.1.1.1	192.168.2.5
Dec 12, 2024 18:12:07.195554972 CET	55382	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:12:07.348747015 CET	53	55382	1.1.1.1	192.168.2.5
Dec 12, 2024 18:12:07.350208998 CET	51530	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:12:07.487674952 CET	53	51530	1.1.1.1	192.168.2.5
Dec 12, 2024 18:12:07.488903046 CET	55229	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:12:07.650652885 CET	53	55229	1.1.1.1	192.168.2.5
Dec 12, 2024 18:12:08.727720976 CET	63671	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:12:08.868341923 CET	50311	53	192.168.2.5	1.1.1.1
Dec 12, 2024 18:12:09.008649111 CET	53	50311	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 18:09:17.171499968 CET	192.168.2.5	1.1.1.1	0xe475	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:17.387388945 CET	192.168.2.5	1.1.1.1	0x330e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:17.801453114 CET	192.168.2.5	1.1.1.1	0xbd0f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:17.966710091 CET	192.168.2.5	1.1.1.1	0x8563	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.109812021 CET	192.168.2.5	1.1.1.1	0x27d9	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:18.445410967 CET	192.168.2.5	1.1.1.1	0xd447	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.585342884 CET	192.168.2.5	1.1.1.1	0x81c3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.724663973 CET	192.168.2.5	1.1.1.1	0x376a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:18.725343943 CET	192.168.2.5	1.1.1.1	0x1a6a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.737185955 CET	192.168.2.5	1.1.1.1	0x6464	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.008328915 CET	192.168.2.5	1.1.1.1	0xc725	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.008583069 CET	192.168.2.5	1.1.1.1	0x1d95	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.145896912 CET	192.168.2.5	1.1.1.1	0x831	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.147109985 CET	192.168.2.5	1.1.1.1	0x3f24	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:19.147599936 CET	192.168.2.5	1.1.1.1	0x9c4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:19.279454947 CET	192.168.2.5	1.1.1.1	0x14f4	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.285993099 CET	192.168.2.5	1.1.1.1	0x4331	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:19.418207884 CET	192.168.2.5	1.1.1.1	0xcca0	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.556556940 CET	192.168.2.5	1.1.1.1	0x8652	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:19.811559916 CET	192.168.2.5	1.1.1.1	0xa3b2	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.813533068 CET	192.168.2.5	1.1.1.1	0xece	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.040787935 CET	192.168.2.5	1.1.1.1	0x5648	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.196356058 CET	192.168.2.5	1.1.1.1	0xfe46	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.274173975 CET	192.168.2.5	1.1.1.1	0xb939	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.448076010 CET	192.168.2.5	1.1.1.1	0xb8b8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.546211004 CET	192.168.2.5	1.1.1.1	0x992e	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.586918116 CET	192.168.2.5	1.1.1.1	0x6211	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:20.620944977 CET	192.168.2.5	1.1.1.1	0xa758	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.789136887 CET	192.168.2.5	1.1.1.1	0x5690	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.837759018 CET	192.168.2.5	1.1.1.1	0x75b1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:20.927472115 CET	192.168.2.5	1.1.1.1	0x84cc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:25.612704039 CET	192.168.2.5	1.1.1.1	0x2cd3	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.612970114 CET	192.168.2.5	1.1.1.1	0xcc53	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.613204002 CET	192.168.2.5	1.1.1.1	0xa344	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.758526087 CET	192.168.2.5	1.1.1.1	0x2291	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.759879112 CET	192.168.2.5	1.1.1.1	0x9418	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.761441946 CET	192.168.2.5	1.1.1.1	0xeda1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.898411036 CET	192.168.2.5	1.1.1.1	0x33d7	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:25.899033070 CET	192.168.2.5	1.1.1.1	0xf529	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:25.911211014 CET	192.168.2.5	1.1.1.1	0x7831	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:26.037544012 CET	192.168.2.5	1.1.1.1	0x2883	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.040067911 CET	192.168.2.5	1.1.1.1	0x10d6	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.176932096 CET	192.168.2.5	1.1.1.1	0x36f1	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178827047 CET	192.168.2.5	1.1.1.1	0x179c	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.255609035 CET	192.168.2.5	1.1.1.1	0x459b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.332674026 CET	192.168.2.5	1.1.1.1	0x203b	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:26.335803986 CET	192.168.2.5	1.1.1.1	0x5f59	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 12, 2024 18:09:26.395813942 CET	192.168.2.5	1.1.1.1	0xca10	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.475044012 CET	192.168.2.5	1.1.1.1	0x2707	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:26.534534931 CET	192.168.2.5	1.1.1.1	0x909c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:30.763916969 CET	192.168.2.5	1.1.1.1	0xbf7d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:42.662201881 CET	192.168.2.5	1.1.1.1	0x7a51	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:09:45.961958885 CET	192.168.2.5	1.1.1.1	0x59c9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 12, 2024 18:09:45.986594915 CET	192.168.2.5	1.1.1.1	0x456b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.021876097 CET	192.168.2.5	1.1.1.1	0x285c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.228115082 CET	192.168.2.5	1.1.1.1	0x70d0	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.348872900 CET	192.168.2.5	1.1.1.1	0x4dca	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.373449087 CET	192.168.2.5	1.1.1.1	0x9521	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 12, 2024 18:09:46.493942022 CET	192.168.2.5	1.1.1.1	0xb2ed	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:10:03.950011015 CET	192.168.2.5	1.1.1.1	0x5579	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:10:05.189174891 CET	192.168.2.5	1.1.1.1	0xd73b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:10:16.414813042 CET	192.168.2.5	1.1.1.1	0x8f14	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:10:45.669483900 CET	192.168.2.5	1.1.1.1	0xfca6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:10:45.809111118 CET	192.168.2.5	1.1.1.1	0xac83	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:12:07.195554972 CET	192.168.2.5	1.1.1.1	0x53a6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:07.350208998 CET	192.168.2.5	1.1.1.1	0x6cff	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:07.488903046 CET	192.168.2.5	1.1.1.1	0xe7a5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 12, 2024 18:12:08.727720976 CET	192.168.2.5	1.1.1.1	0x62ab	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:08.868341923 CET	192.168.2.5	1.1.1.1	0x20ba	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 18:09:17.168664932 CET	1.1.1.1	192.168.2.5	0xad46	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:17.315603971 CET	1.1.1.1	192.168.2.5	0xe475	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:17.939311981 CET	1.1.1.1	192.168.2.5	0xbd0f	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.105065107 CET	1.1.1.1	192.168.2.5	0x8563	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.248229027 CET	1.1.1.1	192.168.2.5	0x27d9	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:18.583226919 CET	1.1.1.1	192.168.2.5	0xd447	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:18.583226919 CET	1.1.1.1	192.168.2.5	0xd447	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.723635912 CET	1.1.1.1	192.168.2.5	0x81c3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.869925022 CET	1.1.1.1	192.168.2.5	0x376a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 12, 2024 18:09:18.869976044 CET	1.1.1.1	192.168.2.5	0x1a6a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:18.891546011 CET	1.1.1.1	192.168.2.5	0x6464	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:18.891546011 CET	1.1.1.1	192.168.2.5	0x6464	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.144608974 CET	1.1.1.1	192.168.2.5	0x2c6	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:19.144608974 CET	1.1.1.1	192.168.2.5	0x2c6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.146193027 CET	1.1.1.1	192.168.2.5	0x1d95	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.146841049 CET	1.1.1.1	192.168.2.5	0xc725	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.284425974 CET	1.1.1.1	192.168.2.5	0x831	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.416443110 CET	1.1.1.1	192.168.2.5	0x14f4	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:19.416443110 CET	1.1.1.1	192.168.2.5	0x14f4	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:19.416443110 CET	1.1.1.1	192.168.2.5	0x14f4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.555425882 CET	1.1.1.1	192.168.2.5	0xcca0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.697994947 CET	1.1.1.1	192.168.2.5	0x8652	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 12, 2024 18:09:19.952217102 CET	1.1.1.1	192.168.2.5	0xa3b2	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.954962969 CET	1.1.1.1	192.168.2.5	0xece	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:19.954962969 CET	1.1.1.1	192.168.2.5	0xece	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.179253101 CET	1.1.1.1	192.168.2.5	0x5648	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:20.179253101 CET	1.1.1.1	192.168.2.5	0x5648	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.436733961 CET	1.1.1.1	192.168.2.5	0xfe46	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:20.439034939 CET	1.1.1.1	192.168.2.5	0xb939	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.585916042 CET	1.1.1.1	192.168.2.5	0xb8b8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.603423119 CET	1.1.1.1	192.168.2.5	0x2cf1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.659375906 CET	1.1.1.1	192.168.2.5	0xb311	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:20.659375906 CET	1.1.1.1	192.168.2.5	0xb311	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.684814930 CET	1.1.1.1	192.168.2.5	0x992e	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:20.684814930 CET	1.1.1.1	192.168.2.5	0x992e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.758157969 CET	1.1.1.1	192.168.2.5	0xa758	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:20.926323891 CET	1.1.1.1	192.168.2.5	0x5690	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:21.976308107 CET	1.1.1.1	192.168.2.5	0x3ce6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.757344961 CET	1.1.1.1	192.168.2.5	0xcc53	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.759120941 CET	1.1.1.1	192.168.2.5	0xa344	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:25.759120941 CET	1.1.1.1	192.168.2.5	0xa344	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.760832071 CET	1.1.1.1	192.168.2.5	0x2cd3	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:25.760832071 CET	1.1.1.1	192.168.2.5	0x2cd3	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:25.760832071 CET	1.1.1.1	192.168.2.5	0x2cd3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.897559881 CET	1.1.1.1	192.168.2.5	0x2291	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.898425102 CET	1.1.1.1	192.168.2.5	0x9418	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:25.910408020 CET	1.1.1.1	192.168.2.5	0xeda1	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.036464930 CET	1.1.1.1	192.168.2.5	0x33d7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.036464930 CET	1.1.1.1	192.168.2.5	0x33d7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.036464930 CET	1.1.1.1	192.168.2.5	0x33d7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.036464930 CET	1.1.1.1	192.168.2.5	0x33d7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.039364100 CET	1.1.1.1	192.168.2.5	0xf529	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.175966978 CET	1.1.1.1	192.168.2.5	0x2883	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:26.175966978 CET	1.1.1.1	192.168.2.5	0x2883	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178127050 CET	1.1.1.1	192.168.2.5	0x10d6	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178127050 CET	1.1.1.1	192.168.2.5	0x10d6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178127050 CET	1.1.1.1	192.168.2.5	0x10d6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178127050 CET	1.1.1.1	192.168.2.5	0x10d6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.178127050 CET	1.1.1.1	192.168.2.5	0x10d6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.316402912 CET	1.1.1.1	192.168.2.5	0x179c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.316402912 CET	1.1.1.1	192.168.2.5	0x179c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.316402912 CET	1.1.1.1	192.168.2.5	0x179c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.316402912 CET	1.1.1.1	192.168.2.5	0x179c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.317426920 CET	1.1.1.1	192.168.2.5	0x36f1	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.393601894 CET	1.1.1.1	192.168.2.5	0x459b	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:26.472862959 CET	1.1.1.1	192.168.2.5	0x5f59	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 12, 2024 18:09:26.533411026 CET	1.1.1.1	192.168.2.5	0xca10	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.226517916 CET	1.1.1.1	192.168.2.5	0x456b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.226517916 CET	1.1.1.1	192.168.2.5	0x456b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.226517916 CET	1.1.1.1	192.168.2.5	0x456b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.226517916 CET	1.1.1.1	192.168.2.5	0x456b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.347218037 CET	1.1.1.1	192.168.2.5	0x285c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:46.347218037 CET	1.1.1.1	192.168.2.5	0x285c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.372539043 CET	1.1.1.1	192.168.2.5	0x70d0	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.372539043 CET	1.1.1.1	192.168.2.5	0x70d0	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.372539043 CET	1.1.1.1	192.168.2.5	0x70d0	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.372539043 CET	1.1.1.1	192.168.2.5	0x70d0	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.493187904 CET	1.1.1.1	192.168.2.5	0x4dca	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:09:46.605612040 CET	1.1.1.1	192.168.2.5	0x9521	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 12, 2024 18:09:46.605612040 CET	1.1.1.1	192.168.2.5	0x9521	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 12, 2024 18:09:46.605612040 CET	1.1.1.1	192.168.2.5	0x9521	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 12, 2024 18:09:46.605612040 CET	1.1.1.1	192.168.2.5	0x9521	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 12, 2024 18:09:49.476141930 CET	1.1.1.1	192.168.2.5	0xf406	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:09:49.476141930 CET	1.1.1.1	192.168.2.5	0xf406	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:10:05.327542067 CET	1.1.1.1	192.168.2.5	0xd73b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:10:05.327542067 CET	1.1.1.1	192.168.2.5	0xd73b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:10:16.408102036 CET	1.1.1.1	192.168.2.5	0xa325	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:10:45.807385921 CET	1.1.1.1	192.168.2.5	0xfca6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:07.348747015 CET	1.1.1.1	192.168.2.5	0x53a6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:07.487674952 CET	1.1.1.1	192.168.2.5	0x6cff	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:08.866189957 CET	1.1.1.1	192.168.2.5	0x62ab	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:12:08.866189957 CET	1.1.1.1	192.168.2.5	0x62ab	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:12:09.008649111 CET	1.1.1.1	192.168.2.5	0x20ba	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	4068	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 18:09:18.705193043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:19.792084932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80001 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:20.382802963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:20.697590113 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80002 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	4068	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 18:09:20.306328058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49727	34.107.221.82	80	4068	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 18:09:20.961622000 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:22.058037996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25253 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:22.847704887 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:23.164643049 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25255 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:29.504580975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:29.822530985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25261 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:30.796883106 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:31.113053083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25262 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:33.319473028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:33.634918928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25265 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:43.643423080 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:09:44.214135885 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:44.538587093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:47.523638010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:47.839088917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25279 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:47.935703039 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:48.252933025 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25280 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:49.020775080 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:09:49.335843086 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25281 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:09:59.347594976 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:05.508761883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:10:05.827961922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25297 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:10:15.828399897 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:17.976345062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:10:18.291716099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25310 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:10:19.217169046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:10:19.533149958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:10:24.815367937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:10:25.130619049 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25316 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:10:35.135356903 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:45.264308929 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:47.364881992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:10:47.679779053 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25339 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 12, 2024 18:10:57.700508118 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:07.828948021 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:17.958266020 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:28.080573082 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:38.209616899 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:12:09.046473026 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 12, 2024 18:12:09.362040997 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 25421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49729	34.107.221.82	80	4068	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 18:09:21.680361032 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:22.774929047 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80004 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:25.639305115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:25.965051889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80007 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:29.661809921 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:29.979823112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80011 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:32.609435081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:32.925484896 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80014 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:42.941322088 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:09:43.885358095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:44.209680080 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80026 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:47.205718994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:47.520797014 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80029 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:47.616311073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:47.932017088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80029 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:48.702080011 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:09:49.017535925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80030 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:09:59.031111002 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:05.188210011 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:10:05.505326986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80047 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:10:15.521596909 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:17.651812077 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:10:17.972687960 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80059 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:10:18.892460108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:10:19.214457035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80061 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:10:24.496567011 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:10:24.811517000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80066 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:10:34.812263966 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:44.941567898 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:10:47.045743942 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:10:47.361512899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80089 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 12, 2024 18:10:57.361613035 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:07.505821943 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:17.635365009 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:27.763962984 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:11:37.893120050 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 12, 2024 18:12:08.726944923 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 12, 2024 18:12:09.043173075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 11 Dec 2024 18:55:58 GMT Age: 80170 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	12:09:09
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc30000
File size:	969'728 bytes
MD5 hash:	124221B530CA975F2847F8F37293111B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:09:10
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:09:10
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:09:12
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:09:12
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:09:12
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:09:12
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:09:12
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:09:13
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:09:14
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c498fc-5a65-420d-ab47-2949d9af209f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c878e6ff10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:09:16
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 3448 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5adba865-d61c-4404-a32a-e340b4d1a3c6} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c809bf6710 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:09:19
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4880 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bcef83-51b2-46da-97d3-fe6f72949a97} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1c80ac13710 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1721
Total number of Limit Nodes:	59

Executed Functions

Function 00C342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C3430D

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetCurrentProcess.KERNEL32(?,00CCCB64,00000000,?,?), ref: 00C34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C34466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00C34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C344A0

Strings

kernel32.dll, xrefs: 00C3444F
|O, xrefs: 00C736F8
GetNativeSystemInfo, xrefs: 00C34460

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction ID: 735e60f12776dfe48aa85a3d2873f0e681cb51c8ce1b61875bcaa080f5d79fef
Opcode Fuzzy Hash: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction Fuzzy Hash: 26A1A47AD1A3C0DFC719C769BC817D97FA47B26300F0898A9E09DD3B62D2215A09DB71

Function 00C342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342C9
LoadResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735BE
SizeofResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735D3
LockResource.KERNEL32(00C350AA,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20,?), ref: 00C735E6

Strings

SCRIPT, xrefs: 00C342BF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction ID: 2932bd104e78bd29f779b6e19936e6ae439fd58477e2b648d6e955f7d8d3f6b2
Opcode Fuzzy Hash: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction Fuzzy Hash: 9A118E70200700BFD7258BA6DC88F2B7BBDEBC6B51F14816DF426D6690DB72ED008A20

Function 00C72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CF2224), ref: 00C72C10
ShellExecuteW.SHELL32(00000000,?,?,00CF2224), ref: 00C72C17

Strings

runas, xrefs: 00C72C0B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction ID: 9f371c98f823d5522bd49791f65b7823b28afaa9f9f75dd67ca2f9cd18a172ce
Opcode Fuzzy Hash: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction Fuzzy Hash: 6F11B1312183856BCB14FF60E891EBEB7A49B91310F04542DF29A520B2CF708A0AE722

Function 00C9D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C9D52F
CloseHandle.KERNEL32(00000000), ref: 00C9D5DC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction ID: f716459127c4553baf9d9a6afd47d2a7e43e7637e5c4b3b2ae3c2f3eba911b34
Opcode Fuzzy Hash: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction Fuzzy Hash: 5931BC711083009FD300EF64D885BAFBBE8EF99354F14092DF586961A1EB719A48DBA3

Function 00C9DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00C75222), ref: 00C9DBCE
GetFileAttributesW.KERNEL32(?), ref: 00C9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C9DBEE
FindClose.KERNEL32(00000000), ref: 00C9DBFA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction ID: 0b076411fb5ce06d5bd6343dbaf4359215452905bc7c5ef4bbf3089911293c05
Opcode Fuzzy Hash: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction Fuzzy Hash: 8EF0A030810910978B206B78EC4DAAE776C9F01334B144702F83AD20F0EBB05A568695

Function 00C8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8D220

Strings

%.3d, xrefs: 00C8D22B
X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction ID: cd3ec0e8accc84fab0d236d73bb7a36789c11a6a1cce3282316132f7d3e243b6
Opcode Fuzzy Hash: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction Fuzzy Hash: D7D012A1808108FACB90B7D1DC89DBAB37CFB09305F508462F90792080D624D9086765

Function 00C54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D09
TerminateProcess.KERNEL32(00000000,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D10
ExitProcess.KERNEL32 ref: 00C54D22

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction ID: 7c6e6fd7ad27d7b7157c01d2580c13f58b3ef5e62b94ec03858d9c3b90ed123f
Opcode Fuzzy Hash: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction Fuzzy Hash: E1E0B675400188ABCF25AF54EE49F9C3B79FB41796B144018FC198B132CB3ADE86DA94

Function 00C8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C8D28C

Strings

X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction ID: 7a0fd52630d0927456032b315873476880dd4d0abe0e452a7b500e0ded48764f
Opcode Fuzzy Hash: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction Fuzzy Hash: 31D0C9B480111DEACB90DB90ECC8EDDB77CBB04305F100191F106A2040D73095488F10

Function 00CBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1D4
_wcslen.LIBCMT ref: 00CBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB236
_wcslen.LIBCMT ref: 00CBB332

Part of subcall function 00CA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6

_wcslen.LIBCMT ref: 00CBB34B
_wcslen.LIBCMT ref: 00CBB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CBB3B6
GetLastError.KERNEL32(00000000), ref: 00CBB407
CloseHandle.KERNEL32(?), ref: 00CBB439
CloseHandle.KERNEL32(00000000), ref: 00CBB44A
CloseHandle.KERNEL32(00000000), ref: 00CBB45C
CloseHandle.KERNEL32(00000000), ref: 00CBB46E
CloseHandle.KERNEL32(?), ref: 00CBB4E3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e483818cc340538ca262f704e5ec9a85a6b618914d2c69cbebdeb38dc9ee9fe1
Instruction ID: 764804eedb8b75574647d9dbe96810da4fbe025ce630d920a83398ce2427dd64
Opcode Fuzzy Hash: e483818cc340538ca262f704e5ec9a85a6b618914d2c69cbebdeb38dc9ee9fe1
Instruction Fuzzy Hash: B2F1BD715083009FCB24EF24C891BAEBBE4BF85314F18855DF8999B2A2CB71ED45DB52

Function 00C3D733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C3D807
timeGetTime.WINMM ref: 00C3DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB28
TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNEL32(0000000A), ref: 00C3DBB1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ef0225e366881cd096e732fe96b9ddfe4df4c28e5bb6657a0d9c79bae42473ea
Instruction ID: 90d503ca4c915d2c92b69e371459e52c1f8be8f608a814ab46cd46a7847826ec
Opcode Fuzzy Hash: ef0225e366881cd096e732fe96b9ddfe4df4c28e5bb6657a0d9c79bae42473ea
Instruction Fuzzy Hash: FF420130618341EFD728DF25D888BAAB7E0FF45308F14865DF86A87291DB70E944DB96

Function 00C32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32D07
RegisterClassExW.USER32(00000030), ref: 00C32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
LoadIconW.USER32(000000A9), ref: 00C32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

0, xrefs: 00C32CE9
TaskbarCreated, xrefs: 00C32D37
+, xrefs: 00C32CF0
AutoIt v3 GUI, xrefs: 00C32D23

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction ID: f7d95c39be0f1cc37131f6811e5533272f1ca9b2219ef3b53a4f533aab4236cf
Opcode Fuzzy Hash: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction Fuzzy Hash: D721BFB9D01319AFDB00DFA4E889B9DBBB4FB08700F00811AF629E62A0D7B155448FA1

Function 00C7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C7039A: CreateFileW.KERNEL32(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

GetLastError.KERNEL32 ref: 00C7076F
__dosmaperr.LIBCMT ref: 00C70776
GetFileType.KERNEL32(00000000), ref: 00C70782
GetLastError.KERNEL32 ref: 00C7078C
__dosmaperr.LIBCMT ref: 00C70795
CloseHandle.KERNEL32(00000000), ref: 00C707B5
CloseHandle.KERNEL32(?), ref: 00C708FF
GetLastError.KERNEL32 ref: 00C70931
__dosmaperr.LIBCMT ref: 00C70938

Strings

H, xrefs: 00C708BD

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction ID: 7c7e232e29bff517f8a1a6a5ed39a3f706298944b0ba2344acc0677d991804c0
Opcode Fuzzy Hash: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction Fuzzy Hash: 2EA12732A101459FDF19AF68DC91BAD3FA0AB06320F24815DF829DB3E1DB319913DB91

Function 00C3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C33379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C731CE
RegCloseKey.ADVAPI32(?), ref: 00C73210
_wcslen.LIBCMT ref: 00C73277
_wcslen.LIBCMT ref: 00C73286

Strings

\Include\, xrefs: 00C33527
Include, xrefs: 00C73184, 00C731C5
\, xrefs: 00C7328C
Software\AutoIt v3\AutoIt, xrefs: 00C33560

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2aac561e4083f316ffd09e7bf038fd2c6019a8af93a2a37bbd6d3c764eb6a4a8
Instruction ID: 0358262abbc254bf28e73dc01d6824fc5d291f9687e33d7d36fa4c182396cc0c
Opcode Fuzzy Hash: 2aac561e4083f316ffd09e7bf038fd2c6019a8af93a2a37bbd6d3c764eb6a4a8
Instruction Fuzzy Hash: F471A2714153009FC304EF65EC89AABBBE8FF85340F40482EF559D32A1EB749A48DB62

Function 00C32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C32B9D
LoadIconW.USER32(00000063), ref: 00C32BB3
LoadIconW.USER32(000000A4), ref: 00C32BC5
LoadIconW.USER32(000000A2), ref: 00C32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C32BEF
RegisterClassExW.USER32(?), ref: 00C32C40

Part of subcall function 00C32CD4: GetSysColorBrush.USER32(0000000F), ref: 00C32D07
Part of subcall function 00C32CD4: RegisterClassExW.USER32(00000030), ref: 00C32D31
Part of subcall function 00C32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
Part of subcall function 00C32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
Part of subcall function 00C32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
Part of subcall function 00C32CD4: LoadIconW.USER32(000000A9), ref: 00C32D85
Part of subcall function 00C32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

AutoIt v3, xrefs: 00C32C2F
0, xrefs: 00C32C0F
#, xrefs: 00C32C16

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction ID: 9a38c9ba3d53cfeec348f9e5543ee111ad5f512fd4cd82805cc37a862c5663d0
Opcode Fuzzy Hash: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction Fuzzy Hash: 8921D579E10318ABDB109FA5EC99BAD7FB4FB48B50F04401AE508E67A0D7B155409FA4

Function 00C33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C3316A,?,?), ref: 00C331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C3316A,?,?), ref: 00C33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C3316A,?,?), ref: 00C33232
CreatePopupMenu.USER32 ref: 00C33246
PostQuitMessage.USER32(00000000), ref: 00C33267

Strings

TaskbarCreated, xrefs: 00C3322D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction ID: ce6f94aef016d6e5f7f273c122c7caa293c3c1206c87dcc7ac83fdd1fbf7e251
Opcode Fuzzy Hash: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction Fuzzy Hash: 77412639620284ABDF251B79DD4DB7E3A19E705340F044125F92EC62E2CBB28F40ABB1

Function 00C31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C31459
CoUninitialize.COMBASE ref: 00C314F8
UnregisterHotKey.USER32(?), ref: 00C316DD
DestroyWindow.USER32(?), ref: 00C724B9
FreeLibrary.KERNEL32(?), ref: 00C7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C7254B

Strings

close all, xrefs: 00C31454

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 93ec52339dc0594b1007b71c97d7a62e7fbca43d3ee500cb62256511bf5fc984
Instruction ID: 9cf0c8f5377bc63eb6f7354cb086f44a8dd2b1279a77ea4962b7229fdecfca2f
Opcode Fuzzy Hash: 93ec52339dc0594b1007b71c97d7a62e7fbca43d3ee500cb62256511bf5fc984
Instruction Fuzzy Hash: 19D15B31711212CFCB29EF55C899B29F7A4FF05700F1882ADE84AAB252DB31AD12DF51

Function 00C9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00C9DE42
gethostname.WS2_32(?,00000100), ref: 00C9DE5C
gethostbyname.WS2_32(?), ref: 00C9DE69
inet_ntoa.WSOCK32(?), ref: 00C9DEAB
_strcat.LIBCMT ref: 00C9DEB9
WSACleanup.WSOCK32 ref: 00C9DEDE

Strings

0.0.0.0, xrefs: 00C9DE87

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 683ff731f0edecfaea8781b4be9ccf4c4573288b44cf086039b183d4c8f37070
Instruction ID: e28968e9ab8818408b93433a71aa142c79ccd21d2cbc810751b5e281d8e8fa9e
Opcode Fuzzy Hash: 683ff731f0edecfaea8781b4be9ccf4c4573288b44cf086039b183d4c8f37070
Instruction Fuzzy Hash: 0A110371904109ABCF24AB60DC8EFEF77ACDF10751F0001A9F55AEA091EF708AC19B60

Function 00C32C63 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CCF

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00C32C84
AutoIt v3, xrefs: 00C32C89, 00C32C8E, 00C32C8F
edit, xrefs: 00C32CAC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$edit
API String ID: 1584632944-3899645675
Opcode ID: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction ID: c5d2e6bab984e717502194177473c599c8f4c220562c069d3a13c933789c81ce
Opcode Fuzzy Hash: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction Fuzzy Hash: 97F0DA799403907AEB311757AC48F772EBDD7C6F50B00105EF908E26A0C6711851DAB0

Function 00C33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B83

Strings

Control Panel\Mouse, xrefs: 00C33B3E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction ID: 0882784734fc72b81c76355f88aed65b23b41758b65075f15101ca3648a9fb24
Opcode Fuzzy Hash: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction Fuzzy Hash: AA112AB5520248FFDB208FA5DC84EAEB7B8EF04748F104459E805D7110D2319F409B60

Function 00C8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C8D3BF
FreeLibrary.KERNEL32 ref: 00C8D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00C8D3B9
X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction ID: 28b67d44da87af34656fe8025f6c7d103c5659b433748ba0fd07151311cef336
Opcode Fuzzy Hash: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction Fuzzy Hash: ECF0AB71841A20EBCB313212DC98F6D7320AF10705F5D816CF80BE21D4DB20CF41839A

Function 00C3DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C832B7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 29b62e5cafc83f49d49453c0dc157d1c2a050863aa207ce21d6460bb91598113
Instruction ID: a30c6790ad749b6abcf7eddbd226e4c308e0f80761fbd741a140888e73ac46b3
Opcode Fuzzy Hash: 29b62e5cafc83f49d49453c0dc157d1c2a050863aa207ce21d6460bb91598113
Instruction Fuzzy Hash: 01C2A971E10205CFCB24DF98C884BADB7B1BF09704F248169E956AB3A1D371EE42DB95

Function 00C3EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C3FE66

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 9eea29ee176d2495f93f8d54ac6fe08f484d7536ad075c85050927e2ffcfaaa0
Instruction ID: 1c142abdce4585e627b6c8e0f1d1e03e0f1fb3cd1e803a49023ccbe9850b0ce8
Opcode Fuzzy Hash: 9eea29ee176d2495f93f8d54ac6fe08f484d7536ad075c85050927e2ffcfaaa0
Instruction Fuzzy Hash: 82B27A74A18341CFCB28DF19C490B2AB7E1BF89304F24482DE8999B391D771ED46DB92

Function 00C33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C733A2

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Strings

Line: , xrefs: 00C733EB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9284161d2b69f7f90ca70a30e4c5f43eec8c75754142e8c02bc9dd744d923092
Instruction ID: 5d40d666e3fcc6fa60bf0e765532201d384e8d3f7814dc5a7c1f1cd4c2eb3109
Opcode Fuzzy Hash: 9284161d2b69f7f90ca70a30e4c5f43eec8c75754142e8c02bc9dd744d923092
Instruction Fuzzy Hash: 0131C171418340AAC325EB20DC45BEFB7E8AB84714F00852EF599821E1EB709B49DBD2

Function 00C4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50668

Part of subcall function 00C532A4: RaiseException.KERNEL32(?,?,?,00C5068A,?,00D01444,?,?,?,?,?,?,00C5068A,00C31129,00CF8738,00C31129), ref: 00C53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

Strings

Unknown exception, xrefs: 00C50692

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction ID: 6b919a4c303beb018ada57cf174b888b5d3bbd7d2450aeaa66846eec9fffd720
Opcode Fuzzy Hash: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction Fuzzy Hash: B0F0223890060DB3CB00BAA4DC46D9E7B6CAE00341BB04435BD24C2492EF71DBEED599

Function 00C310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Part of subcall function 00C31B4A: RegisterWindowMessageW.USER32(00000004,?,00C312C4), ref: 00C31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C3136A
OleInitialize.OLE32 ref: 00C31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C724AB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8382ecec528e7528108f13e58c737fed26f0bceb024467582ff8c80fb21d7e66
Instruction ID: 3cf9490ebfea8de65ca9471e7bc9bce5ece33b5c89e131024ab6a74bab6ec25b
Opcode Fuzzy Hash: 8382ecec528e7528108f13e58c737fed26f0bceb024467582ff8c80fb21d7e66
Instruction Fuzzy Hash: 9C718ABC9113019EC784DF7AAC897593AF0BB89354B58822EE44EDB3B1EB3085459F71

Function 00C9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C9C259
KillTimer.USER32(?,00000001,?,?), ref: 00C9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C9C270

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction ID: 3b78bac83e255a4b3434001ad09584715a8a16695edf1c937dd9e8480c7b0f67
Opcode Fuzzy Hash: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction Fuzzy Hash: 7D319370904784AFEF22DF64C899BEBBBEC9B06708F00449ED5EE97241C7745A84CB51

Function 00C686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00C685CC,?,00CF8CC8,0000000C), ref: 00C68704
GetLastError.KERNEL32(?,00C685CC,?,00CF8CC8,0000000C), ref: 00C6870E
__dosmaperr.LIBCMT ref: 00C68739

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction ID: 7c4e3df73079335e492fbd0af7cc833cff3b82475c1ce25901c4cfdf609fe129
Opcode Fuzzy Hash: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction Fuzzy Hash: 6B014E3260566026D6346334E8C5B7E6B494F81B74F390329F928CB2E2DEA0CD859150

Function 00C3DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNEL32(0000000A), ref: 00C3DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C81CC9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction ID: 48d9706eb0c40e089740d4ffece54dcd865037bd9059194a10d5eaae31bb4c95
Opcode Fuzzy Hash: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction Fuzzy Hash: 13F05E306443409BE730DB60DC89FAA73ACEB44314F104A18E61EC30C0DB30A5889B65

Function 00C41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C417F6

Strings

CALL, xrefs: 00C417C6

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 195f95ffe51b5d78251caab9d4115a295e0343cfa861c63c1a6e0c3998947836
Instruction ID: e84db23be68193771d4e04e856f25223f69ba5bc61c69c972cc9755d8295ac40
Opcode Fuzzy Hash: 195f95ffe51b5d78251caab9d4115a295e0343cfa861c63c1a6e0c3998947836
Instruction Fuzzy Hash: C022AB706083019FC714DF15C494B6ABBF1BF89314F28891DF89A8B3A2D731E985DB92

Function 00C401E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e91fed9c633eaa23939990663c4eab6eaabd93574ce950c068f3bc01376f852
Instruction ID: baced322d0207817e64dd794f72a9873ec90c5e8b9ddd5d30af076e00ffb27d1
Opcode Fuzzy Hash: 5e91fed9c633eaa23939990663c4eab6eaabd93574ce950c068f3bc01376f852
Instruction Fuzzy Hash: CC320330A00605DFCB24EF54C885BAEB7B1FF05314F248569F926AB2A1D7B1EE40DB95

Function 00C32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C72C8C

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C32DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C32DC4

Strings

X, xrefs: 00C72C5A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction ID: bcdca90430af8a34268f17aec8935caff1b5e841026d7edfe2c9c23584f50771
Opcode Fuzzy Hash: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction Fuzzy Hash: CC21D270A1029C9FDF41EF94C849BEEBBFCAF48305F008059E509B7241DBB45A899FA1

Function 00C8D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00C8D375

Strings

X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: a790ccdfd469cd3c10177469448bf2d9961bb5de5b549afa18ec09a0b52a94ba
Instruction ID: 3141b80b1b4c68341c2dd79fb95d6bb12a4c44dccabb40ff3cd11107972b63ae
Opcode Fuzzy Hash: a790ccdfd469cd3c10177469448bf2d9961bb5de5b549afa18ec09a0b52a94ba
Instruction Fuzzy Hash: 49D0C9B5805118EACB90EB41ECC8EDDB37CBB04305F504191F407A2040DB30A9489B10

Function 00C33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction ID: e8a11559fcc8aef1b55d0ab46117393beb9b56f588eb586c1c797b3fe7c032c2
Opcode Fuzzy Hash: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction Fuzzy Hash: 32318E745043419FD720DF24D88479BBBE8FB49709F00092EF9A9C7290E771AA44CBA2

Function 00C4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C4F661

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

Sleep.KERNEL32(00000000), ref: 00C8F2DE

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction ID: 07040fccac770656a33a0df154e1a3a36e815b1fa575684bcee9410b5bd17d24
Opcode Fuzzy Hash: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction Fuzzy Hash: B8F01C312506059FD314EF69D489F6AB7E8FF45761F004029F95EC7261DB70AC10DB95

Function 00C3B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C3BB4E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ff691ab672648df6d1d492c0eb6f382cb70c7653b783569b474a0867fca08dfe
Instruction ID: 26b5f64ef22059703ec9532d1cdaff08c3bc783743bc81b87be43154f326ddd7
Opcode Fuzzy Hash: ff691ab672648df6d1d492c0eb6f382cb70c7653b783569b474a0867fca08dfe
Instruction Fuzzy Hash: 9232BE34A00209DFDB24DF54C898BBEB7B5FF44314F248059EA25AB3A1C774AE45CBA5

Function 00C34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
Part of subcall function 00C34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
Part of subcall function 00C34E90: FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EFD

Part of subcall function 00C34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
Part of subcall function 00C34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
Part of subcall function 00C34E59: FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction ID: 79e8c94271a4caebaea300239b24ca26f05f695f6931ba23e76072c994be5d87
Opcode Fuzzy Hash: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction Fuzzy Hash: EB112332620205ABCB28ABA4DC02FAD77A5AF44710F24842DF442A61C1EE70AA05AB50

Function 00C68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C68440

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction ID: dbb4bfbc9a09e035e859005549b0db9e25852cc56613225d979aa22141bec158
Opcode Fuzzy Hash: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction Fuzzy Hash: C311487190420AAFCB15DF58E980AAE7BF4EF48300F104199F808AB312DA30DA15CBA4

Function 00C5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 298ac76e29bd10556a0c875ddc01be64290c3cdbea06ae39ece58ffed8f3941b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF02D3A510E18DAC7353A66CC05B5A33999F523B3F100715FC21931D2CF70D68E96AD

Function 00C63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction ID: f15fcec1ef92262f062ed04772435d7b79a3a008f44987703a5709522eaf1581
Opcode Fuzzy Hash: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction Fuzzy Hash: D1E0E5351002A456E73126A79C45BDA3749EF467B5F050122FC25975C1CB10DF4292F4

Function 00C34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34F6D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction ID: d84696e4c494f76403167ca6f9f38d763c1cbc352e7cb0602cfd444d2c728107
Opcode Fuzzy Hash: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction Fuzzy Hash: 75F03071115751CFDB389FA5D490916B7E4EF1831971889BEE1EA82611C731A944DF10

Function 00CC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CC2A66

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction ID: e74fecf658acc4fdf4f344eb5b92444d3f61241e2ff78813e4775ee5ef58a0ac
Opcode Fuzzy Hash: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction Fuzzy Hash: 97E08C36354116AACB14EB35EC84EFEB35CEF50395B10453AFC2AC2140EB309A96B6E0

Function 00C330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction ID: 47a18f57a873438baafaea262bed57cbd30ffc521994cb7f3bed1f5e001decef
Opcode Fuzzy Hash: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction Fuzzy Hash: 02F037749143549FE752DB64DC497D97BFCA701708F0040E9A54CD6291D7745788CF61

Function 00C32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C32DC4

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction ID: 1747035774fff61c3d044b7dac4f5db8134608731676e3d9ca5f25c52e4d59b1
Opcode Fuzzy Hash: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction Fuzzy Hash: 4AE0CD72A001245BC710D698DC05FDA77DDDFC8790F044071FD0DD7248D960AD809650

Function 00C32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction ID: b9b62ad7dda7c444de1fddeba580573d30c5ca70e48541df3f7ab6e135049a84
Opcode Fuzzy Hash: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction Fuzzy Hash: D4E08C2672428807CA08BB74A852AADA7599BD2365F40153EF14B872B2CF648A499262

Function 00C9DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C9DF40

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 969e6a4fd5dbeed45955d0aff744d4ef283868b8893000d3371eb1e75c49e5c0
Instruction ID: 3cbee0be6ad1fb8797f6efceaaea28ac0c90a96616702426f1cb93a0beffe586
Opcode Fuzzy Hash: 969e6a4fd5dbeed45955d0aff744d4ef283868b8893000d3371eb1e75c49e5c0
Instruction Fuzzy Hash: 82D05EA2A002283BDF64E6749C0DEFB7AACC740214F0046A0B86DD3152E920DD448AB0

Function 00C7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction ID: 8744a9c52526f34a33f91bdef1cb130bd61ee9445eb4c0b4bb91dcc07cc6b8e1
Opcode Fuzzy Hash: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction Fuzzy Hash: B0D06C3204010DBBDF028F85DD46EDE3BAAFB48714F014040FE1856020C732E821AB90

Function 00C31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C31CBC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction ID: d5caebe21cc3096625d6f8e479eaeec3e2b3b03892b443720bc8562a76ca96b0
Opcode Fuzzy Hash: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction Fuzzy Hash: E5C0923A280304AFF3148B80FC8EF247764A348B00F048001F60DE96E3C3E22821EA64

Non-executed Functions

Function 00CC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC96C9
SendMessageW.USER32 ref: 00CC96F2
GetKeyState.USER32(00000011), ref: 00CC978B
GetKeyState.USER32(00000009), ref: 00CC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC97AE
GetKeyState.USER32(00000010), ref: 00CC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC97E9
SendMessageW.USER32 ref: 00CC9810
SendMessageW.USER32(?,00001030,?,00CC7E95), ref: 00CC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CC9941
SetCapture.USER32(?), ref: 00CC994A
ClientToScreen.USER32(?,?), ref: 00CC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC99D6
ReleaseCapture.USER32 ref: 00CC99E1
GetCursorPos.USER32(?), ref: 00CC9A19
ScreenToClient.USER32(?,?), ref: 00CC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9A80
SendMessageW.USER32 ref: 00CC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9AEB
SendMessageW.USER32 ref: 00CC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CC9B4A
GetCursorPos.USER32(?), ref: 00CC9B68
ScreenToClient.USER32(?,?), ref: 00CC9B75
GetParent.USER32(?), ref: 00CC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9BFA
SendMessageW.USER32 ref: 00CC9C2B
ClientToScreen.USER32(?,?), ref: 00CC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9CDE
SendMessageW.USER32 ref: 00CC9D01
ClientToScreen.USER32(?,?), ref: 00CC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CC9D82

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetWindowLongW.USER32(?,000000F0), ref: 00CC9E05

Strings

F, xrefs: 00CC9D07
@GUI_DRAGID, xrefs: 00CC997D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction ID: cb1046b8a1d637c80da27cd6fe527997d532e332b70b3cc0958d7cc8b3be2a13
Opcode Fuzzy Hash: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction Fuzzy Hash: F0425835604601AFDB25CF24C888FAABBF5FF49310F14061DF6A9972A1D731AA60DF52

Function 00CC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A7E
IsMenu.USER32(?), ref: 00CC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CC4C82
wsprintfW.USER32 ref: 00CC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4D5A

Strings

%d/%02d/%02d, xrefs: 00CC4CA8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a98ddb186aca8c06498c7f2397de3a3a204a5dd92671e20304ddbfd5eb4069da
Instruction ID: 52f3ba73504ed15c7909c9bbf8f5d03bcd2021d668a82a76cd73daf2f8e5c17a
Opcode Fuzzy Hash: a98ddb186aca8c06498c7f2397de3a3a204a5dd92671e20304ddbfd5eb4069da
Instruction Fuzzy Hash: 37120271A00214ABEB288F65CC59FAE7BF8EF45310F10812DF52ADB2E1DB749A41CB50

Function 00C4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8F474
IsIconic.USER32(00000000), ref: 00C8F47D
ShowWindow.USER32(00000000,00000009), ref: 00C8F48A
SetForegroundWindow.USER32(00000000), ref: 00C8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4AA
GetCurrentThreadId.KERNEL32 ref: 00C8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C8F4DE
SetForegroundWindow.USER32(00000000), ref: 00C8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F4F6
keybd_event.USER32(00000012,00000000), ref: 00C8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F50B
keybd_event.USER32(00000012,00000000), ref: 00C8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F519
keybd_event.USER32(00000012,00000000), ref: 00C8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F528
keybd_event.USER32(00000012,00000000), ref: 00C8F52D
SetForegroundWindow.USER32(00000000), ref: 00C8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C8F557

Strings

Shell_TrayWnd, xrefs: 00C8F46F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction ID: 51bee6ef6edd3f881dd36bede2f21e5d319ddbad613fce9e370efcdbe1b40bdc
Opcode Fuzzy Hash: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction Fuzzy Hash: 10316671A40218BFEB206BB59C8AFBF7E6CEB44B54F10006AFA05E61D1C7B55D01AF64

Function 00C91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C912A8
CloseHandle.KERNEL32(?), ref: 00C912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C912D1
GetProcessWindowStation.USER32 ref: 00C912EA
SetProcessWindowStation.USER32(00000000), ref: 00C912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C91310

Part of subcall function 00C910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
Part of subcall function 00C910BF: CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Strings

default, xrefs: 00C9130B
, xrefs: 00C9125A
winsta0, xrefs: 00C912CC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: f279191bd701db0f4836abe36b3dd1be0318d184f471a0d7a66ea6802b01af66
Instruction ID: 7c72736be173e5822fe1928ebd50fc93cab62ed670932c5ed6c06364e6520b06
Opcode Fuzzy Hash: f279191bd701db0f4836abe36b3dd1be0318d184f471a0d7a66ea6802b01af66
Instruction Fuzzy Hash: A981A37190020AAFEF119FA5DC4AFEE7BB9FF08704F184119FD25A61A0C7318A55DB21

Function 00C90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90C00
GetLengthSid.ADVAPI32(?), ref: 00C90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90C6D
GetLengthSid.ADVAPI32(?), ref: 00C90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90C8C
HeapAlloc.KERNEL32(00000000), ref: 00C90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90CB4
CopySid.ADVAPI32(00000000), ref: 00C90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D45
HeapFree.KERNEL32(00000000), ref: 00C90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D55
HeapFree.KERNEL32(00000000), ref: 00C90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D65
HeapFree.KERNEL32(00000000), ref: 00C90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90D78
HeapFree.KERNEL32(00000000), ref: 00C90D7F

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction ID: 19e427dd3146bbc613dfb982e15a8c97517370c365fc324a61f6a8715ddad9c3
Opcode Fuzzy Hash: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction Fuzzy Hash: 8F716B7290020AAFDF10DFA5DC88FAEBBBCBF04304F144519F929A7291D771AA05CB60

Function 00CAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CCCC08), ref: 00CAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CAEB37
GetClipboardData.USER32(0000000D), ref: 00CAEB43
CloseClipboard.USER32 ref: 00CAEB4F
GlobalLock.KERNEL32(00000000), ref: 00CAEB87
CloseClipboard.USER32 ref: 00CAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CAEBC9
GetClipboardData.USER32(00000001), ref: 00CAEBD1
GlobalLock.KERNEL32(00000000), ref: 00CAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CAEC38
GetClipboardData.USER32(0000000F), ref: 00CAEC44
GlobalLock.KERNEL32(00000000), ref: 00CAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CAECF3
CountClipboardFormats.USER32 ref: 00CAED14
CloseClipboard.USER32 ref: 00CAED59

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction ID: 68e1a369c475d12052630ae0047fe8a9b40be5519b43993adeeb77565e783745
Opcode Fuzzy Hash: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction Fuzzy Hash: E061CF34204302AFD300EF24D889F6EB7A4EF85718F14455DF46A972A2DB71DE46DBA2

Function 00CA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA69BE
FindClose.KERNEL32(00000000), ref: 00CA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A75

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00CA6B6A
%02d, xrefs: 00CA6C00, 00CA6C0A, 00CA6C5A, 00CA6CAA, 00CA6CFA, 00CA6D4A
%4d, xrefs: 00CA6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CA6B32
%03d, xrefs: 00CA6DA2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction ID: 85b4c379e488074f89a15d807f7affbb625750faa61e7b66be1289e4961dad2f
Opcode Fuzzy Hash: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction Fuzzy Hash: A8D15DB2518300AFC714EBA4C885EAFB7ECEF89704F04491DF589D6291EB74DA44DB62

Function 00CA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CA9663
GetFileAttributesW.KERNEL32(?), ref: 00CA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CA96D3
FindClose.KERNEL32(00000000), ref: 00CA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA974A
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA9772
FindClose.KERNEL32(00000000), ref: 00CA977F
FindClose.KERNEL32(00000000), ref: 00CA978F

Strings

*.*, xrefs: 00CA96F5

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction ID: 1e178e1f8032b4b3ad5104ba78ff9a84cd0f346dea01035eb6771e47fc334fb8
Opcode Fuzzy Hash: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction Fuzzy Hash: 3631C23250021A6BDB14EFB4EC4AFEE77ACDF4A325F144165F919E20A0DB30DA858A24

Function 00CA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CA9819
FindClose.KERNEL32(00000000), ref: 00CA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA9890
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA98B8
FindClose.KERNEL32(00000000), ref: 00CA98C5
FindClose.KERNEL32(00000000), ref: 00CA98D5

Part of subcall function 00C9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C9DB00

Strings

*.*, xrefs: 00CA983B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction ID: f0b7842897e026fd12b0ad6f6b8309d6f88136fef60f05da33071361a32545d6
Opcode Fuzzy Hash: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction Fuzzy Hash: 5C31C33150021A6ADB14EFB4EC8AFEE77BCDF07324F144165E924A20E0DB38DA85DB24

Function 00C9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C9D1DD
MoveFileW.KERNEL32(?,?), ref: 00C9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D237

Part of subcall function 00C9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C9D21C,?,?), ref: 00C9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C9D253
FindClose.KERNEL32(00000000), ref: 00C9D264

Strings

\*.*, xrefs: 00C9D0CD, 00C9D0D6, 00C9D0EB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction ID: c7bcb1e1aaf336db823ef01537114edc43f517cd16828ac4ed47fde46a8994f9
Opcode Fuzzy Hash: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction Fuzzy Hash: 1D618C31C0524DAFCF05EBE0DA96AEDB7B5AF55300F204165E452771A2EB30AF09EB61

Function 00CAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CAED91
EmptyClipboard.USER32 ref: 00CAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CAEDAC
CloseClipboard.USER32 ref: 00CAEEA3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction ID: 43323a45b548cfcea29792304399f6d4e302e9a2d70ebdef41009e320877a3f9
Opcode Fuzzy Hash: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction Fuzzy Hash: D341AB35604612AFE720CF19D888F19BBE5EF45329F14C099E4298B762C735ED42CBD0

Function 00C9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

ExitWindowsEx.USER32(?,00000000), ref: 00C9E932

Strings

, xrefs: 00C9E95C
, xrefs: 00C9E920
SeShutdownPrivilege, xrefs: 00C9E902
@, xrefs: 00C9E925

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction ID: f608c4dccc0d5a6efde3a8a7b06838669a2417a4ed17164bde79dd0e1a108c69
Opcode Fuzzy Hash: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction Fuzzy Hash: 0401F972A10211AFEF54A6B59CCEFFF726CA724750F1A0421FD13E21D1D9A15D409290

Function 00CB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CB1276
WSAGetLastError.WSOCK32 ref: 00CB1283
bind.WSOCK32(00000000,?,00000010), ref: 00CB12BA
WSAGetLastError.WSOCK32 ref: 00CB12C5
closesocket.WSOCK32(00000000), ref: 00CB12F4
listen.WSOCK32(00000000,00000005), ref: 00CB1303
WSAGetLastError.WSOCK32 ref: 00CB130D
closesocket.WSOCK32(00000000), ref: 00CB133C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction ID: cfcfa6c6a7a70eda4ad1e03bbf81097d3d403c13cb8e3d8bb738dde989849e05
Opcode Fuzzy Hash: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction Fuzzy Hash: 50417071A001409FD710DF68C4D8B6ABBE5AF46318F588198E8669F2E2C771ED81CBE1

Function 00C6B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6B9D4
_free.LIBCMT ref: 00C6B9F8
_free.LIBCMT ref: 00C6BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CD3700), ref: 00C6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D01270,000000FF,?,0000003F,00000000,?), ref: 00C6BC36
_free.LIBCMT ref: 00C6BD4B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 82a52de488806b1b8882d9451645e762fe91b65245b27d988027e19e35a2c262
Instruction ID: 444dbcb292cb047bcee3d105cc88fc2b84b9d3ed0a2bcc26762162f20025fecd
Opcode Fuzzy Hash: 82a52de488806b1b8882d9451645e762fe91b65245b27d988027e19e35a2c262
Instruction Fuzzy Hash: 33C1E575A04205AFDB349F7988C1BAEBBB9EF41350F1441AAE4A4D7252EB309F81DB50

Function 00C9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D481
FindClose.KERNEL32(00000000), ref: 00C9D498
FindClose.KERNEL32(00000000), ref: 00C9D4A1

Strings

\*.*, xrefs: 00C9D3F2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction ID: 912bf9d1bd0d2ed7e7e8a8cecbd7fc6310c662e1c171ffe7546d1395e63db35f
Opcode Fuzzy Hash: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction Fuzzy Hash: 26316E710183859BC704EF64D8959AFB7A8AE91314F444E1DF4E6A31A1EB30AA09DB63

Function 00C6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C6E645

Strings

1#QNAN, xrefs: 00C6F84B
1#IND, xrefs: 00C6F83D
1#SNAN, xrefs: 00C6F844
1#INF, xrefs: 00C6F852

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction ID: 8e118b7cfbca4355724f648e610ca9696a7ecf25a45fc1fbe25829ddfd9b84b0
Opcode Fuzzy Hash: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction Fuzzy Hash: 09C25D75E086288FDB35CE28DD807EAB7B5EB49305F1441EAD85DE7241E774AE828F40

Function 00CA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA64DC
CoInitialize.OLE32(00000000), ref: 00CA6639
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA6650
CoUninitialize.OLE32 ref: 00CA68D4

Strings

.lnk, xrefs: 00CA64BA, 00CA6524, 00CA65E0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction ID: c53e9470c0b6288a0bec416b908ae3e124527bc4c31f106821add060dba6e65f
Opcode Fuzzy Hash: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction Fuzzy Hash: 81D14871518301AFC314EF24C881E6BB7E9FF99708F04496DF5958B2A1EB70EA45CB92

Function 00CB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CB22E8

Part of subcall function 00CAE4EC: GetWindowRect.USER32(?,?), ref: 00CAE504

GetDesktopWindow.USER32 ref: 00CB2312
GetWindowRect.USER32(00000000), ref: 00CB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CB2355
GetCursorPos.USER32(?), ref: 00CB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB23DF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction ID: 400405644868166f56dad20541fcc8b0a4c9832968c6775080024181e5fe2d36
Opcode Fuzzy Hash: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction Fuzzy Hash: 5531EF72504315ABCB20DF54C848F9BB7EDFF88310F000919F899971A1DB34EA08CB92

Function 00CA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CA9C8B

Part of subcall function 00CA3874: GetInputState.USER32 ref: 00CA38CB
Part of subcall function 00CA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CA9C75

Strings

*.*, xrefs: 00CA9B5D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction ID: 90e38e5eab3ebcfd9358e3f4bbe35d881489415652d7324842ebcd7d63280205
Opcode Fuzzy Hash: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction Fuzzy Hash: 6041A37194460A9FCF14DFA4CC8ABEEBBB4EF06318F248055E815A2191EB309F85DF61

Function 00C4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C49A4E
GetSysColor.USER32(0000000F), ref: 00C49B23
SetBkColor.GDI32(?,00000000), ref: 00C49B36

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction ID: 8fb498c10ffcaf4e20de71fde263d2651e0637e71eac1ae2275b174208bb181d
Opcode Fuzzy Hash: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction Fuzzy Hash: 8BA11770108564BEE729AA2D9C88F7F2A9DFB42354B244309F422C66A1DA35DF01E379

Function 00CB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CB185D
WSAGetLastError.WSOCK32 ref: 00CB1884
bind.WSOCK32(00000000,?,00000010), ref: 00CB18DB
WSAGetLastError.WSOCK32 ref: 00CB18E6
closesocket.WSOCK32(00000000), ref: 00CB1915

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction ID: d8656081d6c33dea3bdabf1552b691806f1d3e1a2f280d7c14cfdc1fcc37f5e6
Opcode Fuzzy Hash: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction Fuzzy Hash: 7751C375A00200AFDB10AF24C8D6F6A77E5AB44718F58805CFA1AAF3D3C771AD41DBA1

Function 00CC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CC1CC0
IsWindowEnabled.USER32 ref: 00CC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CC1CDB
IsIconic.USER32 ref: 00CC1CE9
IsZoomed.USER32 ref: 00CC1CF7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction ID: b879912ef53daf0c859cc80cd9b0cd925d26ee08b324d9ea0d7b5540f667cb13
Opcode Fuzzy Hash: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction Fuzzy Hash: FD217E317402105FD7218F1BC884F6A7BA5AF96325F1D805CE85A8B252C771D942CB90

Function 00C38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C75DF0
ERCP, xrefs: 00C3813C
VUUU, xrefs: 00C383E8
VUUU, xrefs: 00C3843C
VUUU, xrefs: 00C383FA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction ID: a4086a948c4f2a9066655de6980e0c89f716e178858833eb9e916f1744b734c5
Opcode Fuzzy Hash: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction Fuzzy Hash: AAA29071E1061ACBDF24CF59C9417AEB7B1BF54310F2481AAE829A7385DB709E85CF90

Function 00C9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C9AAAC
SetKeyboardState.USER32(00000080), ref: 00C9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C9AB88

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction ID: 08845d7284067b3250dd9d3504a6180eeb63ac237e611950607613207f2aadb9
Opcode Fuzzy Hash: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction Fuzzy Hash: 82314630A40248AFFF34CB69CC0DBFE7BA6AB44320F04421AF1A5921D0D7748A81D7E6

Function 00CACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CACE89
GetLastError.KERNEL32(?,00000000), ref: 00CACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CACEFE

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction ID: 626dd01abfb36b3218e45270340fc438ab8b5f0606d08a9527d7d68e4445ad30
Opcode Fuzzy Hash: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction Fuzzy Hash: 3521BD75500306AFEB20CFA5C988BAA77F8EB11358F10442EE65692151EB70EE48DB94

Function 00C98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C982AA

Strings

(, xrefs: 00C982F0
|, xrefs: 00C982DA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8e494ad06f4d3ad69c2af896e6c4a870224c1152268e6a86fd8b69d5f2ab39e3
Instruction ID: f14d614bede32793dd67e1769ac5bd79c20f40f6869435429abb67bc9963686b
Opcode Fuzzy Hash: 8e494ad06f4d3ad69c2af896e6c4a870224c1152268e6a86fd8b69d5f2ab39e3
Instruction Fuzzy Hash: 99324475A00605DFCB28CF59C484A6AB7F0FF48710B15C46EE5AADB3A1EB70E981CB40

Function 00CA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CA5D17
FindClose.KERNEL32(?), ref: 00CA5D5F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 53baee794a7700b7ac8a51ad1664b4d3e92a8db5ab128cfd0f9882d15f789314
Instruction ID: 3c2bfcb892d31285956a038e9bcaf61f8b319bbcfdd571de67da37dd86a23192
Opcode Fuzzy Hash: 53baee794a7700b7ac8a51ad1664b4d3e92a8db5ab128cfd0f9882d15f789314
Instruction Fuzzy Hash: BD519C75A046029FC714CF28C494E9AB7E4FF4A328F14855DE9AA8B3A1CB30ED45CF91

Function 00C62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C62731

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction ID: a43acf1f06de243735044788ad7cc01bc2c088d722a64a1b4737d99535cfc7d0
Opcode Fuzzy Hash: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction Fuzzy Hash: C831B37491121CABCB21DF68DD89BDDBBB8AF08310F5041EAE81CA7261E7309F859F45

Function 00CA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CA5238
SetErrorMode.KERNEL32(00000000), ref: 00CA52A1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction ID: 38dad3f3b11e8565229805b857f96b091d6b35f7df94eb953854a84a3226fcb5
Opcode Fuzzy Hash: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction Fuzzy Hash: 46315A75A00509DFDB00DF95D884FADBBB4FF49318F088099E809AB3A2CB31E845CB90

Function 00C916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50668
Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
GetLastError.KERNEL32 ref: 00C9174A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4c46d3fd52a8996749593609bbd3c35b2a718b8550b258f1e28f1486d869eb42
Instruction ID: a315a4bdd2490ec3831e76ebf65a3591f8e805b87a3d73b9ae7b3e47ff6e1826
Opcode Fuzzy Hash: 4c46d3fd52a8996749593609bbd3c35b2a718b8550b258f1e28f1486d869eb42
Instruction Fuzzy Hash: 301191B2814305AFE7189F54ECCAE6AB7B9FF44714B24852EF45657641EB70BC428A20

Function 00C9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D650

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction ID: faafc4ac55dc0a4c8bca80dd4a27a3a32113350b93389912c21cc42d73979c6c
Opcode Fuzzy Hash: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction Fuzzy Hash: 22118E71E01228BFDB108F95EC88FAFBBBCEB45B60F108115F918F7290C2704A018BA1

Function 00C91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C916A1
FreeSid.ADVAPI32(?), ref: 00C916B1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction ID: b5326772929f73a584ee4c00fe9ab7bba2de5c74c85fc9e28af3706742892ed1
Opcode Fuzzy Hash: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction Fuzzy Hash: AAF0F471950309FBDF00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA448A54

Function 00C6C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00C6C36C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: dbe58c3353d1770c566aa9804fa9747ae6dd4182e4b1f92af994a9cd715b41e7
Instruction ID: dfc272ddacb0d0121f4e510800be225a2b855169285ada2e122adb25bd92868a
Opcode Fuzzy Hash: dbe58c3353d1770c566aa9804fa9747ae6dd4182e4b1f92af994a9cd715b41e7
Instruction Fuzzy Hash: 7F413676900219ABCB349FB9CCC8EBB77B8EB84314F1042A9F955C7290E6309E81CB50

Function 00C5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7e0f3c2bfa45d1ee8fa32d049a49d368d9e2c55044db4c5ce44fc5035c6868a6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CA021C75E002199FDF14CFA9C8C06ADBBF1EF48315F25826AD829E7380D731AA45CB94

Function 00CA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA6918
FindClose.KERNEL32(00000000), ref: 00CA6961

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction ID: 3a0dd52f770706c6df0028b219e6dcb61f4ff0b9547a697a2c197956a9e98e5b
Opcode Fuzzy Hash: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction Fuzzy Hash: 691190756142019FC710DF69D4C8A1ABBE5FF89328F18C699E4698F7A2CB30EC05CB91

Function 00CA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37F4

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction ID: bfcbc2d38f66744642b08d3c5a82970ef6471c82f2b06e02b5f716815aa44271
Opcode Fuzzy Hash: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction Fuzzy Hash: 30F0E5B17043292AE72057A69C8DFEB3AAEEFC5765F000165F509D22D1D9A09904C6B0

Function 00C9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C9B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00C9B270

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction ID: a061a4573e2f08a6a0b54b7bc0f1dcc4a62c021e771b9e0f0255b7ae5e66235d
Opcode Fuzzy Hash: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction Fuzzy Hash: 40F01D7180424EABDF059FA1D849BAE7BB4FF04305F00801AF965A5192C37996119F94

Function 00C910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 00a1eb64949af251ad471a583820e66e335dd5a17a97ffd43bd1db2dc2b612fa
Instruction ID: 5abb3359b0f96b21fdd7361cc147e233e661537826719ed40d41d342d1543bd8
Opcode Fuzzy Hash: 00a1eb64949af251ad471a583820e66e335dd5a17a97ffd43bd1db2dc2b612fa
Instruction Fuzzy Hash: 3BE0BF72014651AEE7252B51FC49F7777A9FB04321B14882DF5A6804B1DB62AC91EB50

Function 00C3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C80C40

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 864c5ad9fca7666b66436c708669be3f2175200b97b8a1b68726e79871ce2ad2
Instruction ID: 8b870baed2aa72c65dafceffa43cdbd44640c8b4b75798b7a4b1c82d992c876a
Opcode Fuzzy Hash: 864c5ad9fca7666b66436c708669be3f2175200b97b8a1b68726e79871ce2ad2
Instruction Fuzzy Hash: 4632AD34920218DBCF14EF94D8C5BEDB7B5BF08308F244069E816BB292D735AE49DB61

Function 00C6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C66766,?,?,00000008,?,?,00C6FEFE,00000000), ref: 00C66998

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction ID: a11760153e740219a5f3887fea6af427b543f26858021b3f0c974d88227e01dd
Opcode Fuzzy Hash: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction Fuzzy Hash: D5B10B716106099FD725CF28C4C6B657BE0FF45368F258658E8A9CF2A2C735EA91CB40

Function 00C4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C8851F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction ID: 42f2d55abe1d1e94ba59b680a1d4a46932ad957d1d1fc90b7812402fd115c629
Opcode Fuzzy Hash: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction Fuzzy Hash: CB126E719002299BDB24DF59C880AEEB7F5FF48310F54819AE849EB251DB30DE85DF94

Function 00CAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CAEABD

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction ID: 7c68ec8407bd084c9e59d3a9a6a81f0b54d8105698baef41ed2074199e2a5641
Opcode Fuzzy Hash: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction Fuzzy Hash: F1E04F362102059FC710EF5AD844E9AFBE9AF99764F00841AFD49DB351DB70EC409B90

Function 00C509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C503EE), ref: 00C509DA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction ID: 33caccf2bd8d2aaab26b858305ba9659f2c99387ca15dfa7a4cc4f550007fe82
Opcode Fuzzy Hash: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction Fuzzy Hash:

Function 00C5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C5798B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1986b509d04622fc88b2e319ecd962d18c20ebb083548df47dec8106570e57bb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3F51696D60C6055BDB384569A95D7BE23899B12303F180709DCA2FB2C2C615DFCDE36E

Function 00C66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction ID: 7d9de333c31d5a80e375f64ad5cff8984bf307eb59f572b6070495226bd1f563
Opcode Fuzzy Hash: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction Fuzzy Hash: D4320422D2AF414DD7239634CC62339A749AFB73C9F15DB37E82AB5DA5EB29C5834100

Function 00C4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction ID: 0c6713bb3590a92ebc28e42a9f74d088fc3ad5eda76e09d3f83ce68fee69181c
Opcode Fuzzy Hash: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction Fuzzy Hash: 6F323831A001558BCF28EF2DC4D46BD77A1FF45308F28856AD56ADB2A1D330DE81EB69

Function 00C37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fd4afdd1361382090a9c94f277abe7e73636f2572d1fe6eda7511ea4b9b3d2
Instruction ID: 99f39b8aa88ad5b87c93271d462084c025984f9bbf2a5636d25bdd582a773279
Opcode Fuzzy Hash: 02fd4afdd1361382090a9c94f277abe7e73636f2572d1fe6eda7511ea4b9b3d2
Instruction Fuzzy Hash: 9522C3B0A04609DFDF14CF65C881AAEB7F5FF44300F208629E816E72A1EB75AE55DB50

Function 00C391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b7125e0833d34ed79807dd96d1bcb6b99eeb93b52ed3c21dc0d0031c338157
Instruction ID: 41b8aa9b5011852da5ccb5e40b4ae271269796f2f6c9dab7759ef2f658e72c4e
Opcode Fuzzy Hash: e6b7125e0833d34ed79807dd96d1bcb6b99eeb93b52ed3c21dc0d0031c338157
Instruction Fuzzy Hash: 0002D7B1E10205EBCB05DF55D881AAEBBB1FF48300F108169E81A9B290EB71EE55DB95

Function 00C69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction ID: 1f790d89480d3f25e874ea2848c21863b7d18efed61fd68bf662a3c114d77f08
Opcode Fuzzy Hash: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction Fuzzy Hash: 0DB1F120D2AF814DC3239639897133AB75CAFBB6D5F91D31BFC2674D62EB2286834141

Function 00C51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 93758ad3bdcda92781493b2451fa8ad47a146794c384d18380a89bcbc6290110
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E99178361080A34ADB2A463A853D67DFFF15A523A371E079DDCF2CA1C1FE109A9CD624

Function 00C519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7437c229923d49a09d93ff438f4f0f2db4b2be0aa85858de6dc20f1adb04ae8a
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2891667A2090A34ADB2A427A857C13DFFE15A923A331D079DDCF2CA1C1FD14969CE624

Function 00C57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction ID: a7a047fe7188a04d4b1c7f164a2fc66da8709257784051b5555166f6c1bd9a3c
Opcode Fuzzy Hash: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction Fuzzy Hash: 5461773C60830957EE349A28B899BBE2384DF41703F141B19EC53DB281DA11AFCEA35D

Function 00C57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction ID: f6d8344e51e3b0fa874393910b1e7b051b446a5657f1bf36d38d44e2bb5b0774
Opcode Fuzzy Hash: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction Fuzzy Hash: 7F616D7D2087095ADE344A287856BBF23A4DF41703F100B59EC53DB281EA529FCE925D

Function 00C51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bba2e23547b54c75059887c05803c15dab07f668508e812176ee280db6bb9e2c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8B81657A5080A309DB29463E853857EFFE15A923A371E079DDCF2CA1C1EE149A9CD624

Function 00CA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction ID: 0af34ae44d9ea5f02ce21d44717716aeb9b7212aa057300e84f7f6dc497c8e2c
Opcode Fuzzy Hash: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction Fuzzy Hash: EE21E7322216118BD728CF79C82377E77E5AB54314F14862EE4A7C33D0DE3AAA04CB90

Function 00CB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB2B30
DeleteObject.GDI32(00000000), ref: 00CB2B43
DestroyWindow.USER32 ref: 00CB2B52
GetDesktopWindow.USER32 ref: 00CB2B6D
GetWindowRect.USER32(00000000), ref: 00CB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2CF8
GetClientRect.USER32(00000000,?), ref: 00CB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D80
GlobalLock.KERNEL32(00000000), ref: 00CB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DA8
GlobalFree.KERNEL32(00000000), ref: 00CB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CCFC38,00000000), ref: 00CB2DDB
GlobalFree.KERNEL32(00000000), ref: 00CB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB303F

Strings

AutoIt v3, xrefs: 00CB2CF2
DISPLAY, xrefs: 00CB2EA2
, xrefs: 00CB2FC5
static, xrefs: 00CB2D3A, 00CB2E91

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction ID: 6cebde7c9baeb297aec7842ad268323151d1850fa1831b9c4f4042cfab5ad802
Opcode Fuzzy Hash: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction Fuzzy Hash: 82025975900219AFDB14DFA4CD89FAE7BB9EF48311F048158F919AB2A1CB74ED01CB60

Function 00CC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CC712F
GetSysColorBrush.USER32(0000000F), ref: 00CC7160
GetSysColor.USER32(0000000F), ref: 00CC716C
SetBkColor.GDI32(?,000000FF), ref: 00CC7186
SelectObject.GDI32(?,?), ref: 00CC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC71C0
GetSysColor.USER32(00000010), ref: 00CC71C8
CreateSolidBrush.GDI32(00000000), ref: 00CC71CF
FrameRect.USER32(?,?,00000000), ref: 00CC71DE
DeleteObject.GDI32(00000000), ref: 00CC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CC7230
FillRect.USER32(?,?,?), ref: 00CC7262
GetWindowLongW.USER32(?,000000F0), ref: 00CC7284

Part of subcall function 00CC73E8: GetSysColor.USER32(00000012), ref: 00CC7421
Part of subcall function 00CC73E8: SetTextColor.GDI32(?,?), ref: 00CC7425
Part of subcall function 00CC73E8: GetSysColorBrush.USER32(0000000F), ref: 00CC743B
Part of subcall function 00CC73E8: GetSysColor.USER32(0000000F), ref: 00CC7446
Part of subcall function 00CC73E8: GetSysColor.USER32(00000011), ref: 00CC7463
Part of subcall function 00CC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
Part of subcall function 00CC73E8: SelectObject.GDI32(?,00000000), ref: 00CC7482
Part of subcall function 00CC73E8: SetBkColor.GDI32(?,00000000), ref: 00CC748B
Part of subcall function 00CC73E8: SelectObject.GDI32(?,?), ref: 00CC7498
Part of subcall function 00CC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
Part of subcall function 00CC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
Part of subcall function 00CC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 072dbed393e26279ba2bbd613edd4c5c13c54f048ae1bf2451a23a8a01c65a4f
Instruction ID: 5101c1bc06ac51c53b4f8e58ce2206f6ed38b1d135b2964ae64a90ad2a5bcd76
Opcode Fuzzy Hash: 072dbed393e26279ba2bbd613edd4c5c13c54f048ae1bf2451a23a8a01c65a4f
Instruction Fuzzy Hash: D9A18B72408301AFDB009F60DC88F6EBBA9FB89320F140B19F96A961A1D771E9459F51

Function 00C48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C86F43

Part of subcall function 00C48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C48BE8,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48FC5

SendMessageW.USER32(?,00001053), ref: 00C86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C86FB7

Strings

0, xrefs: 00C86DCF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0d2780e7a0b86c73ca8c1c1e5975c9d39e008148d8505772cff2b370b9316db7
Instruction ID: 31dd32c46c004166cf5eebb317a8b9a0088106a95ca7b8bc6fe06188e3f3e733
Opcode Fuzzy Hash: 0d2780e7a0b86c73ca8c1c1e5975c9d39e008148d8505772cff2b370b9316db7
Instruction Fuzzy Hash: 9012DF38600201EFDB25EF24D884BAAB7E1FB44308F144469F5A9CB661CB31ED96DF95

Function 00CB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CB2900
GetClientRect.USER32(00000000,?), ref: 00CB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB2964
GetStockObject.GDI32(00000011), ref: 00CB2974
SelectObject.GDI32(00000000,00000000), ref: 00CB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2991
DeleteDC.GDI32(00000000), ref: 00CB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CB2A77
GetStockObject.GDI32(00000011), ref: 00CB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CB2A97

Strings

AutoIt v3, xrefs: 00CB28F8
DISPLAY, xrefs: 00CB295A
msctls_progress32, xrefs: 00CB2A13
static, xrefs: 00CB294F, 00CB2A71

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction ID: 9054f189cf9bb734ffd3f25c44ea9790bb842978c3331234f6bef34dcd8dea5b
Opcode Fuzzy Hash: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction Fuzzy Hash: BFB14E75A10215AFEB14DFA9CC89FAE7BA9EB48710F004215F919E7290DB74ED40CBA4

Function 00CA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4AED
GetDriveTypeW.KERNEL32(?,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4BCA
SetErrorMode.KERNEL32(00000000,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4D36

Strings

Removable, xrefs: 00CA4C10, 00CA4C15
RAMDisk, xrefs: 00CA4BF4
USB, xrefs: 00CA4CB4
ATAPI, xrefs: 00CA4C91
RAID, xrefs: 00CA4CBB
Fixed, xrefs: 00CA4C09
Network, xrefs: 00CA4C02
SAS, xrefs: 00CA4CC9
iSCSI, xrefs: 00CA4CC2
SSA, xrefs: 00CA4CA6
Unknown, xrefs: 00CA4BED, 00CA4C83
ATA, xrefs: 00CA4C98
Virtual, xrefs: 00CA4CE5
PhysicalDrive, xrefs: 00CA4B76
CDROM, xrefs: 00CA4BFB
SATA, xrefs: 00CA4CD0
Fibre, xrefs: 00CA4CAD
1394, xrefs: 00CA4C9F
SSD, xrefs: 00CA4C4A
MMC, xrefs: 00CA4CDE
FileBackedVirtual, xrefs: 00CA4CEC
\\.\, xrefs: 00CA4B3F
SCSI, xrefs: 00CA4C8A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction ID: cadd76c1e48a61d4bfff32810608a569ba8f43d407bbea03b51c8ed99cb24cfd
Opcode Fuzzy Hash: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction Fuzzy Hash: EE61C43060520BDBCB4CDF25CA81D7C77B0EB8635CB248425F90AAB691DBB1DE41EB52

Function 00CC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CC7421
SetTextColor.GDI32(?,?), ref: 00CC7425
GetSysColorBrush.USER32(0000000F), ref: 00CC743B
GetSysColor.USER32(0000000F), ref: 00CC7446
CreateSolidBrush.GDI32(?), ref: 00CC744B
GetSysColor.USER32(00000011), ref: 00CC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
SelectObject.GDI32(?,00000000), ref: 00CC7482
SetBkColor.GDI32(?,00000000), ref: 00CC748B
SelectObject.GDI32(?,?), ref: 00CC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CC7572
DrawFocusRect.USER32(?,?), ref: 00CC757D
GetSysColor.USER32(00000011), ref: 00CC758E
SetTextColor.GDI32(?,00000000), ref: 00CC7596
DrawTextW.USER32(?,00CC70F5,000000FF,?,00000000), ref: 00CC75A8
SelectObject.GDI32(?,?), ref: 00CC75BF
DeleteObject.GDI32(?), ref: 00CC75CA
SelectObject.GDI32(?,?), ref: 00CC75D0
DeleteObject.GDI32(?), ref: 00CC75D5
SetTextColor.GDI32(?,?), ref: 00CC75DB
SetBkColor.GDI32(?,?), ref: 00CC75E5

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f939c8ba4ae5c92811063389b89d32625766b5a295b46d6a95c8cf40d3a216a5
Instruction ID: dd2ff192614e34f33b1cc0d4566f3db5828cc1d24cb62a813b1d31cba26d364e
Opcode Fuzzy Hash: f939c8ba4ae5c92811063389b89d32625766b5a295b46d6a95c8cf40d3a216a5
Instruction Fuzzy Hash: 23613B72904218AFDF019FA4DC89FEEBFB9EB08320F154215F915AB2A1D7759A40DF90

Function 00CC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC1128
GetDesktopWindow.USER32 ref: 00CC113D
GetWindowRect.USER32(00000000), ref: 00CC1144
GetWindowLongW.USER32(?,000000F0), ref: 00CC1199
DestroyWindow.USER32(?), ref: 00CC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CC1245
IsWindowVisible.USER32(00000000), ref: 00CC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CC12D0
GetWindowRect.USER32(00000000,?), ref: 00CC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CC1328
CopyRect.USER32(?,?), ref: 00CC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CC13AA

Strings

tooltips_class32, xrefs: 00CC11E6
0, xrefs: 00CC10D3
(, xrefs: 00CC131B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction ID: 9f3d35d78ef0d77ec14900378caf231cb2d21ac72a189f33305bb5ddc2832f85
Opcode Fuzzy Hash: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction Fuzzy Hash: E2B18871608341AFD710DF65C884F6EBBE4EF89314F04891CF9999B2A2C771E845DB92

Function 00CC0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC02E5
_wcslen.LIBCMT ref: 00CC031F
_wcslen.LIBCMT ref: 00CC0389
_wcslen.LIBCMT ref: 00CC03F1
_wcslen.LIBCMT ref: 00CC0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CC04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CC0504

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

Part of subcall function 00C9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C92258
Part of subcall function 00C9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C9228A

Strings

GETSELECTEDCOUNT, xrefs: 00CC0470, 00CC048B
SELECTCLEAR, xrefs: 00CC052D
VIEWCHANGE, xrefs: 00CC0675
GETSELECTED, xrefs: 00CC05E1
GETTEXT, xrefs: 00CC03EC, 00CC0407
ISSELECTED, xrefs: 00CC04DD
SELECT, xrefs: 00CC0548
DESELECT, xrefs: 00CC059C
GETSUBITEMCOUNT, xrefs: 00CC0384, 00CC039F
SELECTALL, xrefs: 00CC0515
FINDITEM, xrefs: 00CC0627
SELECTINVERT, xrefs: 00CC057E
GETITEMCOUNT, xrefs: 00CC0316, 00CC0337

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 66855da311e01684adfd79b4783016db4788506218b5510683c9d1f7fb62ac63
Instruction ID: 8ed45f422042d8228f22accf42f7f13b6eaea80d62773c0c48c7f70997627421
Opcode Fuzzy Hash: 66855da311e01684adfd79b4783016db4788506218b5510683c9d1f7fb62ac63
Instruction Fuzzy Hash: 47E18E31218301DBCB18DF24C591E2EB3E5BF98714F244A5CF9A69B2A1DB30EE45DB52

Function 00C48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C48968
GetSystemMetrics.USER32(00000007), ref: 00C48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C4899B
GetSystemMetrics.USER32(00000008), ref: 00C489A3
GetSystemMetrics.USER32(00000004), ref: 00C489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C48A5A
GetStockObject.GDI32(00000011), ref: 00C48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C48A81

Part of subcall function 00C4912D: GetCursorPos.USER32(?), ref: 00C49141
Part of subcall function 00C4912D: ScreenToClient.USER32(00000000,?), ref: 00C4915E
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000001), ref: 00C49183
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000002), ref: 00C4919D

SetTimer.USER32(00000000,00000000,00000028,00C490FC), ref: 00C48AA8

Strings

AutoIt v3 GUI, xrefs: 00C48A20

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 48233f3201463d359e65e968c1e63f307681ee4ce20cc0ea710517c0ab1c1915
Instruction ID: 4a6f14506e080131aad5e3064fc4186a79f556866b72c38f47c378dd709cb509
Opcode Fuzzy Hash: 48233f3201463d359e65e968c1e63f307681ee4ce20cc0ea710517c0ab1c1915
Instruction Fuzzy Hash: 94B17B35A00209AFDB14DFA8DC85FAE3BB5FB48314F104229FA19E7290DB74A941CF65

Function 00C90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90E29
GetLengthSid.ADVAPI32(?), ref: 00C90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90E96
GetLengthSid.ADVAPI32(?), ref: 00C90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90EB5
HeapAlloc.KERNEL32(00000000), ref: 00C90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90EDD
CopySid.ADVAPI32(00000000), ref: 00C90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F6E
HeapFree.KERNEL32(00000000), ref: 00C90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F7E
HeapFree.KERNEL32(00000000), ref: 00C90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F8E
HeapFree.KERNEL32(00000000), ref: 00C90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90FA1
HeapFree.KERNEL32(00000000), ref: 00C90FA8

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction ID: c2e5371e303c79f073a1beab75f27eae9ee390506ecabe8d8fa281b0d4112f9e
Opcode Fuzzy Hash: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction Fuzzy Hash: 9F71597290020AAFDF20DFA5DC89FAEBBB8FF05301F244115F969A6191D731DA15CB60

Function 00CBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CCCC08,00000000,?,00000000,?,?), ref: 00CBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CBC5A4
_wcslen.LIBCMT ref: 00CBC5F4
_wcslen.LIBCMT ref: 00CBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CBC84D
RegCloseKey.ADVAPI32(?), ref: 00CBC881
RegCloseKey.ADVAPI32(00000000), ref: 00CBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CBC960

Strings

REG_MULTI_SZ, xrefs: 00CBC6F5
REG_BINARY, xrefs: 00CBC913
REG_QWORD, xrefs: 00CBC8C3
REG_EXPAND_SZ, xrefs: 00CBC5CD
REG_SZ, xrefs: 00CBC644
REG_DWORD, xrefs: 00CBC804

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a77360f97402ac4d22a457ff76148c3c010f88c4d02f953a42521738ac144572
Instruction ID: e2134fb8216e4bd626afbe9d5d0bcf1c48ca0380f6b683c1a6f93e6c0e99bf09
Opcode Fuzzy Hash: a77360f97402ac4d22a457ff76148c3c010f88c4d02f953a42521738ac144572
Instruction Fuzzy Hash: B21277756042019FDB24DF24C881F6AB7E5EF88714F04895DF89A9B3A2DB31ED41DB81

Function 00CC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC09C6
_wcslen.LIBCMT ref: 00CC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC0A54
_wcslen.LIBCMT ref: 00CC0A8A
_wcslen.LIBCMT ref: 00CC0B06
_wcslen.LIBCMT ref: 00CC0B81

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

Part of subcall function 00C92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C92BFA

Strings

CHECK, xrefs: 00CC0A85, 00CC0AA0
EXPAND, xrefs: 00CC0BF8
SELECT, xrefs: 00CC0D11
COLLAPSE, xrefs: 00CC0B01, 00CC0B1C
GETSELECTED, xrefs: 00CC0C4E
EXISTS, xrefs: 00CC0B7C, 00CC0B97
GETTEXT, xrefs: 00CC0C97
GETTOTALCOUNT, xrefs: 00CC09F2, 00CC0A17
ISCHECKED, xrefs: 00CC0CE1
UNCHECK, xrefs: 00CC0D3E
GETITEMCOUNT, xrefs: 00CC0C1E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction ID: 11386db4f2bf1042fbfb3f3e11522feb4bab24b2255985b349f6569000074858
Opcode Fuzzy Hash: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction Fuzzy Hash: 86E17975208301DFCB14DF29C451A2AB7E1BF98314F25895CF8A69B3A2D731EE45DB82

Function 00CBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
_wcslen.LIBCMT ref: 00CBC9F1
_wcslen.LIBCMT ref: 00CBCA68
_wcslen.LIBCMT ref: 00CBCA9E
_wcslen.LIBCMT ref: 00CBCAF9
_wcslen.LIBCMT ref: 00CBCB2F
_wcslen.LIBCMT ref: 00CBCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00CBCAF3, 00CBCAF8
HKCU, xrefs: 00CBCBCE
HKLM, xrefs: 00CBCA98, 00CBCA9D
HKEY_USERS, xrefs: 00CBCBDF
HKEY_CURRENT_CONFIG, xrefs: 00CBCB79, 00CBCB7E
HKEY_LOCAL_MACHINE, xrefs: 00CBCA62, 00CBCA67
HKCR, xrefs: 00CBCB29, 00CBCB2E
HKU, xrefs: 00CBCBF0
HKCC, xrefs: 00CBCBAC
HKEY_CURRENT_USER, xrefs: 00CBCBBD

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction ID: 7cc5d0b57ea01649b4bdd3cc86bce7bf9af79095d20dfdcb05307527f8695374
Opcode Fuzzy Hash: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction Fuzzy Hash: 9871E53261012A8BCF20DF7DCDD16FF3795AB60754F250529FC66AB284E631CE85A3A1

Function 00CC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC835A
_wcslen.LIBCMT ref: 00CC836E
_wcslen.LIBCMT ref: 00CC8391
_wcslen.LIBCMT ref: 00CC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CC5BF2), ref: 00CC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8501
FreeLibrary.KERNEL32(?), ref: 00CC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CC851D
DestroyIcon.USER32(?,?,?,?,?,00CC5BF2), ref: 00CC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CC8555

Strings

.icl, xrefs: 00CC8368
.exe, xrefs: 00CC8388
.dll, xrefs: 00CC83AB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction ID: 5203741b909b12f6caa056c8c2acaf1bd56b4c8d4ec01d5dd403a17e5ad23da0
Opcode Fuzzy Hash: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction Fuzzy Hash: D461D071940219BEEB18DF64CC81FBF77A8BB08711F10460AF925D60D1DBB4AA94DBA0

Function 00C37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00C3785F, 00C378B1
Bad directive syntax error, xrefs: 00C7519A
#OnAutoItStartRegister, xrefs: 00C37817
#include-once, xrefs: 00C3782F
#cs, xrefs: 00C37873, 00C378C5
#include, xrefs: 00C37847
Unterminated group of comments, xrefs: 00C7528C
Cannot parse #include, xrefs: 00C75279
", xrefs: 00C75153
', xrefs: 00C75169
#comments-end, xrefs: 00C378D9
#pragma compile, xrefs: 00C377D3
#requireadmin, xrefs: 00C377FF
#ce, xrefs: 00C378ED
#notrayicon, xrefs: 00C377E7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: dbc0c5cf8c082ad999aed66971b7b16b8df2d8268a5dfe00ae4a7ddb20f796cc
Instruction ID: 6a9f4a18636b5f8bd5a7f700428570c447515f378418e211d61a0fdf4723834c
Opcode Fuzzy Hash: dbc0c5cf8c082ad999aed66971b7b16b8df2d8268a5dfe00ae4a7ddb20f796cc
Instruction Fuzzy Hash: 5D81F7B1A14605BBDF21AF60CC43FAE37B9AF15300F044128F919BA192EBB0DA55D791

Function 00C95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C95A40
SetWindowTextW.USER32(?,?), ref: 00C95A57
GetDlgItem.USER32(?,000003EA), ref: 00C95A6C
SetWindowTextW.USER32(00000000,?), ref: 00C95A72
GetDlgItem.USER32(?,000003E9), ref: 00C95A82
SetWindowTextW.USER32(00000000,?), ref: 00C95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C95AC3
GetWindowRect.USER32(?,?), ref: 00C95ACC
_wcslen.LIBCMT ref: 00C95B33
SetWindowTextW.USER32(?,?), ref: 00C95B6F
GetDesktopWindow.USER32 ref: 00C95B75
GetWindowRect.USER32(00000000), ref: 00C95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C95BD3
GetClientRect.USER32(?,?), ref: 00C95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C95C2F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction ID: a4f4cb3037d4bdb7504dd43a6886a1b979323dfeabe8da0e404999edffe53442
Opcode Fuzzy Hash: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction Fuzzy Hash: 26716A31900B09AFDF21DFA9CE89FAEBBF5FF48704F104518E596A25A0D775AA40CB50

Function 00C500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C500C6

Part of subcall function 00C500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D0070C,00000FA0,230831EF,?,?,?,?,00C723B3,000000FF), ref: 00C5011C
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50127
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50138
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C5014E
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C5015C
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C5016A
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C50195
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C501A0

___scrt_fastfail.LIBCMT ref: 00C500E7

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

Strings

InitializeConditionVariable, xrefs: 00C50148
kernel32.dll, xrefs: 00C50133
SleepConditionVariableCS, xrefs: 00C50154
WakeAllConditionVariable, xrefs: 00C50162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C50122

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction ID: 4f34280b2d806b6c25027bc8bcfbf1ab8989643a1ce79c7b09b5aa032a4d63d3
Opcode Fuzzy Hash: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction Fuzzy Hash: 3B21F637A44B106FE7115F64EC46F6E3794EB44B62F24013EFC0AE22D1DF7498858AA9

Function 00C930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9318D
_wcslen.LIBCMT ref: 00C931F8

Strings

CLASSNN, xrefs: 00C931F3, 00C93204
NAME, xrefs: 00C93335, 00C93346
TEXT, xrefs: 00C9347C
REGEXPCLASS, xrefs: 00C93255, 00C93266
INSTANCE, xrefs: 00C93453
CLASS, xrefs: 00C93188, 00C931A5

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction ID: 8a29a8d34c8af82206c5af37a696e839060b87af08869c0b0c46b5082daac922
Opcode Fuzzy Hash: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction Fuzzy Hash: ABE11532A00556ABCF189FB8C8497FEFBB0BF44710F558129E966B7250DB30AF859790

Function 00CA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CCCC08), ref: 00CA4527
_wcslen.LIBCMT ref: 00CA453B
_wcslen.LIBCMT ref: 00CA4599
_wcslen.LIBCMT ref: 00CA45F4
_wcslen.LIBCMT ref: 00CA463F
_wcslen.LIBCMT ref: 00CA46A7

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

GetDriveTypeW.KERNEL32(?,00CF6BF0,00000061), ref: 00CA4743

Strings

unknown, xrefs: 00CA4708
removable, xrefs: 00CA45EA, 00CA45EF
network, xrefs: 00CA469D, 00CA46A2
cdrom, xrefs: 00CA458F, 00CA4594
all, xrefs: 00CA4531, 00CA4536
ramdisk, xrefs: 00CA46F1
fixed, xrefs: 00CA4635, 00CA463A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction ID: 2d6a901c19548e8eb16380eea132014eb7ecdf774c494a155e1f8fddc7d7480b
Opcode Fuzzy Hash: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction Fuzzy Hash: 6EB101716083029FC718DF28C890A6EB7E5AFE6728F10491DF4A6C7291D7B0DA44CB52

Function 00C3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D01990), ref: 00C72F8D
GetMenuItemCount.USER32(00D01990), ref: 00C7303D
GetCursorPos.USER32(?), ref: 00C73081
SetForegroundWindow.USER32(00000000), ref: 00C7308A
TrackPopupMenuEx.USER32(00D01990,00000000,?,00000000,00000000,00000000), ref: 00C7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C730A9

Strings

0, xrefs: 00C3327D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction ID: 7ac9067b95b6bc76d64000c9ebb7fc3ec99d50a7217f553951810b15d77947fb
Opcode Fuzzy Hash: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction Fuzzy Hash: DC712A30644255BFEB219F65CC89F9ABF64FF04364F208216F52CAA1E1C7B1AE10E750

Function 00CC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CC6DEB

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6E94
DestroyWindow.USER32(?), ref: 00CC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C30000,00000000), ref: 00CC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6EFD
GetDesktopWindow.USER32 ref: 00CC6F16
GetWindowRect.USER32(00000000), ref: 00CC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CC6F4D

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

Strings

tooltips_class32, xrefs: 00CC6E58, 00CC6EDD
0, xrefs: 00CC6D98

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction ID: 76ee9ebe49d5602eaa908c164c00e03a62e4af4289d5797065fa148244d38cbd
Opcode Fuzzy Hash: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction Fuzzy Hash: 42715674104344AFDB21CF58D988FAABBE9FF89304F04041EF9A987261C770AA46DF11

Function 00CC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DragQueryPoint.SHELL32(?,?), ref: 00CC9147

Part of subcall function 00CC7674: ClientToScreen.USER32(?,?), ref: 00CC769A
Part of subcall function 00CC7674: GetWindowRect.USER32(?,?), ref: 00CC7710
Part of subcall function 00CC7674: PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9277
DragFinish.SHELL32(?), ref: 00CC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CC9371

Strings

@GUI_DRAGFILE, xrefs: 00CC9320
@GUI_DROPID, xrefs: 00CC929E
@GUI_DRAGID, xrefs: 00CC92E9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction ID: 020658d3686902dbb057d85b468db9b898940ee03f963e76476b107bc2069cb5
Opcode Fuzzy Hash: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction Fuzzy Hash: E6614B71108301AFD705DF64DC89EAFBBE8EF89750F00092EF595932A1DB709A49DB62

Function 00CAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC5F0
InternetCloseHandle.WININET(00000000), ref: 00CAC5FB

Strings

, xrefs: 00CAC575

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction ID: e89be8476363def0bf6cc2548e9988027c9a9a1bcc68e3ecbe9994ad5bf2dc87
Opcode Fuzzy Hash: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction Fuzzy Hash: E9513BB1500606BFDB219F65C9C8BAA7BFCEF09758F004419F95AD6610DB34EA44AB60

Function 00CC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CC8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85BA
GlobalLock.KERNEL32(00000000), ref: 00CC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CC85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CCFC38,?), ref: 00CC8611
GlobalFree.KERNEL32(00000000), ref: 00CC8621
GetObjectW.GDI32(?,00000018,?), ref: 00CC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CC8671
DeleteObject.GDI32(?), ref: 00CC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CC86AF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction ID: cf242096906c706a3e61995bfd5c5b7ecd9ae719addf02f72892983c59729dd8
Opcode Fuzzy Hash: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction Fuzzy Hash: ED41F975600204AFDB119FA5DC88FAF7BB8FF89B11F144059F919E7260DB709A05DB60

Function 00CA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CA1502
VariantCopy.OLEAUT32(?,?), ref: 00CA150B
VariantClear.OLEAUT32(?), ref: 00CA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CA1657
VariantInit.OLEAUT32(?), ref: 00CA1708
SysFreeString.OLEAUT32(?), ref: 00CA178C
VariantClear.OLEAUT32(?), ref: 00CA17D8
VariantClear.OLEAUT32(?), ref: 00CA17E7
VariantInit.OLEAUT32(00000000), ref: 00CA1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00CA1625
Default, xrefs: 00CA16AF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a0ab3e7948f61953ade3bdaf86f2c5551bd557791c4c7dafbcb33cf9ceaf6a53
Instruction ID: 7b9ced0b221c57a45316895c3523fbe373e255a57bbfd81c88b8adcc7e02c802
Opcode Fuzzy Hash: a0ab3e7948f61953ade3bdaf86f2c5551bd557791c4c7dafbcb33cf9ceaf6a53
Instruction Fuzzy Hash: 5CD10131E0051AEBDB00DFA6D895B7DB7B5BF46708F18805AF846AB190DB30DD41EB61

Function 00CBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CBB80A
RegCloseKey.ADVAPI32(?), ref: 00CBB87E
RegCloseKey.ADVAPI32(?), ref: 00CBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBB922
FreeLibrary.KERNEL32(00000000), ref: 00CBB983
RegCloseKey.ADVAPI32(00000000), ref: 00CBB994

Strings

RegDeleteKeyExW, xrefs: 00CBB8FE
advapi32.dll, xrefs: 00CBB8ED

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction ID: dea2e48b0fc18eff5d1116de37f29b419ae7b366078786e1134f2868f2b146ab
Opcode Fuzzy Hash: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction Fuzzy Hash: F4C1AE34608201AFD714DF14C494F6ABBE5FF84318F14859CF4AA9B2A2CBB1ED45CB91

Function 00CB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CB25E8
CreateCompatibleDC.GDI32(?), ref: 00CB25F4
SelectObject.GDI32(00000000,?), ref: 00CB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CB26D0
SelectObject.GDI32(?,?), ref: 00CB26D8
DeleteObject.GDI32(?), ref: 00CB26E1
DeleteDC.GDI32(?), ref: 00CB26E8
ReleaseDC.USER32(00000000,?), ref: 00CB26F3

Strings

(, xrefs: 00CB268D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a22f2e009edf016127c05a5fe7031b055ce365d5bff5ea21da4b03a5e3bc6737
Instruction ID: 13bb2c5c1c8ac15d1ae0df3bb9c554352918d6b23bee1783ee62439b74e455df
Opcode Fuzzy Hash: a22f2e009edf016127c05a5fe7031b055ce365d5bff5ea21da4b03a5e3bc6737
Instruction Fuzzy Hash: 6D61D1B5D00219EFCF14CFA8D984EAEBBB5FF48310F248529E959A7250D770A941DFA0

Function 00C6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C6DAA1

Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D659
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D66B
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D67D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D68F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6A1
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6B3
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6C5
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6D7
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6E9
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6FB
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D70D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D71F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D731

_free.LIBCMT ref: 00C6DA96

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6DAB8
_free.LIBCMT ref: 00C6DACD
_free.LIBCMT ref: 00C6DAD8
_free.LIBCMT ref: 00C6DAFA
_free.LIBCMT ref: 00C6DB0D
_free.LIBCMT ref: 00C6DB1B
_free.LIBCMT ref: 00C6DB26
_free.LIBCMT ref: 00C6DB5E
_free.LIBCMT ref: 00C6DB65
_free.LIBCMT ref: 00C6DB82
_free.LIBCMT ref: 00C6DB9A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction ID: eee826972668ecf58427a70fe00f56ad8562f28018b539670f61034a27e73efc
Opcode Fuzzy Hash: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction Fuzzy Hash: EC315A31B086049FEB35AA79E8C5B6A77E9FF80350F154419F46AD7192DA30AE80A720

Function 00C9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C9369C
_wcslen.LIBCMT ref: 00C936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C93797
GetClassNameW.USER32(?,?,00000400), ref: 00C9380C
GetDlgCtrlID.USER32(?), ref: 00C9385D
GetWindowRect.USER32(?,?), ref: 00C93882
GetParent.USER32(?), ref: 00C938A0
ScreenToClient.USER32(00000000), ref: 00C938A7
GetClassNameW.USER32(?,?,00000100), ref: 00C93921
GetWindowTextW.USER32(?,?,00000400), ref: 00C9395D

Strings

%s%u, xrefs: 00C93734

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction ID: 2c22fd02838c459ebb0cadc7b9b70d132df8d93048b011bce977b9986c14faf9
Opcode Fuzzy Hash: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction Fuzzy Hash: 3691D371204746AFDB19DF64C889FAAF7A8FF44350F008629F9A9C2190DB30EB55CB91

Function 00C94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C94994
GetWindowTextW.USER32(?,?,00000400), ref: 00C949DA
_wcslen.LIBCMT ref: 00C949EB
CharUpperBuffW.USER32(?,00000000), ref: 00C949F7
_wcsstr.LIBVCRUNTIME ref: 00C94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C94B20
GetWindowRect.USER32(?,?), ref: 00C94B8B

Strings

ThumbnailClass, xrefs: 00C94A6F, 00C94AF1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction ID: d3ea08fc8d8905f28c6b9fdf1ce2bed39dcea3660af7ad3d028d49678c9ddc0c
Opcode Fuzzy Hash: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction Fuzzy Hash: A991C0711082059FDF08DF14C989FAA77E8FF84315F048469FD999A196EB30EE46CBA1

Function 00CC8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC8D5A
GetFocus.USER32 ref: 00CC8D6A
GetDlgCtrlID.USER32(00000000), ref: 00CC8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CC8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CC8ECF
GetMenuItemCount.USER32(?), ref: 00CC8EEC
GetMenuItemID.USER32(?,00000000), ref: 00CC8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CC8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CC8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CC8FA1

Strings

0, xrefs: 00CC8E9F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6bad3c01ec962d83353215ad36d87a2aeff2b64bac349e7cad555eed07b4051a
Instruction ID: b2cdb8c0f1286a858e8b89a41300138d79fe507564bff311c24ed14c42b6c3d8
Opcode Fuzzy Hash: 6bad3c01ec962d83353215ad36d87a2aeff2b64bac349e7cad555eed07b4051a
Instruction Fuzzy Hash: A281AC71508301AFDB10CF24D884FABBBE9FB88354F04095DF9A997291DB30DA09DBA1

Function 00C9DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C9DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C9DC46
_wcslen.LIBCMT ref: 00C9DC50
_wcsstr.LIBVCRUNTIME ref: 00C9DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C9DCBC

Strings

%u.%u.%u.%u, xrefs: 00C9DD9A
\VarFileInfo\Translation, xrefs: 00C9DCB4
DefaultLangCodepage, xrefs: 00C9DD1F
StringFileInfo\, xrefs: 00C9DC8F
04090000, xrefs: 00C9DCF2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 1fd6507987a88294d1244959b363f9cbc89f141b98d8418fc9e0d8b2f9777c16
Instruction ID: 0480883967c16d3d184e483d9286c8372bcf4aec0836862dd0ec5d9acac08235
Opcode Fuzzy Hash: 1fd6507987a88294d1244959b363f9cbc89f141b98d8418fc9e0d8b2f9777c16
Instruction Fuzzy Hash: 5D4122329402047ADB14AB74DC8BFBF37BCEF46751F100069F906B6182EB749A01A7B9

Function 00CBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD48

Part of subcall function 00CBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CBCCAA
Part of subcall function 00CBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CBCCBD
Part of subcall function 00CBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBCCCF
Part of subcall function 00CBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD05
Part of subcall function 00CBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBCCF3

Strings

RegDeleteKeyExW, xrefs: 00CBCCC9
advapi32.dll, xrefs: 00CBCCB8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction ID: fa53cd59e5fe6d5e09fdb61b7fa5e5f35d0438a2175404b85d78debcab95fb4e
Opcode Fuzzy Hash: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction Fuzzy Hash: 9E316C75901129BBDB208B65DCC8FFFBB7CEF55750F000169E91AE3240DB349B45AAA0

Function 00CA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA3D40
_wcslen.LIBCMT ref: 00CA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CA3E55
CloseHandle.KERNEL32(00000000), ref: 00CA3E60
CloseHandle.KERNEL32(00000000), ref: 00CA3E6B

Strings

\, xrefs: 00CA3D77
:, xrefs: 00CA3D82
\??\%s, xrefs: 00CA3D5B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction ID: 191030bef1034a2b00bca88ae3a3e879205918733d48a1de4849519280b12f78
Opcode Fuzzy Hash: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction Fuzzy Hash: E731D27291024AABDB219FA0DC89FEF37BCEF89754F1040B5F919D2060E77497848B24

Function 00C9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C9E6B4

Part of subcall function 00C4E551: timeGetTime.WINMM(?,?,00C9E6D4), ref: 00C4E555

Sleep.KERNEL32(0000000A), ref: 00C9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C9E727
SetActiveWindow.USER32 ref: 00C9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C9E773
Sleep.KERNEL32(000000FA), ref: 00C9E77E
IsWindow.USER32 ref: 00C9E78A
EndDialog.USER32(00000000), ref: 00C9E79B

Strings

BUTTON, xrefs: 00C9E719

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction ID: cd45e4e5db4f20501300cf2bd5c0f00cf099a4ee16faca958c57f6017ba471b9
Opcode Fuzzy Hash: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction Fuzzy Hash: D7215EB0200345AFEF00AFA1EDCEF3A3B69F764749B540425F519C26A1DB72AD50EB25

Function 00C9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C9EAA7

Strings

status PlayMe mode, xrefs: 00C9EA58
open , xrefs: 00C9EA0C
alias PlayMe, xrefs: 00C9EA36
close PlayMe, xrefs: 00C9EA6E, 00C9EA9B
play PlayMe, xrefs: 00C9EAA2
play PlayMe wait, xrefs: 00C9EA91

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction ID: b2ad9aa8846fdd925e87f0fb17bae494919ba5015bcf1951e1d8e3d5fa05e3b5
Opcode Fuzzy Hash: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction Fuzzy Hash: BE117731AA026D79DB50E762DC4AEFF6A7CEBD1B00F400439B511A20E1DEB05E05D6B1

Function 00C95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C95CE2
GetWindowRect.USER32(00000000,?), ref: 00C95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C95D59
GetDlgItem.USER32(?,00000002), ref: 00C95D69
GetWindowRect.USER32(00000000,?), ref: 00C95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C95DCF
GetDlgItem.USER32(?,000003E9), ref: 00C95DDD
GetWindowRect.USER32(00000000,?), ref: 00C95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C95E31
GetDlgItem.USER32(?,000003EA), ref: 00C95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C95E67

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction ID: a23b49855374f0905aaa96abb56373b5d90a5e6a033e6d938e86348b6a4df9eb
Opcode Fuzzy Hash: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction Fuzzy Hash: B351FDB1A00605AFDF19CF68DE89FAEBBB5FB48300F148129F519E6690D7709E04CB50

Function 00C48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C48BE8,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48FC5

DestroyWindow.USER32(?), ref: 00C48C81
KillTimer.USER32(00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000), ref: 00C869D4
DeleteObject.GDI32(00000000), ref: 00C869E6

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction ID: 197ab7981988fb35f231a276bf5f0e51a5e27fa3eb40c9d25cca7fc4bd757ba5
Opcode Fuzzy Hash: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction Fuzzy Hash: AC618C34902710DFDB25EF15D988B2D77F1FB44316F144518E0669BAA0CB35AE88DFA4

Function 00C49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetSysColor.USER32(0000000F), ref: 00C49862

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction ID: 13fd49a9aabe7521d9e8e1066f1cdb4b776158fa37e8f11ffe84157187769deb
Opcode Fuzzy Hash: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction Fuzzy Hash: 91417C31504660AFDB209B3DDC88BBA3BA5FB56334F284615FAB6872E1D7319942DB10

Function 00C996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C99717
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99720

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C99742
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C99866

Strings

Error: , xrefs: 00C9981D
^ ERROR, xrefs: 00C997FB
Line %d (File "%s"):, xrefs: 00C9978F
%s (%d) : ==> %s: %s %s, xrefs: 00C9984A
Line %d:, xrefs: 00C997A0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction ID: 2c87e68857936f1da04da4370a909305c679038d0069cbe799e4a015b0a1a53b
Opcode Fuzzy Hash: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction Fuzzy Hash: D5414D72800209AACF04FBE4DD86EEEB778EF55340F104069F605720A2EA756F49EB61

Function 00C906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9083C

Strings

SOFTWARE\Classes\, xrefs: 00C9070E
\CLSID, xrefs: 00C90724
\IPC$, xrefs: 00C90784

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction ID: 7dedc0959c869c83bd11def9ffcc31dc4da1d9d5cf92b4523f1aafcb38fa028c
Opcode Fuzzy Hash: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction Fuzzy Hash: 1B411572C10229AFCF15EBA4DC89DEDB7B8FF44350F144129E915A31A0EB709E05DBA0

Function 00CB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB3C5C
CoInitialize.OLE32(00000000), ref: 00CB3C8A
CoUninitialize.OLE32 ref: 00CB3C94
_wcslen.LIBCMT ref: 00CB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CB3F0E
CoGetObject.OLE32(?,00000000,00CCFB98,?), ref: 00CB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB3FC4
VariantClear.OLEAUT32(?), ref: 00CB3FD8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction ID: 7082f2b46015d4fd7cf0acfeaf525fbc880c67e9030293b1d5b7908681b7e5f9
Opcode Fuzzy Hash: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction Fuzzy Hash: EEC15571608341AFC700DF69C884A6BBBE9FF89748F10495DF98A9B250DB30EE45CB52

Function 00CA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CA7BA3
CoCreateInstance.OLE32(00CCFD08,00000000,00000001,00CF6E6C,?), ref: 00CA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CA7C74
CoTaskMemFree.OLE32(?,?), ref: 00CA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CA7D81
CoTaskMemFree.OLE32(00000000), ref: 00CA7DD6
CoUninitialize.OLE32 ref: 00CA7DDC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f814fb2903d149294c0fe3381f33ccad978225903b864736e9e799e503f0bd10
Instruction ID: be05cf0ff53d5009b44717256cfc1eef7ce8effdd2602c997b484ce3e306c38e
Opcode Fuzzy Hash: f814fb2903d149294c0fe3381f33ccad978225903b864736e9e799e503f0bd10
Instruction Fuzzy Hash: C1C11C75A04109AFCB14DF64C888DAEBBF9FF49318F148599F81A9B261D730EE45CB90

Function 00CC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC5515
CharNextW.USER32(00000158), ref: 00CC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC55AC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction ID: 791242672ea3dd2d79083ade72438c1886f6ad25b1d93a92edfdfec76b46ebb3
Opcode Fuzzy Hash: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction Fuzzy Hash: 96616C75904608AFDF10DF95CC84FFE7BB9EB09720F108189F925AA291D774AAC1DB60

Function 00C8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C8FB08
VariantInit.OLEAUT32(?), ref: 00C8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C8FBA1
VariantClear.OLEAUT32(?), ref: 00C8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBCC
VariantClear.OLEAUT32(?), ref: 00C8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBE9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction ID: 2d3dd3619af9f18c677900395bd8292e46f6b251ed13a8b97f3cc6642f441600
Opcode Fuzzy Hash: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction Fuzzy Hash: 50414235A002199FCB04EF64D898EFEBBB9FF48354F008069E955A7261D730AA46DF94

Function 00C99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C99D22
GetKeyState.USER32(000000A0), ref: 00C99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C99D57
GetKeyState.USER32(000000A1), ref: 00C99D6C
GetAsyncKeyState.USER32(00000011), ref: 00C99D84
GetKeyState.USER32(00000011), ref: 00C99D96
GetAsyncKeyState.USER32(00000012), ref: 00C99DAE
GetKeyState.USER32(00000012), ref: 00C99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C99DD8
GetKeyState.USER32(0000005B), ref: 00C99DEA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction ID: 634897ceb85ba9b3a9bbaf558ab7f8a794f2690b2476d20536f68626460cf8cf
Opcode Fuzzy Hash: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction Fuzzy Hash: 6941A6345047C969FF319668C88C7B5BEA0EF12344F08805EDAD6565C2EBB59BC8C7A2

Function 00CB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CB05BC
inet_addr.WSOCK32(?), ref: 00CB061C
gethostbyname.WSOCK32(?), ref: 00CB0628
IcmpCreateFile.IPHLPAPI ref: 00CB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CB07B9
WSACleanup.WSOCK32 ref: 00CB07BF

Strings

Ping, xrefs: 00CB0676

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0dcca650624b996a76a80be7a68ad92175190b12c5f38f5e33bf4db854ec28c6
Instruction ID: ea73bba154a684358a0c7821facedc9d554d8750ce115a07785215523e52cd48
Opcode Fuzzy Hash: 0dcca650624b996a76a80be7a68ad92175190b12c5f38f5e33bf4db854ec28c6
Instruction Fuzzy Hash: 25916B756082019FD720DF15C888F5BBBE4BF48318F2485A9F46A9B6A2CB30ED45CF91

Function 00CB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CB8CF3

Part of subcall function 00C98E54: _wcslen.LIBCMT ref: 00C98E77

_wcslen.LIBCMT ref: 00CB8D4E
_wcslen.LIBCMT ref: 00CB8D9C
_wcslen.LIBCMT ref: 00CB8DDC
_wcslen.LIBCMT ref: 00CB8E6E

Strings

winapi, xrefs: 00CB8D96, 00CB8D9B
stdcall, xrefs: 00CB8DD6, 00CB8DDB
none, xrefs: 00CB8E65, 00CB8E6A
cdecl, xrefs: 00CB8D48, 00CB8D4D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction ID: ec01d7a3cd890be0ceef6f94f7070bce1e275f99bce6a199d0b1eceede1035fd
Opcode Fuzzy Hash: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction Fuzzy Hash: 0851AE35A041179BCF24DF68C9419FEB7A9BF65724F20422AE826E72C4DB30DE48D790

Function 00CB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CB3774
CoUninitialize.OLE32 ref: 00CB377F
CoCreateInstance.OLE32(?,00000000,00000017,00CCFB78,?), ref: 00CB37D9
IIDFromString.OLE32(?,?), ref: 00CB384C
VariantInit.OLEAUT32(?), ref: 00CB38E4
VariantClear.OLEAUT32(?), ref: 00CB3936

Strings

Invalid parameter, xrefs: 00CB3865
NULL Pointer assignment, xrefs: 00CB381E
Failed to create object, xrefs: 00CB37E4, 00CB389A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 87d65121f2f7b4ff9620a7325283c245f3054923388903bc1b65997013c0358d
Instruction ID: 97a6344da60d176cca4b5b50050bafdf9f5eb1540332937f411beb00b3b5b348
Opcode Fuzzy Hash: 87d65121f2f7b4ff9620a7325283c245f3054923388903bc1b65997013c0358d
Instruction Fuzzy Hash: 1461CF70608351AFD710DF55C888FAABBE8EF48714F10491EF9959B291DB70EE48CB92

Function 00CA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8395

Strings

*.*, xrefs: 00CA839B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction ID: c0867a33f70080b35fa71ccff9f8df3143e80f74185ddfc9317465c78b705fa6
Opcode Fuzzy Hash: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction Fuzzy Hash: 06617D725043469FCB10EF64C884AAEB3E8FF89314F04491EF999D7251DB35EA49CB92

Function 00CA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CA33CF

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CA33F0

Strings

Error: , xrefs: 00CA34D1
Line %d (File "%s"):, xrefs: 00CA3443, 00CA345C
Incorrect parameters to object property !, xrefs: 00CA34AB
^ ERROR , xrefs: 00CA349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3504
"%s" (%d) : ==> %s:, xrefs: 00CA3522

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction ID: 3d073f2e510d12db7d98bfcb40ea612764e75f56e83c53f0275d3d3639323d2f
Opcode Fuzzy Hash: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction Fuzzy Hash: FB518B7190024AAADF15EBE0CD56EEEB778EF05340F104065F509B21A2EB712F58EB61

Function 00C9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C9B5FC
_wcslen.LIBCMT ref: 00C9B608
_wcslen.LIBCMT ref: 00C9B64D
_wcslen.LIBCMT ref: 00C9B68C
_wcslen.LIBCMT ref: 00C9B6C7

Strings

REMOVE, xrefs: 00C9B602, 00C9B607
KEYS, xrefs: 00C9B647, 00C9B64C
EXISTS, xrefs: 00C9B686, 00C9B68B
APPEND, xrefs: 00C9B6C1, 00C9B6C6

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction ID: 57f28d40c7966128c90c2e92c8754c11667e633b54f50be273618750fd6b6036
Opcode Fuzzy Hash: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction Fuzzy Hash: BA41E632A00026AACF146F7DDA955BEB7B5AFA0754B244229F435D7284E731EE81C790

Function 00CA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CA5416
GetLastError.KERNEL32 ref: 00CA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CA54A7

Strings

INVALID, xrefs: 00CA5459
READY, xrefs: 00CA5460, 00CA5468
UNKNOWN, xrefs: 00CA5444
NOTREADY, xrefs: 00CA544B
READONLY, xrefs: 00CA5452

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction ID: 2484d8b41de93cde7e0d3760b48d266e907f163913f96ed06dcdbafd7f634a81
Opcode Fuzzy Hash: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction Fuzzy Hash: FD31D275A0060A9FCB10DF69C484FAE7BB4EF1A309F18C065E515DB292D770DE82CB91

Function 00CC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CC3C79
SetMenu.USER32(?,00000000), ref: 00CC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3D10
IsMenu.USER32(?), ref: 00CC3D24
CreatePopupMenu.USER32 ref: 00CC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3D5B
DrawMenuBar.USER32 ref: 00CC3D63

Strings

F, xrefs: 00CC3D4E
0, xrefs: 00CC3C54

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction ID: 7a7539688dc4c70ee8a78f37cc5ed0e22eb297ae08912d25ca9309f1287f6995
Opcode Fuzzy Hash: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction Fuzzy Hash: 63414879A11209AFDB14CF64E888FAA7BB5FF49350F14402DF95AA7360D730AA10DF94

Function 00C91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C91F64
GetDlgCtrlID.USER32 ref: 00C91F6F
GetParent.USER32 ref: 00C91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91F8E
GetDlgCtrlID.USER32(?), ref: 00C91F97
GetParent.USER32(?), ref: 00C91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91FAE

Strings

ComboBox, xrefs: 00C91EEC
ListBox, xrefs: 00C91F21

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction ID: c40358af39ccde74ba1cb4fc16fd58bf777901f439eda89ff8f1c6a13e5c92bf
Opcode Fuzzy Hash: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction Fuzzy Hash: 8521D470A00218BBCF05AFA0DC89EFEBBB8EF05350F000115FA65A72D1CB755905DB60

Function 00CC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CC3C13

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction ID: fa824d12b5febc66e699ecbbcb44c0d832a19d401e37f7db7aa60d7f6d01bbca
Opcode Fuzzy Hash: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction Fuzzy Hash: B2615775A00248AFDB10DFA8DC81FEE77B8EB09700F104199FA15E72A1D770AE45DB60

Function 00C9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B21D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b3a4dd43a52d46bb76e62919c4411b21a85d760171994f292e9e037945cdd049
Instruction ID: 5e0ce3b3499f82bca377b419b48e44db29d2ca85bf97c65e1731eb1d18f47f26
Opcode Fuzzy Hash: b3a4dd43a52d46bb76e62919c4411b21a85d760171994f292e9e037945cdd049
Instruction Fuzzy Hash: C2316571500604BFDF109F25EE88FAE7BA9EB51311F104009FA29D62A0D7B4AF418B60

Function 00C62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C62C94

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C62CA0
_free.LIBCMT ref: 00C62CAB
_free.LIBCMT ref: 00C62CB6
_free.LIBCMT ref: 00C62CC1
_free.LIBCMT ref: 00C62CCC
_free.LIBCMT ref: 00C62CD7
_free.LIBCMT ref: 00C62CE2
_free.LIBCMT ref: 00C62CED
_free.LIBCMT ref: 00C62CFB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction ID: 19a5b3c5bf18948c0f89bb6d76a124afb027e18e9d058c24dc2c44a4402b58a0
Opcode Fuzzy Hash: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction Fuzzy Hash: A411C876600508BFCB16EF54D882CDD3BA5FF45390F4144A5FA489F232DA31EE50AB90

Function 00CA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA80B0

Strings

*.*, xrefs: 00CA8066

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction ID: 739ebc4d9b67878f2bc7896a7fe67a25a66b7ad8f8a2b0f9e56af53c740b71ac
Opcode Fuzzy Hash: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction Fuzzy Hash: B481C1725082429FCB20DF15C884AAEB3E8BF8A318F144D5EF895D7250EB34DE498B52

Function 00C35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C35C7A

Part of subcall function 00C35D0A: GetClientRect.USER32(?,?), ref: 00C35D30
Part of subcall function 00C35D0A: GetWindowRect.USER32(?,?), ref: 00C35D71
Part of subcall function 00C35D0A: ScreenToClient.USER32(?,?), ref: 00C35D99

GetDC.USER32 ref: 00C746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C74708
SelectObject.GDI32(00000000,00000000), ref: 00C74716
SelectObject.GDI32(00000000,00000000), ref: 00C7472B
ReleaseDC.USER32(?,00000000), ref: 00C74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C747C4

Strings

U, xrefs: 00C74693

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction ID: fb01aa279bc40e079f04e6260b744d9f757800b2ede3c68f386a5192dc9a66fd
Opcode Fuzzy Hash: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction Fuzzy Hash: 5F71D135400205DFCF298F64C984EBA7BB5FF4A354F148269FD699A2A6C3319E41DF60

Function 00CA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CA35E4

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00D02390,?,00000FFF,?), ref: 00CA360A

Strings

Error: , xrefs: 00CA36EF
^ ERROR, xrefs: 00CA36C9
Line %d (File "%s"):, xrefs: 00CA366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3724
"%s" (%d) : ==> %s:, xrefs: 00CA3742

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction ID: a3aedb8e3ccf35b47e553cd97afdd2d4b9976e96a5f3d77ca9fdb0c836629680
Opcode Fuzzy Hash: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction Fuzzy Hash: 22518F7190024ABBCF14EBA0CD56EEDBB38EF05304F144125F105B21A1EB711B99EF61

Function 00CC8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

Part of subcall function 00C4912D: GetCursorPos.USER32(?), ref: 00C49141
Part of subcall function 00C4912D: ScreenToClient.USER32(00000000,?), ref: 00C4915E
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000001), ref: 00C49183
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000002), ref: 00C4919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CC8B6B
ImageList_EndDrag.COMCTL32 ref: 00CC8B71
ReleaseCapture.USER32 ref: 00CC8B77
SetWindowTextW.USER32(?,00000000), ref: 00CC8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CC8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CC8CFF

Strings

@GUI_DRAGFILE, xrefs: 00CC8C9A
@GUI_DROPID, xrefs: 00CC8C51

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 293b2bb21dd502e1d9e71c58c7358dba23f6daeb90553ad9112bdf2dd8917e1c
Instruction ID: 95aaf25f8ad3d618acaf518ca97476ef1ddbe269235248b21f4e67edb718b1ba
Opcode Fuzzy Hash: 293b2bb21dd502e1d9e71c58c7358dba23f6daeb90553ad9112bdf2dd8917e1c
Instruction Fuzzy Hash: CB514975104304AFD704DF24D896FAA77E4FB88714F40062DF9AAA72E1DB709A48DB62

Function 00CAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC2CA
GetLastError.KERNEL32 ref: 00CAC322
SetEvent.KERNEL32(?), ref: 00CAC336
InternetCloseHandle.WININET(00000000), ref: 00CAC341

Strings

, xrefs: 00CAC2BB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction ID: 0e0acfbe63e2b9c6c7ea69539c6ab7db945dcdd4a332cc93f4227f6f9a8384c6
Opcode Fuzzy Hash: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction Fuzzy Hash: 6F318DB1501205AFDB219F65CCC8BAB7AFCEB4A748F14851EF45AD2210DB34DE459B60

Function 00C9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C73AAF,?,?,Bad directive syntax error,00CCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C998BC
LoadStringW.USER32(00000000,?,00C73AAF,?), ref: 00C998C3

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C99987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00C998F1
Line %d (File "%s"):, xrefs: 00C9992D
Error: , xrefs: 00C99955
., xrefs: 00C9996D
Line %d:, xrefs: 00C99912

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction ID: b831a317822eb54da77459f7d4925c2c6fad4f4985a6e031821f12ccc69391e6
Opcode Fuzzy Hash: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction Fuzzy Hash: 5A217C3295021EABCF15EF90CC4AEEE7779FF18300F044469F619660A2EB719A18EB51

Function 00C9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C9214D

Strings

list, xrefs: 00C9212F
smallicons, xrefs: 00C92115
largeicons, xrefs: 00C920E1
details, xrefs: 00C920FB
SHELLDLL_DefView, xrefs: 00C920CC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction ID: 7822dcddb52bd253cb452f1599a9ef8174f66b58bc9591fd050a6e99f26e1964
Opcode Fuzzy Hash: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction Fuzzy Hash: 67112C7A688706BAFE052220DC0FDFE379CCB04325F201026FB45A50D1FE619D956618

Function 00C68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction ID: b0cc3335abb296b2843dc711ad484b46156377a714f1b8340a3794825246207c
Opcode Fuzzy Hash: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction Fuzzy Hash: 2AC1E378904249AFCF21DFA8D881BADBFB4EF0D310F044159E925A7392CB349A46DB61

Function 00C6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C6CEB7
_free.LIBCMT ref: 00C6CF22
_free.LIBCMT ref: 00C6CF48
_free.LIBCMT ref: 00C6CF71
_free.LIBCMT ref: 00C6CFA9
_free.LIBCMT ref: 00C6CFDA
_free.LIBCMT ref: 00C6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C6D09C
_free.LIBCMT ref: 00C6D0B5

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8e07a71f9f2ed679717b4ea29be7b23210c8f6e4d980d7cf2d8769fd73d93c6
Instruction ID: f7c2941e7035b1e8e7d540fb1f8769c955e8ecc9f18e4ed022b54bb17cd3c45c
Opcode Fuzzy Hash: b8e07a71f9f2ed679717b4ea29be7b23210c8f6e4d980d7cf2d8769fd73d93c6
Instruction Fuzzy Hash: B7612471A04301AFDB35AFF498C1B7A7BA5EF05360F08416DF995D7282DA329A0197B2

Function 00C48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C8692D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction ID: 34da6a89a5124219a16fbc3c576f8681dd7dcf6de42207e1bb8c60efb2cbc443
Opcode Fuzzy Hash: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction Fuzzy Hash: 25514570A00209AFDB20DF25CC95FAE7BB6FB58754F104518F96A972E0DB70AA90DB50

Function 00CAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC182
GetLastError.KERNEL32 ref: 00CAC195
SetEvent.KERNEL32(?), ref: 00CAC1A9

Part of subcall function 00CAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
Part of subcall function 00CAC253: GetLastError.KERNEL32 ref: 00CAC322
Part of subcall function 00CAC253: SetEvent.KERNEL32(?), ref: 00CAC336
Part of subcall function 00CAC253: InternetCloseHandle.WININET(00000000), ref: 00CAC341

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction ID: 4ceab9a97dc417c0065d889e10c9bca4950dfb6be2b11290a73c0e5e69e446dc
Opcode Fuzzy Hash: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction Fuzzy Hash: 40319071200606AFDB219FA5DD84B6ABBF8FF1A304B04451DF96A82610D735E914EBA0

Function 00C925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C92627

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction ID: 62a9f704e459f6071e138aaf5f99a35c5603e4799d7e0e25f948423d147b3bbf
Opcode Fuzzy Hash: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction Fuzzy Hash: 1F01DF30790610BBFB206769DCCEF5D3F59DB4EB12F110001F358AE1E1C9E224549AAA

Function 00C91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C91449,?,?,00000000), ref: 00C9180C
HeapAlloc.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91828
GetCurrentProcess.KERNEL32(?,00000000,?,00C91449,?,?,00000000), ref: 00C91830
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91843
GetCurrentProcess.KERNEL32(00C91449,00000000,?,00C91449,?,?,00000000), ref: 00C9184B
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C9184E
CreateThread.KERNEL32(00000000,00000000,00C91874,00000000,00000000,00000000), ref: 00C91868

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction ID: 4cc800479394be671c6f26c7db283c61982da70bd8b40e04fc29cf1160818493
Opcode Fuzzy Hash: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction Fuzzy Hash: F901BFB5240344BFE710AB66DC8DF5F3B6CEB89B11F054411FA05DB1A1C674D810CB20

Function 00CBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Part of subcall function 00C9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Part of subcall function 00C9D4DC: CloseHandle.KERNEL32(00000000), ref: 00C9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA16D
GetLastError.KERNEL32 ref: 00CBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CBA268
GetLastError.KERNEL32(00000000), ref: 00CBA273
CloseHandle.KERNEL32(00000000), ref: 00CBA2C4

Strings

SeDebugPrivilege, xrefs: 00CBA18F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction ID: e34fdf879a09884743685ace708a8732bbca8014e7b9ca95b36301af1ee9e2a4
Opcode Fuzzy Hash: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction Fuzzy Hash: 8161A170204242AFD720DF19C4D4F59BBE1AF44318F18849CE4AA8BBA3C772ED45CB92

Function 00CC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CC3954
_wcslen.LIBCMT ref: 00CC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CC39F4

Strings

SysListView32, xrefs: 00CC38F7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction ID: aa22bc1aa69e10ce97a4ba0dee18609cff3bd93929d706304c1a74e0853c3911
Opcode Fuzzy Hash: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction Fuzzy Hash: 1A41A371A00219ABDF219F64DC45FEE77A9EF08354F10452AF958E72C1D7719A84CB90

Function 00C9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9BCFD
IsMenu.USER32(00000000), ref: 00C9BD1D
CreatePopupMenu.USER32 ref: 00C9BD53
GetMenuItemCount.USER32(01736618), ref: 00C9BDA4
InsertMenuItemW.USER32(01736618,?,00000001,00000030), ref: 00C9BDCC

Strings

0, xrefs: 00C9BCA8
2, xrefs: 00C9BD37

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction ID: 9b655219a787ceac8efb51de5072ae7f7ca13b5cd09b5bd226ae483b1b9f22cb
Opcode Fuzzy Hash: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction Fuzzy Hash: F851AF72A00209ABDF10CFA9EACCBAEBBF4AF45314F144159F425D7298D770AE41CB51

Function 00C9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C9C913

Strings

blank, xrefs: 00C9C895
info, xrefs: 00C9C8B4
question, xrefs: 00C9C8CC
warning, xrefs: 00C9C8FC
stop, xrefs: 00C9C8E4

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction ID: 4d2f8b7b2893eaaa2cd2b36906eec083deab31e3599ff9cf5f255d252c4d6c49
Opcode Fuzzy Hash: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction Fuzzy Hash: 3D112B3668930ABAAB04AB15DCC6DAE779CDF15319B21003BF900A61C2D7605F806369

Function 00C9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C9ED2A
_wcslen.LIBCMT ref: 00C9ED3B
_wcslen.LIBCMT ref: 00C9ED79
_wcslen.LIBCMT ref: 00C9EDAF
_wcslen.LIBCMT ref: 00C9EDDF
_wcslen.LIBCMT ref: 00C9EDEF
_wcslen.LIBCMT ref: 00C9EE2B
_wcslen.LIBCMT ref: 00C9EE5A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction ID: 26ccc5bddb32c7179f1b8ff8bdd34c35e17c62314bfeb9a2ac3588262ba430d3
Opcode Fuzzy Hash: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction Fuzzy Hash: F941A469C1021875CB11EBF4CC8A9CFB7BCAF45311F508466E914E3121FB34D689C3A9

Function 00C4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F454

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction ID: b70429c082014242762177395a719fa72ce6e2c47cf4b287f9c909dcf2cec8d4
Opcode Fuzzy Hash: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction Fuzzy Hash: BF410A31608680FAD7399F29D9C8B2E7B91BFA6314F14443DE0AB57660C771AA83DB11

Function 00CC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC2D1B
GetDC.USER32(00000000), ref: 00CC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC2DE1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction ID: c877ab8a0c88270b3a2c38bf107f5b99f7e94e624c05f3972ec28bc4188eed95
Opcode Fuzzy Hash: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction Fuzzy Hash: 80318972201614BFEB218F54CC8AFEB3FADEF19715F084069FE099A291C6759C51CBA4

Function 00C95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95637
_memcmp.LIBVCRUNTIME ref: 00C95659
_memcmp.LIBVCRUNTIME ref: 00C95671
_memcmp.LIBVCRUNTIME ref: 00C95684
_memcmp.LIBVCRUNTIME ref: 00C9569E
_memcmp.LIBVCRUNTIME ref: 00C956B1
_memcmp.LIBVCRUNTIME ref: 00C956C9
_memcmp.LIBVCRUNTIME ref: 00C956E4

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction ID: 0ce3bf81c29a46a96dd766501167fdecdd47c113aac9d96c932e39d5474b7570
Opcode Fuzzy Hash: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction Fuzzy Hash: 9B21F965741A09B7DA165E21DD9AFFA335DAF20385F480038FD049A781F720EF1593A9

Function 00CB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00CB5007
NULL Pointer assignment, xrefs: 00CB502E, 00CB5383

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2e736bc29052b3b862248f5af93ecdc6408d652d9c3a342f6f1abde92b2ee12d
Instruction ID: 6c32751428fde7134f91ee556d084f65ae3f76b18b0127bfac90df9ca55fb27f
Opcode Fuzzy Hash: 2e736bc29052b3b862248f5af93ecdc6408d652d9c3a342f6f1abde92b2ee12d
Instruction Fuzzy Hash: A2D1BF71A0060A9FDF14DFA8D881FEEB7B5BF48344F148069E925AB291E771DE41CB90

Function 00C71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C71651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C717FB,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C716FB

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C71777
__freea.LIBCMT ref: 00C717A2
__freea.LIBCMT ref: 00C717AE

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction ID: 0f6e990703c1e5f1b12e3dd35d17ca9f1b0f8320f3e7e5888dde07f8a91d0de6
Opcode Fuzzy Hash: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction Fuzzy Hash: F3919371E002169ADB288E7DC881AEE7BF5EF49710F1C8659ED19E7181D735DE40CBA0

Function 00CB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB4648
VariantInit.OLEAUT32(?), ref: 00CB4749
VariantClear.OLEAUT32(?), ref: 00CB4753
VariantClear.OLEAUT32(?), ref: 00CB47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00CB45D8, 00CB4706, 00CB47BE
Incorrect Object type in FOR..IN loop, xrefs: 00CB472C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4e70b23e02bdb2ae8f96bb4bab4552d96bf1418ace72dcbda56b8384b7ec9cac
Instruction ID: 492a1c98a5b038184de15d2d6a7aa9a3f51b0b5a6b98268b2c11b7b13703ad70
Opcode Fuzzy Hash: 4e70b23e02bdb2ae8f96bb4bab4552d96bf1418ace72dcbda56b8384b7ec9cac
Instruction Fuzzy Hash: 6291B470A04219AFDF28CFA5C884FEE7BB8EF46714F108559F515AB282DB709945CFA0

Function 00CA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA1430

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a3f0fb39d3526ae35429eb71d4d9bf4cbdd09df5deccff9ae5804a49e090c285
Instruction ID: a56d0c57284eba2ca348de43fb0cbb102e80537ae2eb6f2e144d104ee84ccd1a
Opcode Fuzzy Hash: a3f0fb39d3526ae35429eb71d4d9bf4cbdd09df5deccff9ae5804a49e090c285
Instruction Fuzzy Hash: 21911571A0021AAFDB00DF98C884BBEB7B5FF46329F194029ED51EB291D774E941DB90

Function 00C4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction ID: 96249ac001a33ca38a0c0445f482a65a9bdb3c99c4163b132d18507e9f75fa10
Opcode Fuzzy Hash: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction Fuzzy Hash: D7912871D00219EFCB10CFA9CC88AEEBBB8FF49320F248559E515B7251D774AA42DB60

Function 00CB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB396B
CharUpperBuffW.USER32(?,?), ref: 00CB3A7A
_wcslen.LIBCMT ref: 00CB3A8A
VariantClear.OLEAUT32(?), ref: 00CB3C1F

Part of subcall function 00CA0CDF: VariantInit.OLEAUT32(00000000), ref: 00CA0D1F
Part of subcall function 00CA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CA0D28
Part of subcall function 00CA0CDF: VariantClear.OLEAUT32(?), ref: 00CA0D34

Strings

Incorrect Parameter format, xrefs: 00CB39A6, 00CB3BA1
AUTOIT.ERROR, xrefs: 00CB3A80, 00CB3A85

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7db106eb7176281ea3258ecd3649ea50be0ddf614a76e8517fc3dbd0c80b7234
Instruction ID: 0e835d264982d0ce0c88879b50867cafd3a3df3a1a621b4c40452ebdd0393552
Opcode Fuzzy Hash: 7db106eb7176281ea3258ecd3649ea50be0ddf614a76e8517fc3dbd0c80b7234
Instruction Fuzzy Hash: AB918C756083459FCB04DF68C48096AB7E4FF88714F14892DF89A9B351DB30EE45DB92

Function 00CB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
Part of subcall function 00C9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
Part of subcall function 00C9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
Part of subcall function 00C9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CB4C51
_wcslen.LIBCMT ref: 00CB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CB4DCF
CoTaskMemFree.OLE32(?), ref: 00CB4DDA

Strings

NULL Pointer assignment, xrefs: 00CB4E23, 00CB4E52

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction ID: 46d9c1ac6ac1675cccc34fa79f6c989acb35b44f3f46d73a9a71126b944415f9
Opcode Fuzzy Hash: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction Fuzzy Hash: 0E911571D0421DEFDF14DFA4C891AEEBBB9BF08314F108169E915A7291EB709A44DFA0

Function 00CC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CC2183
GetMenuItemCount.USER32(00000000), ref: 00CC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC21DD
_wcslen.LIBCMT ref: 00CC2213
GetMenuItemID.USER32(?,?), ref: 00CC224D
GetSubMenu.USER32(?,?), ref: 00CC225B

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC22E3

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8d497db0077bdac9c2e35dd93028b205a74d6ed78b40a010de6ed515154d9ea9
Instruction ID: 67cffa5b33bb4d670db8cb5574ac71260d375755d3d3d03fba1e8fa9b9dbf830
Opcode Fuzzy Hash: 8d497db0077bdac9c2e35dd93028b205a74d6ed78b40a010de6ed515154d9ea9
Instruction Fuzzy Hash: F7715E75A00205AFCB14EFA5C885FAEB7B5EF48320F14845DE916EB351D734AE419B90

Function 00C9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C9AEF9
GetKeyboardState.USER32(?), ref: 00C9AF0E
SetKeyboardState.USER32(?), ref: 00C9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C9B020

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction ID: 60d3eaa37baa0016693db8744c947aa21cb740df4d517a0c78dfcef5f0de866b
Opcode Fuzzy Hash: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction Fuzzy Hash: 7C51C2E06047D53DFF368274CD4DBBA7EA95B06304F088589E1E9458C2C398AED4D791

Function 00C9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C9AD19
GetKeyboardState.USER32(?), ref: 00C9AD2E
SetKeyboardState.USER32(?), ref: 00C9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C9AE38

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction ID: 551e9ea9e3e6e1267e2f3c1b4d70c09e75ce702e8c66799b2c92ce965541274e
Opcode Fuzzy Hash: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction Fuzzy Hash: 4C51E7A15047D53DFF378334CC99B7A7EA85B46300F088488E1E5468C2D394EE94E792

Function 00C6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C73CD6,?,?,?,?,?,?,?,?,00C65BA3,?,?,00C73CD6,?,?), ref: 00C65470
__fassign.LIBCMT ref: 00C654EB
__fassign.LIBCMT ref: 00C65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C73CD6,00000005,00000000,00000000), ref: 00C6552C
WriteFile.KERNEL32(?,00C73CD6,00000000,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C6554B
WriteFile.KERNEL32(?,?,00000001,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C65584

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction ID: cc3101e8493f277a012217dca332614440bf6a8bb737db603e9e29bcd1b7da05
Opcode Fuzzy Hash: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction Fuzzy Hash: 03519671900649AFDB21CFA8D885BEEBBF9EF09300F24455EF556E7291D7309A41CB60

Function 00C52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C52D53
_ValidateLocalCookies.LIBCMT ref: 00C52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C52E0C
_ValidateLocalCookies.LIBCMT ref: 00C52E61

Strings

csm, xrefs: 00C52DF6

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction ID: d361477581fd0bc6e05aecb2bae057828415b6ce3c799279ea852de5f4cf39eb
Opcode Fuzzy Hash: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction Fuzzy Hash: 6341D638A00208DBCF14DF68C885A9EBBF4BF46366F148155EC146B392D731AA89CBD4

Function 00CB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB1112
WSAGetLastError.WSOCK32 ref: 00CB1121
WSAGetLastError.WSOCK32 ref: 00CB11C9
closesocket.WSOCK32(00000000), ref: 00CB11F9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction ID: fe87b39096ce670a5246fb1c7e449af0b02603d589ddb29a4b840c00a2608cf3
Opcode Fuzzy Hash: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction Fuzzy Hash: 1041E535600204AFDB109F58C894BEEB7E9EF45364F588059FD19AB292C770EE41CBE1

Function 00C9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C9CF45
MoveFileW.KERNEL32(?,?), ref: 00C9CF7F
_wcslen.LIBCMT ref: 00C9D005
_wcslen.LIBCMT ref: 00C9D01B
SHFileOperationW.SHELL32(?), ref: 00C9D061

Strings

\*.*, xrefs: 00C9CFF3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction ID: 9e9e141e35814c0103f49bb3a4b74da0c1c3ad4035e154954f2bac1f785090f4
Opcode Fuzzy Hash: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction Fuzzy Hash: 304154719052189FDF12EFE4D9C5EDEB7B8AF18380F0000E6E509EB142EA34A788DB50

Function 00CC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC2F0B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction ID: 733f5f469fd09dacc16548601d285a209e9b41ac2aa399b65d1a8be597177b08
Opcode Fuzzy Hash: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction Fuzzy Hash: F6311334604254AFDB20DF58EC84FA937E0EB8A711F140168F928EB2B1CB71ED40DB10

Function 00C97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9778F
SysAllocString.OLEAUT32(00000000), ref: 00C97792
SysAllocString.OLEAUT32(?), ref: 00C977B0
SysFreeString.OLEAUT32(?), ref: 00C977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C977DE
SysAllocString.OLEAUT32(?), ref: 00C977EC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 69de20b8651f08af82259397069a329cf9f3e3e29692c459ce1c5867aa159b08
Instruction ID: 5fbeb223ca602ec111faf27cd97e0eeb8cd8a334bc506c35cdfc90ca13b5259d
Opcode Fuzzy Hash: 69de20b8651f08af82259397069a329cf9f3e3e29692c459ce1c5867aa159b08
Instruction Fuzzy Hash: 7421B076605219AFDF11DFA9CC88EBF73ACEB093647048125FA18DB2A0D670DD41C760

Function 00C977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97868
SysAllocString.OLEAUT32(00000000), ref: 00C9786B
SysAllocString.OLEAUT32 ref: 00C9788C
SysFreeString.OLEAUT32 ref: 00C97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C978AF
SysAllocString.OLEAUT32(?), ref: 00C978BD

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: de51c7c9c4164ae18071b4d59e5aeaf4282add8b9816a4661b4ebb97e42059c7
Instruction ID: dbbe10a204f33595719186b9c5649093a2caef09bef67106868eab8fc3502e23
Opcode Fuzzy Hash: de51c7c9c4164ae18071b4d59e5aeaf4282add8b9816a4661b4ebb97e42059c7
Instruction Fuzzy Hash: 50219D31609204AFDF10AFA9DC8CEBA77ACFB087607148225F915DB2A1DA74DD41CB68

Function 00CA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA052E

Strings

nul, xrefs: 00CA0567

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction ID: d5a86422a4c6e58ebc69a45a0fdbe7e373a9962217dd8dca25700747250dda90
Opcode Fuzzy Hash: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction Fuzzy Hash: F7217E71900306ABDF209F69DC44B9A7BB4AF467A8F304A19E8B1D62E0D770DA50CF24

Function 00CA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA0601

Strings

nul, xrefs: 00CA0639

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction ID: f99e83b9c722983a25e486d41b7284f7be33ee887695f869ad9018fff2b1d6a7
Opcode Fuzzy Hash: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction Fuzzy Hash: F9214F755003069BDB209F69DC44B9A77A4AF967A9F300A19FDB1E72E0E7709960CB10

Function 00CC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CC4145

Strings

Msctls_Progress32, xrefs: 00CC40E3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction ID: 35bb10f8a01db39807c5a18946da924dd4533d710d44a8ea618a9a4683104e03
Opcode Fuzzy Hash: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction Fuzzy Hash: DE1190B2150219BEEF118F64CC86EEB7FADEF08798F008111FA58A2150C6729C219BA4

Function 00C6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C6D7A3: _free.LIBCMT ref: 00C6D7CC

_free.LIBCMT ref: 00C6D82D

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D838
_free.LIBCMT ref: 00C6D843
_free.LIBCMT ref: 00C6D897
_free.LIBCMT ref: 00C6D8A2
_free.LIBCMT ref: 00C6D8AD
_free.LIBCMT ref: 00C6D8B8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9ac63cfe9ab8302a4d09b88cff2714998a0e03bb3ca402b4c8970c141bf23066
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D7115B71B40B04AADA31BFB0CC87FCB7BDCAF44700F440825B29AE6092DA65B505A662

Function 00C9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C9DA74
LoadStringW.USER32(00000000), ref: 00C9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C9DA91
LoadStringW.USER32(00000000), ref: 00C9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C9DAB9

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction ID: 39b395a5670787c9579a2a90d0d35db1ad1d1a419bdad7a9d44e9cf1cb62a420
Opcode Fuzzy Hash: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction Fuzzy Hash: 2C0162F25002087FEB10ABA4DDC9FEB366CE708701F400495F74AE2041EA749E854F74

Function 00CA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0172F108,0172F108), ref: 00CA097B
EnterCriticalSection.KERNEL32(0172F0E8,00000000), ref: 00CA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CA09A9
CloseHandle.KERNEL32(?), ref: 00CA09B8
InterlockedExchange.KERNEL32(0172F108,000001F6), ref: 00CA09C8
LeaveCriticalSection.KERNEL32(0172F0E8), ref: 00CA09CF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction ID: 378ae11c8e7a82eb560df4d455fa27db790f3a0fd6d5dbb4bd2399d8c365a6f8
Opcode Fuzzy Hash: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction Fuzzy Hash: CBF01932442A02ABD7415BA4EEC8FDABA29FF01742F542025F206908A1C7749575CF90

Function 00CB1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CB1DE1
WSAGetLastError.WSOCK32 ref: 00CB1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00CB1EDB
inet_ntoa.WSOCK32(?), ref: 00CB1E8C

Part of subcall function 00C939E8: _strlen.LIBCMT ref: 00C939F2

Part of subcall function 00CB3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CAEC0C), ref: 00CB3240

_strlen.LIBCMT ref: 00CB1F35

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2199f6b1e14cde62fc6f8bf050d6dc2ae9451818c17751ad51de47f27dc51f93
Instruction ID: 1df8fd0db4513797a183ca7bbaea27216da268024c43809e7478e9f50cf36b18
Opcode Fuzzy Hash: 2199f6b1e14cde62fc6f8bf050d6dc2ae9451818c17751ad51de47f27dc51f93
Instruction Fuzzy Hash: 7BB1D331204340AFC724DF64C895F6A7BE5AF84318F98854CF9665B2E2CB71EE46CB91

Function 00C35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C35D30
GetWindowRect.USER32(?,?), ref: 00C35D71
ScreenToClient.USER32(?,?), ref: 00C35D99
GetClientRect.USER32(?,?), ref: 00C35ED7
GetWindowRect.USER32(?,?), ref: 00C35EF8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction ID: b16f8876ca7e4bb504764d51e8f62640a6d859135b2ddcb040aca5f6556c0269
Opcode Fuzzy Hash: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction Fuzzy Hash: B8B18875A10B4ADBDB14CFA9C4807EEB7F1FF48310F14841AE8AAD7290DB34AA51DB50

Function 00C601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C600D6
__allrem.LIBCMT ref: 00C600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6010B
__allrem.LIBCMT ref: 00C60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C60140

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d7c99cd08b02066c53556db17ddc80a799f0857d7582af902cd410b8bea49f0f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A38127766007069BE7349E69CC82B6F73E8AF41320F24463EF861E6681E770DE419754

Function 00C661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C582D9,00C582D9,?,?,?,00C6644F,00000001,00000001,8BE85006), ref: 00C66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C6644F,00000001,00000001,8BE85006,?,?,?), ref: 00C662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C663D8
__freea.LIBCMT ref: 00C663E5

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

__freea.LIBCMT ref: 00C663EE
__freea.LIBCMT ref: 00C66413

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction ID: b294b4f09bafa164aa5e814a349719f60f35f6e5462b7a5d91261590099edb0c
Opcode Fuzzy Hash: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction Fuzzy Hash: 4251DF72A00216ABEB358F64CCC1EBF7BA9EF44710F19462AFD15DA250EB34DD41D6A0

Function 00CBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBBDF3
RegCloseKey.ADVAPI32(?), ref: 00CBBDFF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 720b66f47da3e0b5e2b7a92d6b7bbb5c1411adff425888d90296e84a948459bc
Instruction ID: 7da2dc46f7f10352bfc3a28dc0b45e1f381cb70ee43facf84dcd7d35e08048ce
Opcode Fuzzy Hash: 720b66f47da3e0b5e2b7a92d6b7bbb5c1411adff425888d90296e84a948459bc
Instruction Fuzzy Hash: 7681B230218241EFD714DF24C895E6ABBE5FF84308F14855CF4998B2A2DB71ED45DB92

Function 00C8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C8F860
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F889
VariantClear.OLEAUT32(00C8FA64), ref: 00C8F8AD
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F8B1
VariantClear.OLEAUT32(?), ref: 00C8F8BB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b60d4831f96cd4b729b611fc119bb8a0d46c49b52b8aeba4af30b69822e161d8
Instruction ID: db34acecac33435f835468c365c5aea43a9bb590375def318d170320dd4cd664
Opcode Fuzzy Hash: b60d4831f96cd4b729b611fc119bb8a0d46c49b52b8aeba4af30b69822e161d8
Instruction Fuzzy Hash: A651B731610310BBCF24BF66D895B29B3A4EF45318F24947EE905DF291DB708C42D7AA

Function 00CA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CA94E5
_wcslen.LIBCMT ref: 00CA9506
_wcslen.LIBCMT ref: 00CA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CA9585

Strings

X, xrefs: 00CA9412

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 37983a0ea290886958efa47a99feaea49934104e336ecc5501ede9d7f47ca8a2
Instruction ID: 822043365a9c287fca6ac8956dc05c2cdf9b0a2f4cd794d966729e8ac3e858f8
Opcode Fuzzy Hash: 37983a0ea290886958efa47a99feaea49934104e336ecc5501ede9d7f47ca8a2
Instruction Fuzzy Hash: 50E19F719183419FCB24DF24C882B6AB7E4FF85314F04896DF8999B2A2DB31DD05CB92

Function 00C4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

BeginPaint.USER32(?,?,?), ref: 00C49241
GetWindowRect.USER32(?,?), ref: 00C492A5
ScreenToClient.USER32(?,?), ref: 00C492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C492D3
EndPaint.USER32(?,?,?,?,?), ref: 00C49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C871EA

Part of subcall function 00C49339: BeginPath.GDI32(00000000), ref: 00C49357

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction ID: ef664a2c05760cdfd398ddde6d857bac0f8c149a598caa84b0082349639a9083
Opcode Fuzzy Hash: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction Fuzzy Hash: C741AB70104310AFD720DF25DC88FAB7BB8FB4A324F140229F9A8C72A1C7709945DB61

Function 00CA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CA0847
EnterCriticalSection.KERNEL32(?), ref: 00CA0863
LeaveCriticalSection.KERNEL32(?), ref: 00CA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA0921

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 5417dba5186e965c08629dc0c7e6f1d817d136aba14e265ad6c1441c164472ed
Instruction ID: 49724ef1c66b838a2e01fd7986268d79cffb2ead2dc4bae40f7a33288ccdece8
Opcode Fuzzy Hash: 5417dba5186e965c08629dc0c7e6f1d817d136aba14e265ad6c1441c164472ed
Instruction Fuzzy Hash: 8D416A71900205EFDF149F64DC85AAAB7B8FF05304F2440A9ED049A297D730DE65DBA4

Function 00CC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C8F3AB,00000000,?,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00CC824C
EnableWindow.USER32(?,00000000), ref: 00CC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CC82D1
ShowWindow.USER32(?,00000004), ref: 00CC82E5
EnableWindow.USER32(?,00000001), ref: 00CC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CC832F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction ID: e28c41fc9cddabab1fcf9d029e26b71629527508f34a9bfb4c4cfc2e2955d03a
Opcode Fuzzy Hash: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction Fuzzy Hash: 88418174601644EFDF21CF15D899FA97BE0FB0A714F1851ADE5288B2B2CB31A949CF50

Function 00C94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C94CEA
_wcslen.LIBCMT ref: 00C94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C94D10
_wcsstr.LIBVCRUNTIME ref: 00C94D1A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 58f5cb8dc37f4c34e82e9a91ef568eb010c5db5104e35e0964e477a651241bb6
Instruction ID: 70b193561fc9ce008f9e76bd67d4fea3e998dd51dd2cd002c936a28ba8938863
Opcode Fuzzy Hash: 58f5cb8dc37f4c34e82e9a91ef568eb010c5db5104e35e0964e477a651241bb6
Instruction Fuzzy Hash: 8921F636604200BBEF195B39ED4DF7F7BACDF45750F10802DF809CA191EA61DD4296A0

Function 00CA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

_wcslen.LIBCMT ref: 00CA587B
CoInitialize.OLE32(00000000), ref: 00CA5995
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA59AE
CoUninitialize.OLE32 ref: 00CA59CC

Strings

.lnk, xrefs: 00CA5876, 00CA58C1, 00CA5985

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction ID: 989aff05c493a282b8d60fd45e67f35e61182015b3111d21d8e7b2fc000345e6
Opcode Fuzzy Hash: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction Fuzzy Hash: 37D174756087029FC714DF25C484A2ABBE1FF8A318F14895DF8999B361CB31ED46CB92

Function 00C9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
Part of subcall function 00C90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
Part of subcall function 00C90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
Part of subcall function 00C90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

GetLengthSid.ADVAPI32(?,00000000,00C91335), ref: 00C917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C917BA
HeapAlloc.KERNEL32(00000000), ref: 00C917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C917DA
GetProcessHeap.KERNEL32(00000000,00000000,00C91335), ref: 00C917EE
HeapFree.KERNEL32(00000000), ref: 00C917F5

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction ID: 698dd7145b42cffb32330c766816b50518901544b4cd8f772c370219c47626cd
Opcode Fuzzy Hash: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction Fuzzy Hash: 01117C32500606FFDF109FE5CC8AFAE7BA9EB45355F184018F85597220D735AA45CB60

Function 00C914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C91515
CloseHandle.KERNEL32(00000004), ref: 00C91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C91563

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction ID: b98f569a6fb8e6ece13962732299fa3c5b05f92f509640091e5168dab6982f52
Opcode Fuzzy Hash: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction Fuzzy Hash: 9C11297250024AABDF118F98ED8AFDE7BA9FF48744F098015FE19A2060C375CE61DB60

Function 00C53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C53379,00C52FE5), ref: 00C53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C533B7
SetLastError.KERNEL32(00000000,?,00C53379,00C52FE5), ref: 00C53409

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction ID: f5df01df1c35c43523948c4ae24abc1bf0152adcbb01e9fea0f80b041fa99c49
Opcode Fuzzy Hash: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction Fuzzy Hash: 8D01F53A709355AFE62527747DC5BAE2A54EB153FB320022DFC20851F0EF114E8BA54C

Function 00C62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C65686,00C73CD6,?,00000000,?,00C65B6A,?,?,?,?,?,00C5E6D1,?,00CF8A48), ref: 00C62D78
_free.LIBCMT ref: 00C62DAB
_free.LIBCMT ref: 00C62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DEC
_abort.LIBCMT ref: 00C62DF2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6804fcf0ab35ae6346cb468170f72296b730c5c44bb02ad8a23fc86d88220ed6
Instruction ID: bcc90bd086aa0b186d674df6017f5b2cea46b8733823c00756d35c581a37a4c6
Opcode Fuzzy Hash: 6804fcf0ab35ae6346cb468170f72296b730c5c44bb02ad8a23fc86d88220ed6
Instruction Fuzzy Hash: E9F0C832A04E0127C2322735BCD6F6E2659AFC27A1F254418F838921E2EF248902E271

Function 00CC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CC8A80
EndPath.GDI32(?), ref: 00CC8A90
StrokePath.GDI32(?), ref: 00CC8AA0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction ID: b70bef24f8c6e575c903cedeba8a1d0096b7b8554c3af9bcc25f8ab97cf4b668
Opcode Fuzzy Hash: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction Fuzzy Hash: 0F110576400108FFEB129F90EC88FAA7F6CEB08350F048026FA599A1A1C7719E55DFA0

Function 00C951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C95230
ReleaseDC.USER32(00000000,00000000), ref: 00C95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C95261

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction ID: 9f17664071b623ce1e952d2de5406f3fdc371e2da19d5c66a6345db6b10011aa
Opcode Fuzzy Hash: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction Fuzzy Hash: D5014475A01B14BBEF105BA5DD89F5EBFB8EB44751F044065FA08A7281D6709901CB60

Function 00C31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction ID: cd9ec7bd3a049804802bfd62530fd02057dccf4c5c45e1ec29ddb0ea3b3c3b21
Opcode Fuzzy Hash: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction Fuzzy Hash: F40167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00C9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB75

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction ID: f8c6f6b0fed7612d23d57e9bde0bd6a374dc809bcdf3226d025cecdad43f041f
Opcode Fuzzy Hash: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction Fuzzy Hash: C5F03A72A40158BBE7215B63DD4EFEF3A7CEFCAB15F000158F615E1091D7A05A01C6B5

Function 00C87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C87469
GetWindowDC.USER32(?), ref: 00C87475
GetPixel.GDI32(00000000,?,?), ref: 00C87484
ReleaseDC.USER32(?,00000000), ref: 00C87496
GetSysColor.USER32(00000005), ref: 00C874B0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction ID: 44fa54e587b186ed66f1bccf728feedc2aa83771afd91f00d264f33c70732c05
Opcode Fuzzy Hash: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction Fuzzy Hash: DE014631400215FFEB51AFA4DD48FAE7BB5FB04321F650164FA2AA21A1CB311E52EF60

Function 00C91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C9187F
UnloadUserProfile.USERENV(?,?), ref: 00C9188B
CloseHandle.KERNEL32(?), ref: 00C91894
CloseHandle.KERNEL32(?), ref: 00C9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C918A5
HeapFree.KERNEL32(00000000), ref: 00C918AC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction ID: 564601ed26d3b5f8ca394b2a834036e0cacdc73d3d422da3dbed05c7f74b17d7
Opcode Fuzzy Hash: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction Fuzzy Hash: 2BE0C236404501BBDB015BA2ED4CF4EBB29FB49B22B148220F22981470CB329420DB50

Function 00C9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C6EE
_wcslen.LIBCMT ref: 00C9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C9C7CA

Strings

0, xrefs: 00C9C6AF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 53d7e0059f8c7579eb3cdbdea63a3a5a7301e76f7d50b7299ac46863eeffa0b3
Instruction ID: 08616583d18ad73fe2446a925a53fba77c6b207ed18225bdba80d0675939ed64
Opcode Fuzzy Hash: 53d7e0059f8c7579eb3cdbdea63a3a5a7301e76f7d50b7299ac46863eeffa0b3
Instruction Fuzzy Hash: 1551BE716143019BDB149F68C8C9B6BB7E8AF89314F040A2DF9A5D32E0DB70DA44DF62

Function 00CBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CBAEA3

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetProcessId.KERNEL32(00000000), ref: 00CBAF38
CloseHandle.KERNEL32(00000000), ref: 00CBAF67

Strings

@, xrefs: 00CBAE72
<, xrefs: 00CBAE6B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 35b1601c5901d93328526f6f3703db829694c14e55db8486325439a56008f453
Instruction ID: f65a1834edd79e5c1846d977c8a9d0091023992578d0c2f52bcf9d718d3f7490
Opcode Fuzzy Hash: 35b1601c5901d93328526f6f3703db829694c14e55db8486325439a56008f453
Instruction Fuzzy Hash: AC715975A00619DFCB14DFA5C484A9EBBF0FF08314F048499E896AB3A2C774EE45DB91

Function 00C9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C972CF

Strings

DllGetClassObject, xrefs: 00C97242

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction ID: c94af2e4c131182f2a3762feac2fabf67362df9834204e21cb4ff3cbe9314f72
Opcode Fuzzy Hash: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction Fuzzy Hash: A4418E71625604EFDF15CF55C888B9A7BA9EF44710F2581ADFD099F20AD7B0DA40CBA0

Function 00CC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3E35
IsMenu.USER32(?), ref: 00CC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3E92
DrawMenuBar.USER32 ref: 00CC3EA5

Strings

0, xrefs: 00CC3D89

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction ID: 197cb634c908acf75219579f4c2d11b683e30326883f9c167aab2bf79d409997
Opcode Fuzzy Hash: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction Fuzzy Hash: E3414675A00249AFDB10DF50E884FAABBB9FF49354F04812DE925A7350D730AE85DFA0

Function 00C91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C91EA9

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Strings

ComboBox, xrefs: 00C91DF0
ListBox, xrefs: 00C91E25

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 2ca83ebc3c30465c02d42d07caa8b6b63472a769bb0e1e604e19854c026dee9b
Instruction ID: e6810aa35cc0b7628481310765fcc197df6856fc66cf271912a0487ab9b5e548
Opcode Fuzzy Hash: 2ca83ebc3c30465c02d42d07caa8b6b63472a769bb0e1e604e19854c026dee9b
Instruction Fuzzy Hash: D721F375A00104BBDF14AB64DC8EDFFB7B8EF45350F144129FD25A71E1DB744A0AA620

Function 00CC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC2F8D
LoadLibraryW.KERNEL32(?), ref: 00CC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC2FA9
DestroyWindow.USER32(?), ref: 00CC2FB1

Strings

SysAnimate32, xrefs: 00CC2F68

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction ID: e0ab4f80ed7a7112965bd3215bed84a85248fccd720db3586187332052d84b7a
Opcode Fuzzy Hash: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction Fuzzy Hash: 2421CD71600229AFEB218FA4DC80FBB77BDEB59364F10422CFA64D2190D771DC51A760

Function 00C54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002), ref: 00C54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000), ref: 00C54DC3

Strings

mscoree.dll, xrefs: 00C54D86
CorExitProcess, xrefs: 00C54D98

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction ID: a0f3e871e1c1e71c19ed9ccc0ade0286e017a9aaf424186608b7b911e0e3adb0
Opcode Fuzzy Hash: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction Fuzzy Hash: E7F0AF34A00208BBDB149F94DC89FEEBFF4EF04712F0400A4FD09A2260CB305A84DA94

Function 00C34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

Strings

kernel32.dll, xrefs: 00C34E94
Wow64DisableWow64FsRedirection, xrefs: 00C34EA8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction ID: 2230722403cb74e1c9c8f910f45e66a5402d8ef5cf33af1e4fbf79d46bf95cd3
Opcode Fuzzy Hash: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction Fuzzy Hash: 98E0CD36E115225BD2311726EC58F6FA554AFC1F62F090125FD08D2150DB60DE0240A1

Function 00C34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Strings

kernel32.dll, xrefs: 00C34E5B
Wow64RevertWow64FsRedirection, xrefs: 00C34E6E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction ID: d77244a13622a7278372d9f0474ee81c4ad6e73069f98e9894c7e04bcf7f6f79
Opcode Fuzzy Hash: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction Fuzzy Hash: 4AD05B379126316756361B66FC5CF9FAA18AF85F517090525F919E2114CF60DF02C5D0

Function 00CA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2C05
DeleteFileW.KERNEL32(?), ref: 00CA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CC0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 775673b502155bf667c326551bcfc15ceb4d40a0b62e83d6dba800eac720a528
Instruction ID: a1348f93f34bec373b09833f29133a77fd68a50e5048e1a766e4c7385ecdd3f9
Opcode Fuzzy Hash: 775673b502155bf667c326551bcfc15ceb4d40a0b62e83d6dba800eac720a528
Instruction Fuzzy Hash: 7CB16E72D0012AABDF25DFA8CC85EDEB77DEF49314F1040A6FA09E6141EA319E449F61

Function 00CBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CBA468
CloseHandle.KERNEL32(?), ref: 00CBA63D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction ID: b6c3130789f53a5619f68c6bc33c205eca4be233cee6d74012a787131799cbf2
Opcode Fuzzy Hash: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction Fuzzy Hash: 5EA1A371604301AFD720DF28C886F6AB7E5AF88714F14885DF69A9B292D770ED41CB92

Function 00C6BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CD3700), ref: 00C6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D01270,000000FF,?,0000003F,00000000,?), ref: 00C6BC36
_free.LIBCMT ref: 00C6BB7F

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6BD4B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 175076604f42216f6b73d78f7c71971516e1a225be15e4a9d3196efab1075e00
Instruction ID: fc5d9fa502b77ccb7b6652e64f803c89e0bef43c06e08dbec32b203fad23bcb8
Opcode Fuzzy Hash: 175076604f42216f6b73d78f7c71971516e1a225be15e4a9d3196efab1075e00
Instruction Fuzzy Hash: C451B775900209AFCB30DF75DDC1AAEB7B8EF40350B10426AE564D72A1EB309F819B64

Function 00C9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C9E473
MoveFileW.KERNEL32(?,?), ref: 00C9E4AC
_wcslen.LIBCMT ref: 00C9E5EB
_wcslen.LIBCMT ref: 00C9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C9E650

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction ID: 24edc0ceaa930685724101d4355b36567c6e35a4cef2328b866029c57e8153e3
Opcode Fuzzy Hash: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction Fuzzy Hash: F15172B24083859BCB24EB90DC859DFB3ECAF95340F00491EF599D3191EF74A688D76A

Function 00CBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CBBBB3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction ID: 0df58c10b1fce9c61eff87069ca39fb0e307e9befd26839c67c25b417fd48006
Opcode Fuzzy Hash: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction Fuzzy Hash: 1D619F31218241AFD714DF24C890F6ABBE5FF84308F14895CF49A8B2A2DB71ED45DB92

Function 00C98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98BCD
VariantClear.OLEAUT32 ref: 00C98C3E
VariantClear.OLEAUT32 ref: 00C98C9D
VariantClear.OLEAUT32(?), ref: 00C98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C98D3B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction ID: 1e1e3f0a0959502abee9eb98d0b1e81a9b67c6b3b03a7ba47bc5a835ba0151d0
Opcode Fuzzy Hash: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction Fuzzy Hash: E55159B5A0021AEFCB14CF68C894EAAB7F8FF89310B158559E919DB350E730E911CF90

Function 00CA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CA8C5F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 086a8c5b3d89376224472702ada029079a1fd3c4889058660577d89a571b3092
Instruction ID: 8812142bae495b67768074fa59e336deba0e47c6c83c5e3b375ae1cfa43befa0
Opcode Fuzzy Hash: 086a8c5b3d89376224472702ada029079a1fd3c4889058660577d89a571b3092
Instruction Fuzzy Hash: E7513875A00219AFCB14DF65C880A6EBBF5FF49318F088058E849AB362CB31ED51DF90

Function 00CB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CB9032
FreeLibrary.KERNEL32(00000000), ref: 00CB9052

Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CA1043,?,7529E610), ref: 00C4F6E6
Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C8FA64,00000000,00000000,?,?,00CA1043,?,7529E610,?,00C8FA64), ref: 00C4F70D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction ID: e4296553283010fb5294a9131c3c8d953bed3c83b41bccb8093d004f03ff9f5b
Opcode Fuzzy Hash: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction Fuzzy Hash: FE513735604205DFCB15EF58C4949EDBBB1FF49314F0880A8E91A9B362DB31EE86CB91

Function 00CC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CAAB79,00000000,00000000), ref: 00CC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CC6CC7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction ID: d8e3aa2ffee4f69217ff175e18781dccbd69c4a3bc906454edae5d6ea2d6a630
Opcode Fuzzy Hash: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction Fuzzy Hash: 1441C535A04104AFD724CF29CE98FA97BA5EB09350F15026CF9A9E73E1C771EE41DA50

Function 00C62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C620C3
_free.LIBCMT ref: 00C620E3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction ID: 0b45cfedf8bdef17851273e0d9c075bc36c69aa5973b36ddb1e820d528b205a8
Opcode Fuzzy Hash: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction Fuzzy Hash: C741B232A006049FCB34DF78C9C1A6DB7E5EF89314F154569E916EB392DA31AE01DB81

Function 00C4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C49141
ScreenToClient.USER32(00000000,?), ref: 00C4915E
GetAsyncKeyState.USER32(00000001), ref: 00C49183
GetAsyncKeyState.USER32(00000002), ref: 00C4919D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction ID: 26c2f5afdc02bd5e1ee43f1f6f35938ea7a162d955f5e0f51c59c7f1e9b30fff
Opcode Fuzzy Hash: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction Fuzzy Hash: 1141403190851AFBDF15AF64C848BEEB774FB05324F204319E439A72D0D734AA50DB51

Function 00CA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CA3922
TranslateMessage.USER32(?), ref: 00CA394B
DispatchMessageW.USER32(?), ref: 00CA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction ID: b8e5da05062753c603d3be1800a8c734406b83d8364946134f57ccfeb6f7f04a
Opcode Fuzzy Hash: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction Fuzzy Hash: E63185749043C39EEB25CB75D868BB737A8AB06308F04456DF47AC61E0E7B49785DB21

Function 00CACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFF2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9e3b464e7b7ebf4f653c9a27247580683cc6385b5efa7ba4e0a98f42b2e2c6ad
Instruction ID: 56883393f384b5514a094ab1567b609f193c736c0d86003c25f071c499595995
Opcode Fuzzy Hash: 9e3b464e7b7ebf4f653c9a27247580683cc6385b5efa7ba4e0a98f42b2e2c6ad
Instruction Fuzzy Hash: 7B314B71904206AFDB20DFE5CCC4AAEBBF9EB15359B10442EF51AD2150DB30AE41DB60

Function 00C91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C919E2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction ID: 6a96ed865d19a1192dc4d156b9e9f0f0d783a4bf95e03f22f6529f731b5c07a4
Opcode Fuzzy Hash: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction Fuzzy Hash: 8A319C71A0021AEFDB00CFA8C99EB9E3BB5EB04315F154229FD25A72D1C7709A54CB90

Function 00CC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CC579D
_wcslen.LIBCMT ref: 00CC57AF
_wcslen.LIBCMT ref: 00CC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction ID: 2ce8063b1c317b2f2de324dbaa907975eeb5bec223498e023514dc5b43223898
Opcode Fuzzy Hash: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction Fuzzy Hash: 8E216F75904618AADB209FA1CC85FEE77BCFF04724F10825AF929EA180D770AAC5CF54

Function 00CB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB0951
GetForegroundWindow.USER32 ref: 00CB0968
GetDC.USER32(00000000), ref: 00CB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CB09E8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction ID: 4227abba0c38bdbd7ed2fa88f04fc0b58952f15b7b27182ef079fb19324b1f16
Opcode Fuzzy Hash: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction Fuzzy Hash: E7218135A00204AFD704EF65C988FAEBBF9EF49740F148068F85A97752CB30AD04DB50

Function 00C6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C6CDE9

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C6CE0F
_free.LIBCMT ref: 00C6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C6CE31

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction ID: 520e5d7497bed13481133e2bd4dfc8a40a67dafed8a73d980125cfd5e437bf1d
Opcode Fuzzy Hash: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction Fuzzy Hash: D301D472A062157F233116B7ACC8E7F797DDEC6BA13190129F909C7201EA668E0191B0

Function 00C49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
SelectObject.GDI32(?,00000000), ref: 00C496A2
BeginPath.GDI32(?), ref: 00C496B9
SelectObject.GDI32(?,00000000), ref: 00C496E2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction ID: 7b2a34df3ef234e19b49f9a2b8cb72140a24f3ad77560a69252e470619fbb6e1
Opcode Fuzzy Hash: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction Fuzzy Hash: E9213934802315EBDB119F65EC58BEE3BA9FB50365F15021AF428A62A0D3709992DFA4

Function 00C95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95726
_memcmp.LIBVCRUNTIME ref: 00C95744
_memcmp.LIBVCRUNTIME ref: 00C95757
_memcmp.LIBVCRUNTIME ref: 00C9576F
_memcmp.LIBVCRUNTIME ref: 00C95787

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction ID: 0b26477cae86cf08df936a467a3a4ab51a3653dd54907bcfa8f52653a18d158c
Opcode Fuzzy Hash: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction Fuzzy Hash: 730145A5341608BBDA095651ED9AFBB334D9B20395F040038FD049A640F730EF5183A4

Function 00C62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6), ref: 00C62DFD
_free.LIBCMT ref: 00C62E32
_free.LIBCMT ref: 00C62E59
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E66
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E6F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6e8fb9ae6dc39ec7039461db8fad08e64158ecc29afd682ab0c9da07991e62f5
Instruction ID: 30fce1f55e9eb4f57f32697549e009b9219967923249df592822675ac97cb537
Opcode Fuzzy Hash: 6e8fb9ae6dc39ec7039461db8fad08e64158ecc29afd682ab0c9da07991e62f5
Instruction Fuzzy Hash: B801F436645E006BC73227356CC5F6F265DABD13A2B254038F435A22E3EB268D015120

Function 00C9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90070

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction ID: ec55ff35b4a0b7f0d49321ad77de1af904a1a372fbee323594b2943ebb8ce6be
Opcode Fuzzy Hash: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction Fuzzy Hash: E3018B72600204BFDF108F69DC88FAE7BEDEB44792F245124F909D2210E775DE408BA0

Function 00C9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C9E9A5
Sleep.KERNEL32(00000000), ref: 00C9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C9E9B7
Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction ID: 7e650eb67f08105a2604ac07e1a5008ec795fd0854d4d6f178bcbf4bf239c1bc
Opcode Fuzzy Hash: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction Fuzzy Hash: A0011B31C01529DBCF00EBE5DC9DBDDBB78FB19701F060556E516B2151CB309A6587A1

Function 00C910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction ID: a12901f5b3a2fd9cea489fc2cfd959c69c8acd8a4fd1bab12fffd8b0b51cecc4
Opcode Fuzzy Hash: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction Fuzzy Hash: 1C01F675200205BFDB114FA5DC8DF6E3B6EEF892A0B284419FA49D6260DB31DD119B60

Function 00C90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction ID: 5aec05b60f408a881dbd5bda9915e64aa4cc75b0bf10ec12926145070bcbae9f
Opcode Fuzzy Hash: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction Fuzzy Hash: 34F03735200302EFDB214FA5EC8EF5A3BA9EF89762F184414FE5986251CA71D8508A60

Function 00C91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction ID: 2096eff65c76a88b5d559761f38e6cdc1b1c8691a58e10929df077afbaee4337
Opcode Fuzzy Hash: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction Fuzzy Hash: 7BF06D35200302EBDB215FA5EC8DF5A3BADFF897A1F180414FE59C7250CA71D9508A60

Function 00CA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0324
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0331
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA033E
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA034B
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0358
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0365

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction ID: b55387ca4953e58ac621422dc86c8ebb9b99c9e428943070025b1a28e6f98aac
Opcode Fuzzy Hash: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction Fuzzy Hash: 3601A272801B169FCB309F66D880816F7F5BF613593258A3FD1A652931C371AA54DF80

Function 00C6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6D752

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D764
_free.LIBCMT ref: 00C6D776
_free.LIBCMT ref: 00C6D788
_free.LIBCMT ref: 00C6D79A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction ID: 11e1d4673e47b3ec5c00d1d865601c391c9908df6634cec7fe33d250efef2cd6
Opcode Fuzzy Hash: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction Fuzzy Hash: FAF03632B44608AB8635EB64FAC5E2A77DDBB44750B940C05F059D7545CB30FD80D666

Function 00C95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C95C6F
MessageBeep.USER32(00000000), ref: 00C95C87
KillTimer.USER32(?,0000040A), ref: 00C95CA3
EndDialog.USER32(?,00000001), ref: 00C95CBD

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction ID: 9257a76e6cc7fe96fa8fca62a221ce8d8021b4ab66b2bebf1588d3b113714bf7
Opcode Fuzzy Hash: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction Fuzzy Hash: 7E018130500B04ABEF215B10DE8EFEA77B8BB04B05F000559F697A15E1DBF0AA848B90

Function 00C622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C622BE

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C622D0
_free.LIBCMT ref: 00C622E3
_free.LIBCMT ref: 00C622F4
_free.LIBCMT ref: 00C62305

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction ID: ace9e2f7105591842ce2a267224b4b38fae66df16f3a3070db84eda6d7016f92
Opcode Fuzzy Hash: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction Fuzzy Hash: 06F03074600B159BC726AF64BC82B5C3FA4BB187A1B00050AF418D63B1C7300511BBB9

Function 00C495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C495D4
StrokeAndFillPath.GDI32(?,?,00C871F7,00000000,?,?,?), ref: 00C495F0
SelectObject.GDI32(?,00000000), ref: 00C49603
DeleteObject.GDI32 ref: 00C49616
StrokePath.GDI32(?), ref: 00C49631

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction ID: d789674bc78da7c305e5c217b2d11296c2737295910c6a72572f79a69608a7e3
Opcode Fuzzy Hash: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction Fuzzy Hash: 67F0C439406308EBDB269F69ED5CBA93B65FB05322F148218F47E952F0C7348A95DF21

Function 00C60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C610F9
__freea.LIBCMT ref: 00C61117

Part of subcall function 00C61537: _free.LIBCMT ref: 00C6154F

Strings

a/p, xrefs: 00C611DE
am/pm, xrefs: 00C6117A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction ID: 20e0097986e4e7330544d680253aa87985fc2a0ecc73897bceb1be608a978a1c
Opcode Fuzzy Hash: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction Fuzzy Hash: 14D1E131900246DADB349F69C8D57BEB7B1EF06302F2C4169ED26AB761D3359E80CB91

Function 00CB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C50242: EnterCriticalSection.KERNEL32(00D0070C,00D01884,?,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5024D
Part of subcall function 00C50242: LeaveCriticalSection.KERNEL32(00D0070C,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5028A

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

__Init_thread_footer.LIBCMT ref: 00CB7BFB

Part of subcall function 00C501F8: EnterCriticalSection.KERNEL32(00D0070C,?,?,00C48747,00D02514), ref: 00C50202
Part of subcall function 00C501F8: LeaveCriticalSection.KERNEL32(00D0070C,?,00C48747,00D02514), ref: 00C50235

Strings

G, xrefs: 00CB7C7F
Variable must be of type 'Object'., xrefs: 00CB7C3A
5, xrefs: 00CB7C78

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 797d42c07ea65bdd78890e5394f58261e7bcc67026de214c42873c9efb9d467b
Instruction ID: f1b049db6835b94c8651afd2c432c79406bb50b0670ba123dd406fdbd6a89b95
Opcode Fuzzy Hash: 797d42c07ea65bdd78890e5394f58261e7bcc67026de214c42873c9efb9d467b
Instruction Fuzzy Hash: BA91AC70A04209AFCF14EF64D895DEDBBB1FF84300F108159F8169B292DB71AE45DB51

Function 00C92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921D0,?,?,00000034,00000800,?,00000034), ref: 00C9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C92760

Part of subcall function 00C9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C9B3F8

Part of subcall function 00C9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C9B355
Part of subcall function 00C9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B365
Part of subcall function 00C9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9281A

Strings

@, xrefs: 00C92832

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction ID: 1bd1f3fa693d0337665e4423c3fdf301601af7dda207a1a9defad1b88b266bd6
Opcode Fuzzy Hash: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction Fuzzy Hash: 97410972900218BFDF10DBA4D985FEEBBB8AF09700F104095FA95B7191DA706E45DBA1

Function 00C6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C61769
_free.LIBCMT ref: 00C61834
_free.LIBCMT ref: 00C6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C61760, 00C61767, 00C61796, 00C617CE

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction ID: 198e8ea7c9d3ecd962c8319f16e11a470ec99600c01c645ac733599fa0e3edb7
Opcode Fuzzy Hash: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction Fuzzy Hash: 95317E75A00218EBDB31DF9A98C5E9EBBFCEB89311B18416AF814D7251D6708A41DBA0

Function 00C9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D01990,01736618), ref: 00C9C395

Strings

0, xrefs: 00C9C2DF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction ID: e9aeb6cad25199ca9322eaa7fec9cc5d53e22351a3c4c1de0370df328183788d
Opcode Fuzzy Hash: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction Fuzzy Hash: 3141BF712443019FDB20DF29D8C8B9ABBE8BF85320F008A5DF8A5972E1D770E904DB52

Function 00CC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CCCC08,00000000,?,?,?,?), ref: 00CC44AA
GetWindowLongW.USER32 ref: 00CC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC44D7

Strings

SysTreeView32, xrefs: 00CC447C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction ID: 253494e1b93a039b6187cc0266705200565c960ae6555fd9b94cd063ba61b760
Opcode Fuzzy Hash: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction Fuzzy Hash: 93319C31210605AFDB288F38DC95FEA7BA9EB08334F208729F979921E0D770ED519B50

Function 00CB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CB3077,?,?), ref: 00CB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
_wcslen.LIBCMT ref: 00CB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CB3106

Strings

255.255.255.255, xrefs: 00CB3095, 00CB309A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction ID: 9ed496df6e18e632ded9c0e08c5ed83564bdf273f9e03e646bb5206f2f1df04d
Opcode Fuzzy Hash: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction Fuzzy Hash: 6331E1396002819FCB10DF68D885EAA77E4EF54318F248059E8258B3A2DB72EF45CB60

Function 00CC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC471A

Strings

msctls_updown32, xrefs: 00CC4684

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction ID: 24f99df6ccbf2c6ded382081880749807d4a528ff35cc5018bf430d0cf7fc625
Opcode Fuzzy Hash: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction Fuzzy Hash: 87215CB5600208AFDB14DF64DCD1EAB37ADEB4A3A4B044059FA14DB351CB30ED51DB60

Function 00C995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9961D

Strings

#requireadmin, xrefs: 00C995D9
#OnAutoItStartRegister, xrefs: 00C995F3
#notrayicon, xrefs: 00C995B7

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 64345b8f264f0b1b92bba896a5fca1a7b38bd5b6befe443003869f24eae03af8
Instruction ID: 7d4f6ad599985fc03118a6fe757838d29c2b5726e5102a109b3d920b7fd6d5a1
Opcode Fuzzy Hash: 64345b8f264f0b1b92bba896a5fca1a7b38bd5b6befe443003869f24eae03af8
Instruction Fuzzy Hash: 15213872104510A6DB31AB2DDC1AFB773A8DF51310F10402EF95997041EBB1EE86D2D5

Function 00CC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CC3876

Strings

Listbox, xrefs: 00CC380F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction ID: 6d2a718a3ea56d4afb1a4a24450338be5da37aafab9bfa894d2212bb0657e451
Opcode Fuzzy Hash: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction Fuzzy Hash: 3E21BE72610218BBEB219F54EC85FBB376EEF89750F118129F9149B190C671DD528BA0

Function 00CA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00CCCC08), ref: 00CA4AD0

Strings

%lu, xrefs: 00CA4A6F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction ID: bf6b4b7f83e0fa76febc2376d90e31f91ef5b070be9edd19c77ee74782443f6e
Opcode Fuzzy Hash: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction Fuzzy Hash: DA317171A00109AFDB10DF54C885EAE7BF8EF49308F1480A9F909DB252D771EE46DB61

Function 00CC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CC4271

Strings

msctls_trackbar32, xrefs: 00CC4226

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction ID: c0be4c41a019a79f4f143f94d32eb74c01fda5eac1dd828fbfb876eab3f8acb1
Opcode Fuzzy Hash: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction Fuzzy Hash: 1D110232240208BEEF205F29CC46FAB3BACEF85B64F014128FA55E20A0D271DC619B20

Function 00C92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Part of subcall function 00C92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
Part of subcall function 00C92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
Part of subcall function 00C92DA7: GetCurrentThreadId.KERNEL32 ref: 00C92DDD
Part of subcall function 00C92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

GetFocus.USER32 ref: 00C92F78

Part of subcall function 00C92DEE: GetParent.USER32(00000000), ref: 00C92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C92FC3
EnumChildWindows.USER32(?,00C9303B), ref: 00C92FEB

Strings

%s%d, xrefs: 00C92FFF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction ID: 59d947b1ec7317a189784d33b45e7b7b5bb5672e27b958e00940aa0a7c742d95
Opcode Fuzzy Hash: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction Fuzzy Hash: 3F11AF716002456BCF147F60CCC9FEE776AAF84304F048079FA099B292DF309A4AEB60

Function 00CC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58EE
DrawMenuBar.USER32(?), ref: 00CC58FD

Strings

0, xrefs: 00CC588F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ec45b1dc48f995f207a5d2fbab5f3fb953eb9e4005d7d5b8c932962d40ca9f7a
Instruction ID: e1d744c47e9d74e15f269c5202e06163c8276b9fcbcf3a65c23054da346e7dbe
Opcode Fuzzy Hash: ec45b1dc48f995f207a5d2fbab5f3fb953eb9e4005d7d5b8c932962d40ca9f7a
Instruction Fuzzy Hash: EF011771500218EEDB219F11DC44FAEBBB8FB85361F1080ADE849D6251DB319A96EF21

Function 00C9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction ID: ab210d7ed624c178e5d052448a251ca557eada402a2d3573f19f1a4858a16d10
Opcode Fuzzy Hash: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction Fuzzy Hash: CBC12B75A00216EFDB14CFA4C898BAEB7B5FF48704F208598E915EB261D731DE81DB90

Function 00C63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C63F0B
__alldvrm.LIBCMT ref: 00C6410C
__alldvrm.LIBCMT ref: 00C6412E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 74dd1a6d1f4c88daba86cb50b780720eaaf84e5f66765901e2a165da7037f557
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3DA17971E003969FDB3ACF58C8C17AEBBE4EF62350F1841ADE5959B281C2348E81C751

Function 00CB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CB3459
CoUninitialize.OLE32 ref: 00CB3463
VariantInit.OLEAUT32(?), ref: 00CB346E
VariantClear.OLEAUT32(?), ref: 00CB371B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0ecfb8620d260c82517142f0baaf00e6c099d2905956bb4385fc3d9a991ec3e3
Instruction ID: 57012c5b9e42c1c4468febca0c5186d999b2a3fe36afd3b4c37dfe4b144c03f5
Opcode Fuzzy Hash: 0ecfb8620d260c82517142f0baaf00e6c099d2905956bb4385fc3d9a991ec3e3
Instruction Fuzzy Hash: 3CA188756143009FCB14DF29C485A6AB7E4FF88314F04895DF98AAB362DB30EE05DB92

Function 00C90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C90608
CLSIDFromProgID.OLE32(?,?,00000000,00CCCC40,000000FF,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C9062D
_memcmp.LIBVCRUNTIME ref: 00C9064E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction ID: e7f8b2844b528f5b02ede13289d0bb70d7948ec82ac9ab015f070df90430099b
Opcode Fuzzy Hash: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction Fuzzy Hash: 9F81B475A00109AFCF04DF94C988EAEB7B9FF89315F204598F516AB250DB71AE46CB60

Function 00CBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CBA6BA

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CBA79C
CloseHandle.KERNEL32(00000000), ref: 00CBA7AB

Part of subcall function 00C4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C73303,?), ref: 00C4CE8A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ed6e3816ad2e8a2411c2babd60e660667956a9532133122bb372711c98617798
Instruction ID: 9ad51539b33a7f3c611a5cff5dc4c0754e4c6333f9c09d796db1214be31260f0
Opcode Fuzzy Hash: ed6e3816ad2e8a2411c2babd60e660667956a9532133122bb372711c98617798
Instruction Fuzzy Hash: 91513AB1508300AFD710EF25C886A6FBBE8FF89754F00891DF599972A1EB71D904DB92

Function 00C71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C714C0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 613627b2e6db41811dec47086e5658226fabb56f8724d7e70dd8918a8db4f64f
Instruction ID: eb7a96c11009e716454cbbf47ed880375512e184108f4fe7a524eeeec498ffaf
Opcode Fuzzy Hash: 613627b2e6db41811dec47086e5658226fabb56f8724d7e70dd8918a8db4f64f
Instruction Fuzzy Hash: 77415F756005006BDB356BFD8C86ABE3AA5EF41770F2CC625FC2DD7191E6348A427272

Function 00CC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC62E2
ScreenToClient.USER32(?,?), ref: 00CC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CC6382

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction ID: 05cd4f169e47fe2323f7c252066a1b049e6570c4ebb9d70f12b7df7376d9d735
Opcode Fuzzy Hash: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction Fuzzy Hash: 33510A74A00249EFDB10DF68DA80EAE7BB5EF45360F14816DF9659B2A0D730EE81CB50

Function 00CB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CB1AFD
WSAGetLastError.WSOCK32 ref: 00CB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB1B8A
WSAGetLastError.WSOCK32 ref: 00CB1B94

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction ID: 1d34c62d13e3490934d58b8550b57138d18f2a41a8d64c43758e7b205a4d7949
Opcode Fuzzy Hash: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction Fuzzy Hash: 8341D074640200AFE720AF24C886F6A77E5AB44718F58C44CFA2A9F3D3D772ED419B90

Function 00C6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction ID: 242fdd91a851fc517375f8edccb7809b7aad17c993a32df740e3191036d5d1e4
Opcode Fuzzy Hash: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction Fuzzy Hash: F3413871A00314AFD734AF38CC81BBABBE9EB84710F10852EF556DB281D7719D818790

Function 00CA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CA5783
GetLastError.KERNEL32(?,00000000), ref: 00CA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CA57FA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction ID: f3c93116c56df0b1292719617f0a30c4cb4dca18090b00023ff05dd77d1d3220
Opcode Fuzzy Hash: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction Fuzzy Hash: 21413E39610611DFCB25DF15C484A5DBBE1EF49324F18C488E85AAB362CB34FD00DB91

Function 00C6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C56D71,00000000,00000000,00C582D9,?,00C582D9,?,00000001,00C56D71,8BE85006,00000001,00C582D9,00C582D9), ref: 00C6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C6D9AB
__freea.LIBCMT ref: 00C6D9B4

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction ID: da0e26a0042c6b59f55d420ab6fa07edd6f92e725fd62458a37764d1d553c2bc
Opcode Fuzzy Hash: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction Fuzzy Hash: 5631D072A1020AABDF249F65DC85EAF7BA5EB40310B054168FC15D7150EB35CE54DB90

Function 00CC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CC5352
GetWindowLongW.USER32(?,000000F0), ref: 00CC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC53A8

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction ID: e16e33f28c18d0ce9f0479dfdd5ac617d53fce54df41cf73636e253f65bb03ec
Opcode Fuzzy Hash: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction Fuzzy Hash: CF31C234B55A88EFEB309F14CC45FE87765AB04390F5C410AFA25962F1C7B0BAC0AB51

Function 00C9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C9AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C9ACC6

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction ID: a40d70bf28f78054702df0dea4cdffe0386ffee576b9b486bdca9c5fe32ca850
Opcode Fuzzy Hash: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction Fuzzy Hash: 82310730A007186FEF35CB69CC0CBFE7BA5AB89311F04471AE4A59A1D1C3768A8597D2

Function 00CC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CC769A
GetWindowRect.USER32(?,?), ref: 00CC7710
PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720
MessageBeep.USER32(00000000), ref: 00CC778C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction ID: 6f104d155bb542ab8f5c4dc202c79a205c7201e7e2ed4e54f300db2a29f31301
Opcode Fuzzy Hash: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction Fuzzy Hash: 22415B38A052189FCB12CF68D894FA977F5FB49314F1542ADE428DB261C730EA41CF90

Function 00CC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CC16EB

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

GetCaretPos.USER32(?), ref: 00CC16FF
ClientToScreen.USER32(00000000,?), ref: 00CC174C
GetForegroundWindow.USER32 ref: 00CC1752

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction ID: 575bcfbda4dbb4dc14a448b5a5a2b6a378fbb6838ff3fa0c27a80ebb654641bf
Opcode Fuzzy Hash: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction Fuzzy Hash: B9315075D10149AFCB04EFAAC8C1DAEB7F9EF49304B5480A9E415E7212DB319E45DFA0

Function 00CC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetCursorPos.USER32(?), ref: 00CC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C87711,?,?,?,?,?), ref: 00CC9016
GetCursorPos.USER32(?), ref: 00CC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C87711,?,?,?), ref: 00CC9094

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction ID: 038777007b108485128f51c0c3cbc68315fe3b3edd7e10a83ecd23074e06a723
Opcode Fuzzy Hash: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction Fuzzy Hash: 56217C35600118EFDB258F94D898FEA7BB9EB8D350F144069F9198B2A1C7319A90EB60

Function 00C9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CCCB68), ref: 00C9D2FB
GetLastError.KERNEL32 ref: 00C9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CCCB68), ref: 00C9D376

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction ID: 7f905be847fee09507ea24f2ba22cb3dd78e36704bd0f9366be9ca9b45a8f970
Opcode Fuzzy Hash: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction Fuzzy Hash: 2F218D705082019F8B00DF28C88596EB7F4FF56365F104A1DF4AAE32A1D730DA46CB93

Function 00C91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
Part of subcall function 00C91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
Part of subcall function 00C91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
Part of subcall function 00C91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C915BE
_memcmp.LIBVCRUNTIME ref: 00C915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C91617
HeapFree.KERNEL32(00000000), ref: 00C9161E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction ID: debbf63a68ead846fcac61f539add0e718f257ab83ee1d6fb666542ce4410a37
Opcode Fuzzy Hash: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction Fuzzy Hash: AD217A31E4010AAFDF00DFA4C94ABEEB7B8EF44354F094459E855AB241E730AB05DBA0

Function 00CC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC2840

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction ID: 5f80873af8ffd701f5d6257b12025decfc194377e55663372acd5bf0bbca0da5
Opcode Fuzzy Hash: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction Fuzzy Hash: 9521B035204511AFD714DB24C895FAA7BA5EF85324F14815CF42ACB6E2CB71FD82CB90

Function 00C978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98D8C
Part of subcall function 00C98D7D: lstrcpyW.KERNEL32(00000000,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C98DB2
Part of subcall function 00C98D7D: lstrcmpiW.KERNEL32(00000000,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97923
lstrcpyW.KERNEL32(00000000,?,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97984

Strings

cdecl, xrefs: 00C9797B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 74e4742e424df6a0ab5d406bfb36919a95e8c98e4383537b24f2eb4c9fbbdb50
Instruction ID: 13f433af09cc8294011cac38e70865225bca86a4023854371fedade771986d52
Opcode Fuzzy Hash: 74e4742e424df6a0ab5d406bfb36919a95e8c98e4383537b24f2eb4c9fbbdb50
Instruction Fuzzy Hash: 1711263A201302AFCF15AF35D848E7B77A9FF85750B10412AF906CB2A4EF319901D7A1

Function 00CC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CAB7AD,00000000), ref: 00CC7D6B

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction ID: 256e5b19cfe5aa10f1b66f65ca7aeb7578040d0c6c614477809e3b411021af6c
Opcode Fuzzy Hash: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction Fuzzy Hash: 58115C36605615AFCB109F28DC44FAA3BA5EF45360F258728F83AD72E0D7309A51DF90

Function 00CC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CC56BB
_wcslen.LIBCMT ref: 00CC56CD
_wcslen.LIBCMT ref: 00CC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction ID: afaec9130d98ff7382f9d77ff4a79dab6c7950e060ab58a7bbfa046ce39ff4eb
Opcode Fuzzy Hash: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction Fuzzy Hash: D611D375A00608A6DF20DF65CC85FEE77ACEF11764B10416EF925D6181E770EAC4CB64

Function 00C61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dfa6236b6647dea1f255d3ee5340b0016608447b9c4b9b2758ec18c6157751
Instruction ID: 5077cb2bd06ec382f9cd1906900ad6eca93097aa33ab2f291b86636ff7e43c4e
Opcode Fuzzy Hash: 73dfa6236b6647dea1f255d3ee5340b0016608447b9c4b9b2758ec18c6157751
Instruction Fuzzy Hash: 8001D1B2609A163EFA322A796CC1F2B661CDF817B9F3C0325F931A12D2DB608D406170

Function 00C91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A8A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction ID: 35793562e6b7ff33a07fbdcd17bbc9d3b12ef654ca2f11f340397b1c93e73f2e
Opcode Fuzzy Hash: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction Fuzzy Hash: 0F11F73AD01219FFEF119BA5C985FADBB78EB08750F240091EA14B7290DA716E50EB94

Function 00C9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C9E24D

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction ID: e2ae8dc95244783b38f786ca216041c805aa695ccafc381b7bbceabe67e9b63c
Opcode Fuzzy Hash: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction Fuzzy Hash: 2011A176904258BBCB01DBA8EC49B9E7BACAB45720F144265F929E3391D6B0CA0487A0

Function 00C5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C5CFF9,00000000,00000004,00000000), ref: 00C5D218
GetLastError.KERNEL32 ref: 00C5D224
__dosmaperr.LIBCMT ref: 00C5D22B
ResumeThread.KERNEL32(00000000), ref: 00C5D249

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction ID: 97ef18a95fb2ff94235b1752317ac3ef33dd1763e3773295e2b56a223b8a7db7
Opcode Fuzzy Hash: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction Fuzzy Hash: D501D67A4053047BC7315BA6DC45BAF7A69DF81333F140219FD26921D0DB70CD8AD6A4

Function 00CC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetClientRect.USER32(?,?), ref: 00CC9F31
GetCursorPos.USER32(?), ref: 00CC9F3B
ScreenToClient.USER32(?,?), ref: 00CC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CC9F7A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction ID: f3043a2843e9e962fe50c3eda824a805e3cb2b68c2915ad7c395d50d5753ab4f
Opcode Fuzzy Hash: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction Fuzzy Hash: 4911153690021AEBDB10DFA8D889FEE77B9FB45311F000459F911E3150D730BA92DBA1

Function 00C3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
GetStockObject.GDI32(00000011), ref: 00C36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction ID: d78d44e4792580d4151fcd0acbb8cb1dec2101a5590c1fd7fd269794397018e3
Opcode Fuzzy Hash: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction Fuzzy Hash: 44115B72511509BFEF164FA4DC85FEEBF69EF093A4F044215FA2892110DB32DD60ABA4

Function 00C53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C53B56

Part of subcall function 00C53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C53AD2
Part of subcall function 00C53AA3: ___AdjustPointer.LIBCMT ref: 00C53AED

_UnwindNestedFrames.LIBCMT ref: 00C53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C53BA4

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d910e29e8ea132157d5c74ffd3aa5886169b47873306381bcb278e6d3e459757
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 76014C36100188BBDF125E95CC42EEB3F6EEF88799F044014FE5896121C732E9A5EBA4

Function 00C63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C313C6,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue), ref: 00C630A5
GetLastError.KERNEL32(?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000,00000364,?,00C62E46), ref: 00C630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000), ref: 00C630BF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction ID: 5f3e3869453636294de3c1d20d151a1e6b57e0a84a514f47c123de8fa8036065
Opcode Fuzzy Hash: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction Fuzzy Hash: 0601F732301262ABCB314B79ECC4F5B7B98EF45BA1B140620F929E3180C721DA0AC7E0

Function 00C97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C974CA

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction ID: 488b5e183bbab7b37841fb289aa221399bfcf3b45fb18ba3f8f24424732e86f1
Opcode Fuzzy Hash: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction Fuzzy Hash: B7118EB12163109BEB20CF15DC4CFA67BFCEB00B00F108669E62AD6152D770E944DF90

Function 00C9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B126

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction ID: 1208956aa9af2cdcafc73c82a0c1c40beb81715f5f289ba78e008f5d6782ce98
Opcode Fuzzy Hash: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction Fuzzy Hash: 30115B71C01A2CE7CF00AFE5EAACBEEBB78FF49711F114095D951B2181CB305A508B91

Function 00C92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
GetCurrentThreadId.KERNEL32 ref: 00C92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction ID: ed0e519ce739e8319a1a86139f87005dac7e0ce0867b7482366e7c74c0bd9125
Opcode Fuzzy Hash: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction Fuzzy Hash: 17E01272501224BBDB201B73DD8DFEF7E6CEF56BA5F450115F50AD10909AA5C941C6B0

Function 00CC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CC8887
LineTo.GDI32(?,?,?), ref: 00CC8894
EndPath.GDI32(?), ref: 00CC88A4
StrokePath.GDI32(?), ref: 00CC88B2

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction ID: d21caaa4036f4b54312444ef5d140bc51d8a8ce1478e7ffef1af63480003b1c3
Opcode Fuzzy Hash: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction Fuzzy Hash: 6AF05E36041258FADB125F94EC09FDE3F59AF06710F048004FA65655E1C7755611DFE5

Function 00C498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C498CC
SetTextColor.GDI32(?,?), ref: 00C498D6
SetBkMode.GDI32(?,00000001), ref: 00C498E9
GetStockObject.GDI32(00000005), ref: 00C498F1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction ID: 26d9d8f2bb20daa6e2612d922e01c39b8cba2f5a8dc0c21557d63a19b1d89f9a
Opcode Fuzzy Hash: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction Fuzzy Hash: A6E03931644280AADB215B75EC49BED3B20AB52336F188219F6BE980E1C37286409B10

Function 00C9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C911D9), ref: 00C91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9164F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction ID: 41aceaa9b3775fab5abb1196cfd9964758b70b3bbace6a278b9d42ec109ea27e
Opcode Fuzzy Hash: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction Fuzzy Hash: 99E08671A01211DBDB201FA0ED4DF8A3B7CFF44791F1C4808F659C9090D634C541C750

Function 00C8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D858
GetDC.USER32(00000000), ref: 00C8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction ID: 6886d425e40ad54f40b5abbd3eea32afe52202a541da1d3ee23ff84e0b350cde
Opcode Fuzzy Hash: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction Fuzzy Hash: E6E0BFB5800205DFCF41AFA5D98CB6DBBB5FB08311F148459F85BE7250C7399942AF50

Function 00C8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D86C
GetDC.USER32(00000000), ref: 00C8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction ID: b6e28d021bed072ee2a4a20b8031e96b4221a5833d7512a2307dcea63ad09873
Opcode Fuzzy Hash: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction Fuzzy Hash: 4DE0B6B5C00204EFCF51AFA5D98CB6DBBB5FB08311F148449F95AE7250CB399902AF50

Function 00CA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CA4ED4

Strings

LPT, xrefs: 00CA4DFB
*, xrefs: 00CA4E10

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8bf7485f65a6396acbf6494f2696a952028817bcdeb444febea769211415293f
Instruction ID: dc6c6f2879f080911fe12c29f74736a496dd06d02ec01e9e1549b67d070b37d9
Opcode Fuzzy Hash: 8bf7485f65a6396acbf6494f2696a952028817bcdeb444febea769211415293f
Instruction Fuzzy Hash: BC917575900205DFCB18DF98C884EA9BBF1BF85308F158099E41A9F362D775EE85CB91

Function 00C5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C5E30D

Strings

pow, xrefs: 00C5E2E5, 00C5E302

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a2cc0a43f281913c08e5a2c61bedc9da324ee767a74469c975d2ef48446ea737
Instruction ID: 83a3443747db9555ceabe7349bd99ae048eed82487fb44fe2fcde9c75792bc20
Opcode Fuzzy Hash: a2cc0a43f281913c08e5a2c61bedc9da324ee767a74469c975d2ef48446ea737
Instruction Fuzzy Hash: 72519E65A0C20196CB297714CD8137D3B949B10746F304E99E8F5822F9EB358FCD9A4A

Function 00C4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C4E1B1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 073654feeccb1abb01e66767bf204597a7371b4e76ff7fee05e60d9bba78b006
Instruction ID: f6633faa6a17392ba16adfe8bc4c9f5ff9ecb5cab7c71d15b03146fd11e6b3ed
Opcode Fuzzy Hash: 073654feeccb1abb01e66767bf204597a7371b4e76ff7fee05e60d9bba78b006
Instruction Fuzzy Hash: E8514475A04246DFDB24EF68C481ABE7BA4FF16314F248059ECA19B2C0D7349E42DBA4

Function 00C4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C4F2BB

Strings

@, xrefs: 00C4F2AF

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction ID: 8baca83c2fcd67e6e6ddb4188e82f8e08b208dccb46520268a7e030a3a2163a8
Opcode Fuzzy Hash: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction Fuzzy Hash: E25135724187489BD320AF54DC86BAFBBF8FB88300F81895DF1D9511A5EB708529CB67

Function 00CB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CB57E0
_wcslen.LIBCMT ref: 00CB57EC

Strings

CALLARGARRAY, xrefs: 00CB57E6, 00CB57EB

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 1adddeef041bbbb0f38b4054225602f57cc1829379d04d80f185d9c7d1f460d4
Instruction ID: e38856eff3498c1c172a58c0ffd5eff98e3c551c3c29afb26d744d10b4223b91
Opcode Fuzzy Hash: 1adddeef041bbbb0f38b4054225602f57cc1829379d04d80f185d9c7d1f460d4
Instruction Fuzzy Hash: 4F41BE71E402099FCF14DFA9C885AFEBBB5FF59324F144029E515A7291E7319E81CB90

Function 00CAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CAD13A

Strings

|, xrefs: 00CAD10B

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction ID: bb7a821fad97a03bb62f5fd3bf769d023b6f3853e634362278d645a83ac15c9e
Opcode Fuzzy Hash: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction Fuzzy Hash: A5315D71D10209ABCF15EFA5CC85AEEBFB9FF09314F004019F916A6161D735AA46DF50

Function 00CC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CC365C

Strings

static, xrefs: 00CC35BC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 01a32af2205a66aaaec7d9ab336bd836f5ccae7ace091bd72570bce6a99633bc
Instruction ID: 8ae7b7ced2bf437cb9407cea8e8f59a5e19c7328adaeaa6625b2187f2040a29f
Opcode Fuzzy Hash: 01a32af2205a66aaaec7d9ab336bd836f5ccae7ace091bd72570bce6a99633bc
Instruction Fuzzy Hash: 71318B71110244AADB10DF68DC81FFB73A9FF88720F10961DF9A997290DA31AE81DB64

Function 00CC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC4634

Strings

', xrefs: 00CC458E

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction ID: c97a6520ad11441923009acc73ed3caf68827c5b8ab0c6f13ff54059c6fc3109
Opcode Fuzzy Hash: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction Fuzzy Hash: F1311974A013099FDB18CF69C990FDA7BB5FF49300F14806AE915AB355D770A941CF90

Function 00CC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC3287

Strings

Combobox, xrefs: 00CC3249

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction ID: 4d4199173554edb6db60fd6ddada85022e242dbb1fc6a6b58e63a303b5630426
Opcode Fuzzy Hash: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction Fuzzy Hash: 6311B2713002487FEF259F54EC81FBB376AEB94364F108129F92897292D6719E519760

Function 00CC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

GetWindowRect.USER32(00000000,?), ref: 00CC377A
GetSysColor.USER32(00000012), ref: 00CC3794

Strings

static, xrefs: 00CC3757

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction ID: 0d27198dbd48e86b7c48a907f673df6fe31210481ed9a2445a08285038a9abf3
Opcode Fuzzy Hash: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction Fuzzy Hash: 1F1129B2610209AFDB01DFA8DD4AFEE7BB8EB08314F004518F965E2250D735E9519B60

Function 00CACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CACDA6

Strings

<local>, xrefs: 00CACD66

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction ID: c4d0354118e98ba0c5fe02aeed72135b9d26eefcbf01a310bbcc5108a41b406b
Opcode Fuzzy Hash: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction Fuzzy Hash: E211A371A056367AD7244B668CC9FE7BE68EB137A8F004226F12982180D7609950D6F0

Function 00CC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CC34BA

Strings

edit, xrefs: 00CC348F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction ID: 727fc1e320b2a0d17a6d67d9d458a16208f12f5ec42c5e5c79c6052ff044d39a
Opcode Fuzzy Hash: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction Fuzzy Hash: 4A118F71100248ABEB169F64EC84FEB3B6AEB05374F508728F975971D0C771DE919B60

Function 00C96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C96CB6
_wcslen.LIBCMT ref: 00C96CC2

Strings

STOP, xrefs: 00C96CBC, 00C96CC1

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction ID: 06217d16fd5b8704edba60e89b581106e6ba67950b0bbe5e46ae28727ed1d597
Opcode Fuzzy Hash: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction Fuzzy Hash: 4601C033A145268ACF21AFFDDC899BF77B5EB61710B110528F8B2961D0EA31EA50C650

Function 00C91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C91D4C

Strings

ComboBox, xrefs: 00C91CEB
ListBox, xrefs: 00C91D16

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction ID: 9d70982ab0c8ae4792f1a5284105179b997c6d918211722784ca269448775ef5
Opcode Fuzzy Hash: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction Fuzzy Hash: 2101D872611219AB8F09EBA4CD5ADFE7768EF47390F040619FD32572C1EA705908D661

Function 00C91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C91C46

Strings

ComboBox, xrefs: 00C91BE5
ListBox, xrefs: 00C91C10

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction ID: 8b9e8d37f4407eafb66cbd651d73ee695b015edffefac8cd52856119fe1ad67f
Opcode Fuzzy Hash: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction Fuzzy Hash: 1B01A77578510967CF05EB90CA5AEFF77A8DF52340F140019F916672C1EA709F08D6B2

Function 00C91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C91CC8

Strings

ComboBox, xrefs: 00C91C69
ListBox, xrefs: 00C91C94

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction ID: 0d6902df4e528881dc9483aa7b3b7e4f586b4d79e0b8d7da774d89888502cad6
Opcode Fuzzy Hash: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction Fuzzy Hash: 7A01D67579011967CF04EBA4CA0AEFE77A89B12380F580015BD02B3281EAB09F08D672

Function 00C91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C91DD3

Strings

ComboBox, xrefs: 00C91D75
ListBox, xrefs: 00C91DA0

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction ID: fd20075754dfc7b45027f29b0abac559cf082906986651939693699d5fb7d696
Opcode Fuzzy Hash: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction Fuzzy Hash: 0AF0A476B5121967DF05E7A4CD5AFFE77A8EB02350F080915F922A72C1DAB05A089261

Function 00CB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB7493
_wcslen.LIBCMT ref: 00CB74B9

Strings

3, 3, 16, 1, xrefs: 00CB7483

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction ID: f8dd9f2dd81fb0910451d5155542169ba444234cc197804d3aa7c80e3ea73a21
Opcode Fuzzy Hash: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction Fuzzy Hash: DBE0610670432020933513B9DCC29FF568DCFC5753B10192BFD81C2366EA94CED1A7A5

Function 00C90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C90B23

Strings

AutoIt, xrefs: 00C90B17
Error allocating memory., xrefs: 00C90B1C

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e2ada41fae4464405445ba8f99bc47a74f8b694df0e10481554a1a79b698260b
Instruction ID: 48adef3ea633ceacf4463cc5cedfffa08c928ddec06a1046fbd0741f52ea67bd
Opcode Fuzzy Hash: e2ada41fae4464405445ba8f99bc47a74f8b694df0e10481554a1a79b698260b
Instruction Fuzzy Hash: B4E048312443183AD6143654BC47FC97A849F05B65F10442EFB9C555C38AE1659166A9

Function 00C50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C50D71,?,?,?,00C3100A), ref: 00C4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C3100A), ref: 00C50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C3100A), ref: 00C50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C50D7F

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction ID: fdc82468553106bbffa2193e900c540b3de718a9d188fe083c05f4a606972a99
Opcode Fuzzy Hash: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction Fuzzy Hash: A6E092B82007518BD7309FB8D448B467BF0BF00741F104D2DE886C6751DBB4E4898BA1

Function 00CA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CA3044

Strings

aut, xrefs: 00CA3038

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction ID: 57ecc98b5811609669061f54329cf26f1a1f17a308480ce1fb1652b19e149dd2
Opcode Fuzzy Hash: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction Fuzzy Hash: AAD05EB250032867DA60E7A4EC4EFDB3A6CDB04750F0002A1F659E2491DAB49984CAD0

Function 00CC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC236C
PostMessageW.USER32(00000000), ref: 00CC2373

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2365

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction ID: 45a351328e20112652abdf7d8a2297a07cf78b10b3b6b41063accd19ef6d8d02
Opcode Fuzzy Hash: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction Fuzzy Hash: 6CD0C9327853107AE6A4B771EC4FFCA66149B14B14F114916F74AEA1D0C9A4A8418A54

Function 00CC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC233F

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2325

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction ID: 0b87c47c630664828fd1f9fe8b80273907d9324b78b7d24bbe3f5acb8649f41d
Opcode Fuzzy Hash: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction Fuzzy Hash: 19D01236794310B7E6A4B771EC4FFDA7A149B10B14F114916F74AEA1D0C9F4A841CB54

Function 00C6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C6BE93
GetLastError.KERNEL32 ref: 00C6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6BEFC

Memory Dump Source

Source File: 00000000.00000002.2111242064.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2111198584.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111351087.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111423374.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111454891.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction ID: 3bf3638671d07866aaa34f7a8239c3ca7ed457e14c278b6a74b7b63689f4eb81
Opcode Fuzzy Hash: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction Fuzzy Hash: F341E339604206AFCB318FA5CCC4BAA7BA5AF41310F144169F969D71B1DB318E82DB62

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2127764588.000001C80A482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2260427909.000001C808A7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2250418629.000001C80BB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236992211.000001C80BB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224461961.000001C810DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222437636.000001C811088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232650493.000001C814E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222437636.000001C811088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232650493.000001C814E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2250418629.000001C80BB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236992211.000001C80BB62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247196775.000001C80A6E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224461961.000001C810DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250006050.000001C811358000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250006050.000001C811358000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233598589.000001C811311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222437636.000001C811088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2215651763.000001C811311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222437636.000001C811088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111080239.000001C81135D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3896211733.00000240CFF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3896211733.00000240CFF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3896211733.00000240CFF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3896240715.0000018820A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2127764588.000001C80A482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2250418629.000001C80BB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236992211.000001C80BB62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247196775.000001C80A6E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224461961.000001C810DE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232650493.000001C814E67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232578550.000001C814E80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2236992211.000001C80BB62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250322613.000001C80BBA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2238134982.000001C80ACB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2112503837.000001C80A6A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49860 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_9e9c0082-7c11-4da8-82d5-0c31ec2fda48.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_9e9c0082-7c11-4da8-82d5-0c31ec2fda48.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2514MH3B5R7JZV5A4DXY.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9IKSXKB4AAYQ8L7U83HN.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre