Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574222
MD5:	cfd9ab2985983b15f40a6f8ddda94ee0
SHA1:	1b3aa3ee12fb143281e3b704208bee2a0e045697
SHA256:	54fa403f5d329dd8060e67a18fc46ce1bd3d75a8d5e6c88820c59ede26f83e87
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1976 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CFD9AB2985983B15F40A6F8DDDA94EE0)

taskkill.exe (PID: 2332 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3360 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5700 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2224 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4368 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3004 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2304 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1292 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1128 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {466d0f2b-478f-4a58-a3ee-61e738435d03} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb4ad6df10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7704 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -parentBuildID 20230927232528 -prefsHandle 3520 -prefMapHandle 4364 -prefsLen 26200 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58dc31a-a9a2-471c-b845-da573512b240} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cde2d10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7532 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffe92e7-c0ba-4aaf-a681-46e1e664ac44} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cbac110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1976	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_007DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007DED6A

Source: C:\Users\user\Desktop\file.exe

0_2_007DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_007CAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007F9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2117967334.0000000000822000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b3ce3d8-6
Source: file.exe, 00000000.00000000.2117967334.0000000000822000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e763dc45-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_31d374a6-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6fc3a230-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A85F8077 NtQuerySystemInformation,		18_2_000001E4A85F8077
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A8CCA172 NtQuerySystemInformation,		18_2_000001E4A8CCA172

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007CD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_007C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007CE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00768060	0_2_00768060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D2046	0_2_007D2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C8298	0_2_007C8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079E4FF	0_2_0079E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079676B	0_2_0079676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F4873	0_2_007F4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076CAF0	0_2_0076CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078CAA0	0_2_0078CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077CC39	0_2_0077CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00796DD9	0_2_00796DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077B119	0_2_0077B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007691C0	0_2_007691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00781394	0_2_00781394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078781B	0_2_0078781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077997D	0_2_0077997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00767920	0_2_00767920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00787A4A	0_2_00787A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00787CA7	0_2_00787CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EBE44	0_2_007EBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00799EEE	0_2_00799EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A85F8077	18_2_000001E4A85F8077
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A8CCA172	18_2_000001E4A8CCA172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A8CCA1B2	18_2_000001E4A8CCA1B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001E4A8CCA89C	18_2_000001E4A8CCA89C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0077F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00769CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00780A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D37B5 GetLastError,FormatMessageW,

0_2_007D37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C10BF AdjustTokenPrivileges,CloseHandle,		0_2_007C10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007C16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007D51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007CD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_007D648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2343262395.000001CB5929A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336027064.000001CB5929A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2351181510.000001CB5C6B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334427497.000001CB5C6BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {466d0f2b-478f-4a58-a3ee-61e738435d03} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb4ad6df10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -parentBuildID 20230927232528 -prefsHandle 3520 -prefMapHandle 4364 -prefsLen 26200 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58dc31a-a9a2-471c-b845-da573512b240} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cde2d10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffe92e7-c0ba-4aaf-a681-46e1e664ac44} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cbac110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {466d0f2b-478f-4a58-a3ee-61e738435d03} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb4ad6df10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -parentBuildID 20230927232528 -prefsHandle 3520 -prefMapHandle 4364 -prefsLen 26200 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58dc31a-a9a2-471c-b845-da573512b240} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cde2d10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffe92e7-c0ba-4aaf-a681-46e1e664ac44} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cbac110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00780A76 push ecx; ret

0_2_00780A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0077F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007F1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96025

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001E4A85F8077 rdtsc

18_2_000001E4A85F8077

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007CDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079C2A2 FindFirstFileExW,	0_2_0079C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D68EE FindFirstFileW,FindClose,	0_2_007D68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_007D698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_007D9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_007D5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: firefox.exe, 00000010.00000002.3389059393.00000269C2D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9&
Source: firefox.exe, 00000010.00000002.3389059393.00000269C2D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6!
Source: file.exe, 00000000.00000003.2203148029.0000000001104000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203722473.000000000113A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202662019.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201951587.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203640971.000000000110F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202762064.0000000001102000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3383500634.00000269C23CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3383496284.0000023B7EDEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3387963032.0000023B7F300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3388269122.00000269C2917000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3382427838.000001E4A83CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`H
Source: firefox.exe, 00000012.00000002.3388266695.000001E4A8D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?
Source: firefox.exe, 00000010.00000002.3383500634.00000269C23CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2121648978.000000000113F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3389059393.00000269C2D40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388266695.000001E4A8D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000012.00000002.3388266695.000001E4A8D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8x

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001E4A85F8077 rdtsc

18_2_000001E4A85F8077

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DEAA2 BlockInput,

0_2_007DEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00792622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00792622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00784CE8 mov eax, dword ptr fs:[00000030h]

0_2_00784CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_007C0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00792622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00792622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0078083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007809D5 SetUnhandledExceptionFilter,	0_2_007809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00780C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00780C21

Source: C:\Users\user\Desktop\file.exe

0_2_007C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007A2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CB226 SendInput,keybd_event,

0_2_007CB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007E22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_007C0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007C1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2395351479.000001CB66203000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00780698 cpuid

0_2_00780698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BD21C GetLocalTime,

0_2_007BD21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BD27A GetUserNameW,

0_2_007BD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0079B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1976, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1976, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007E1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	29%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.3384928041.0000023B7F2C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2331757101.000001CB5D7E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2302363506.000001CB5B746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301938960.000001CB5B744000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3384928041.0000023B7F28F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2362080654.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326162505.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220366309.000001CB64EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353147758.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2352218285.000001CB5ACDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381261573.000001CB635D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2368566166.000001CB63C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327494937.000001CB63C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379809302.000001CB63C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348848664.000001CB63C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2175092066.000001CB59A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174764739.000001CB5AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175287867.000001CB59A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174941000.000001CB59A10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2375544219.000001CB5C685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342015820.000001CB5C678000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BE18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2351495042.000001CB5C681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334597085.000001CB5C678000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BE9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388499989.000001CB5C687000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BEE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2330153644.000001CB5ED3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2221581420.000001CB5EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382703935.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329171875.000001CB5EE93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364795397.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2349578016.000001CB6360B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174764739.000001CB5AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337440941.000001CB5E1DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353753997.000001CB5E1DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175287867.000001CB59A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174941000.000001CB59A10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2383436351.000001CB5EAFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2175092066.000001CB59A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174764739.000001CB5AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174941000.000001CB59A10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2383436351.000001CB5EAE3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2369205487.000001CB6370D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2362080654.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326162505.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220366309.000001CB64EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353147758.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://ac	firefox.exe, 00000012.00000002.3387495929.000001E4A88D0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.googlU	firefox.exe, 00000014.00000002.3383496284.0000023B7EDEA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2211527867.000001CB64F99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2337440941.000001CB5E1F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2221581420.000001CB5EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382703935.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329171875.000001CB5EE93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364795397.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2342633935.000001CB5B4E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373096109.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331069013.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3384528532.000001E4A870A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3384928041.0000023B7F20C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2269022782.000001CB5CABF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.3384928041.0000023B7F2C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2299860053.000001CB63EB4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2387453127.000001CB5D0DF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2388939974.000001CB5BEE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2330153644.000001CB5ED6A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2364795397.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000014.00000002.3384928041.0000023B7F213000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2334597085.000001CB5C678000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2330153644.000001CB5ED3E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2369205487.000001CB63755000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2380291979.000001CB63755000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2222020682.000001CB5EE3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207630257.000001CB64FF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336360960.000001CB648E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222400968.000001CB5E1FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237850775.000001CB5C88A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238859345.000001CB5C792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360893001.000001CB64FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2322829254.000001CB586D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178900609.000001CB5B52D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299860053.000001CB63E9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180754757.000001CB5B52B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291815351.000001CB5ECC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212982619.000001CB5EFD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337440941.000001CB5E1FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386521743.000001CB5D71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198604876.000001CB5EC81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320766396.000001CB586D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343262395.000001CB5929A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339345527.000001CB5E1A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2325531974.000001CB64FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341692452.000001CB5D54B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2340573708.000001CB5D6BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.openh264.org/	firefox.exe, 0000000E.00000003.2388939974.000001CB5BE74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2342633935.000001CB5B4E6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2342633935.000001CB5B4E6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2369205487.000001CB63755000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2380291979.000001CB63755000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2329171875.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221581420.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382703935.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364795397.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2221581420.000001CB5EE96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382703935.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329171875.000001CB5EE93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364795397.000001CB5EE7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2352218285.000001CB5AC7E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2388682179.000001CB5C619000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2382353172.000001CB63493000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212204614.000001CB63493000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2269022782.000001CB5CABF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2352218285.000001CB5AC7E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2381261573.000001CB635BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2370182604.000001CB635D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381261573.000001CB635D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2325395247.000001CB64FC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2174941000.000001CB59A10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2334597085.000001CB5C678000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2349578016.000001CB636EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174764739.000001CB5AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337440941.000001CB5E1DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353753997.000001CB5E1DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175287867.000001CB59A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174941000.000001CB59A10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2330153644.000001CB5ED3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2362080654.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326162505.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220366309.000001CB64EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353147758.000001CB64EA5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3384502660.00000269C2470000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3387769126.000001E4A8C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3383802424.0000023B7EEF0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000E.00000003.2337440941.000001CB5E1F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2269022782.000001CB5CABF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.3385545837.00000269C28C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3384528532.000001E4A87ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3388126673.0000023B7F403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574222
Start date and time:	2024-12-13 05:40:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 48 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.85.93.176, 44.228.225.150, 54.213.181.160, 142.250.181.106, 142.250.181.138, 172.217.17.46, 88.221.134.155, 88.221.134.209, 13.107.246.63, 23.218.208.109, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
23:41:10	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	34.66.227.80
ATGS-MMD-ASUS	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.51.229.161
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.106.195.4
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.51.229.161
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.106.195.4
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c6f9921d-9f1e-4b00-8216-db10b5eacdb0.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.1779762030120295
Encrypted:	false
SSDEEP:	192:i1BMX51ucbhbVbTbfbRbObtbyEl7nsr5JA6unSrDtTkdxSofp:iimcNhnzFSJMrU1nSrDhkdxN
MD5:	73A8369903836A517684156B80E3E222
SHA1:	D8206EB1C30492AB53C8ED1A1A4CE6969561D236
SHA-256:	0C9B5E3235519225A7FEA16EB3B5B05AB51561CCA91F681E58FE9993429C0157
SHA-512:	5A4493F55BA689351FF85760448F6F399CC838B851534CD3CB7150217A84146B2260ABB1CDCE5044DFC347A0C2F37AE76C62864E8030D01E803E23DB2C8A4E1D
Malicious:	false
Preview:	{"type":"uninstall","id":"c6f9921d-9f1e-4b00-8216-db10b5eacdb0","creationDate":"2024-12-13T06:35:02.115Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c6f9921d-9f1e-4b00-8216-db10b5eacdb0.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.1779762030120295
Encrypted:	false
SSDEEP:	192:i1BMX51ucbhbVbTbfbRbObtbyEl7nsr5JA6unSrDtTkdxSofp:iimcNhnzFSJMrU1nSrDhkdxN
MD5:	73A8369903836A517684156B80E3E222
SHA1:	D8206EB1C30492AB53C8ED1A1A4CE6969561D236
SHA-256:	0C9B5E3235519225A7FEA16EB3B5B05AB51561CCA91F681E58FE9993429C0157
SHA-512:	5A4493F55BA689351FF85760448F6F399CC838B851534CD3CB7150217A84146B2260ABB1CDCE5044DFC347A0C2F37AE76C62864E8030D01E803E23DB2C8A4E1D
Malicious:	false
Preview:	{"type":"uninstall","id":"c6f9921d-9f1e-4b00-8216-db10b5eacdb0","creationDate":"2024-12-13T06:35:02.115Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930554102015076
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL5Wf8P:gXiNFS+OcUGOdwiOdwBjkYL5Y8P
MD5:	A891C59486A29935B76B9CDCBDD787EF
SHA1:	C43B33D3B8864EF8B4E6A2DCFEE9694B5594A9D9
SHA-256:	89D6606ABD41A4F54379BC6D5B1730E527F30F407BEEC6B11151C0185FB92AF2
SHA-512:	456B445B946F33095D2E8410E772FBC6422908BE3E078B836616A5B6C5F5316B91BD8402F4141E5EBA5D7F133E2538DC231A0911E5851136854DD164FF48E4F1
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930554102015076
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL5Wf8P:gXiNFS+OcUGOdwiOdwBjkYL5Y8P
MD5:	A891C59486A29935B76B9CDCBDD787EF
SHA1:	C43B33D3B8864EF8B4E6A2DCFEE9694B5594A9D9
SHA-256:	89D6606ABD41A4F54379BC6D5B1730E527F30F407BEEC6B11151C0185FB92AF2
SHA-512:	456B445B946F33095D2E8410E772FBC6422908BE3E078B836616A5B6C5F5316B91BD8402F4141E5EBA5D7F133E2538DC231A0911E5851136854DD164FF48E4F1
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0732727778622636
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	D8AF0304BE78CFF203CEDE173D654E73
SHA1:	40C429D75E42C605A3F198173A7367598AA3F5D5
SHA-256:	8D3DC61EB88269EBAD2266C7801DCC08832EDA132FB66EDEBB756D5B0E3E21E8
SHA-512:	3B7E575EF6FCB3C4BE19D5DB82EFA4ED7068F43051C2F8BD10D7FA07764B8B49CFA2DC48F3386806930837610589F70AF991813DD368764641F8923278AFBB1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFPAAQdwWvCUZhxylstFPAAQdwWvCUZhxXlJ89//alEl:GtWteArUZnyWteArUZn789XuM
MD5:	679DCAB4AF5C748E8CF2884B6BFB48DF
SHA1:	F9E6635F31838E7E12CC3AFB9E49E9A5DB6F6ADC
SHA-256:	E3DB977D470ABD8F0512D988451D025E1D3649878EEAB460DA36909745DB5834
SHA-512:	633E94143C14A8C7FCB6C7321D2D54ABB73DDF54644FB46046F44A8202E60173FC95C82E743FFB3AA8B832068C91B6C0208F95D351A935683E0A26FED36D2068
Malicious:	false
Preview:	..-......................;zB.v.u\8..H..h.n......-......................;zB.v.u\8..H..h.n............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034996981648093825
Encrypted:	false
SSDEEP:	3:Ol1ZWw/k/ofQfltoHSrV//mwl8XW3R2:KFOpuw93w
MD5:	C9DD8C81DB4C885ACC5243B36ACFE6AE
SHA1:	69F0437DDE7CA33EAF9304428579B0366B1DE3DC
SHA-256:	87C8E8187DA850952E6C82B31A5A13AF8EA06686D50A391888F459832F927122
SHA-512:	56FD2EA236BAC8C7B4D1A0500AFF92D90F3DB0E28388F877BEA752CC2F512894932C7CCDD81133E88E597DED2F4CF8708AD855D3F31E228B3D06C12310E6FB1F
Malicious:	false
Preview:	7....-..........u\8..H..._.............u\8..H.Bz;..v..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466742441780074
Encrypted:	false
SSDEEP:	192:nnTFTRRUYbBp6PLZNMGaXR6qU4j27zy+/3/75b5RYiNBw8diSl:TKeqFNMEU2HyCRdwJ0
MD5:	2908D5B2E2B7BD5F8C961F716A3FFF42
SHA1:	87D5D0F233DF59636D9C9BDC7ABC069F7EBA2AF0
SHA-256:	B071A6044523901DB4A69F2A292715CFBB32E3AF0BCD1FDA0836F3E9B4FF8DE1
SHA-512:	C72ACB82AB30ABF1B9B579B9D264C0BAA94320B2AED2094AEB7464FCD7D9E1BFA019BFDE866A9FB06C92ABC84F53480ED9AAAC9937EC4BD6BE8599D0F3BE8171
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734071672);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734071672);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734071672);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.466742441780074
Encrypted:	false
SSDEEP:	192:nnTFTRRUYbBp6PLZNMGaXR6qU4j27zy+/3/75b5RYiNBw8diSl:TKeqFNMEU2HyCRdwJ0
MD5:	2908D5B2E2B7BD5F8C961F716A3FFF42
SHA1:	87D5D0F233DF59636D9C9BDC7ABC069F7EBA2AF0
SHA-256:	B071A6044523901DB4A69F2A292715CFBB32E3AF0BCD1FDA0836F3E9B4FF8DE1
SHA-512:	C72ACB82AB30ABF1B9B579B9D264C0BAA94320B2AED2094AEB7464FCD7D9E1BFA019BFDE866A9FB06C92ABC84F53480ED9AAAC9937EC4BD6BE8599D0F3BE8171
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734071672);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734071672);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734071672);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331807977141472
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSNzLXnIgo/pnxQwRlszT5sKLV3eHVvwKXTcamhujJmyOOxmD6maoRm:GUpOx+z4nR6x3eNwCTc4JNGbRh4
MD5:	42011A7C956E756FDD5EEC9A99A064E6
SHA1:	62E8CF72D25173ED7FADBABA8E0BB954833839C6
SHA-256:	A9CF854C26456C99FE0E1D258232A3E3A81FCC766F2EB262B6ED8971F7F2BDD2
SHA-512:	5F102D6E46E1B804A2E0BC8E2123B4BDDE9655243567C4ECE24E5ECC36CD374938538D6E715BD2008954CD918E2251DA8E49F65FE5C1087537E4F034A23F7643
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{0c6f3438-8bc3-44c5-8aea-17dd3220b0bf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734071678739,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P41575...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...44451,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331807977141472
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSNzLXnIgo/pnxQwRlszT5sKLV3eHVvwKXTcamhujJmyOOxmD6maoRm:GUpOx+z4nR6x3eNwCTc4JNGbRh4
MD5:	42011A7C956E756FDD5EEC9A99A064E6
SHA1:	62E8CF72D25173ED7FADBABA8E0BB954833839C6
SHA-256:	A9CF854C26456C99FE0E1D258232A3E3A81FCC766F2EB262B6ED8971F7F2BDD2
SHA-512:	5F102D6E46E1B804A2E0BC8E2123B4BDDE9655243567C4ECE24E5ECC36CD374938538D6E715BD2008954CD918E2251DA8E49F65FE5C1087537E4F034A23F7643
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{0c6f3438-8bc3-44c5-8aea-17dd3220b0bf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734071678739,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P41575...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...44451,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331807977141472
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSNzLXnIgo/pnxQwRlszT5sKLV3eHVvwKXTcamhujJmyOOxmD6maoRm:GUpOx+z4nR6x3eNwCTc4JNGbRh4
MD5:	42011A7C956E756FDD5EEC9A99A064E6
SHA1:	62E8CF72D25173ED7FADBABA8E0BB954833839C6
SHA-256:	A9CF854C26456C99FE0E1D258232A3E3A81FCC766F2EB262B6ED8971F7F2BDD2
SHA-512:	5F102D6E46E1B804A2E0BC8E2123B4BDDE9655243567C4ECE24E5ECC36CD374938538D6E715BD2008954CD918E2251DA8E49F65FE5C1087537E4F034A23F7643
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{0c6f3438-8bc3-44c5-8aea-17dd3220b0bf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734071678739,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P41575...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...44451,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009127525076916
Encrypted:	false
SSDEEP:	48:YrSAYOjHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycuCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	6CA24971F77106AAD374DD14D4DC390C
SHA1:	E4D597899E280A5850547838EB85713B5903D81D
SHA-256:	0320CCE3C2820CE2BFFC33D5ADDEFD2E64C617B2869D3E1189A8AB7F2C8D4FCE
SHA-512:	F7489B931D8429FEC00DFA3B3D9E8059B66A29D9CB52A99573EE35745BB0F81874A288FD10E71B27FBD1890CD3A371D35926FEBA6EC94232AC901E565C7A7BC7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T06:34:21.943Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009127525076916
Encrypted:	false
SSDEEP:	48:YrSAYOjHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycuCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	6CA24971F77106AAD374DD14D4DC390C
SHA1:	E4D597899E280A5850547838EB85713B5903D81D
SHA-256:	0320CCE3C2820CE2BFFC33D5ADDEFD2E64C617B2869D3E1189A8AB7F2C8D4FCE
SHA-512:	F7489B931D8429FEC00DFA3B3D9E8059B66A29D9CB52A99573EE35745BB0F81874A288FD10E71B27FBD1890CD3A371D35926FEBA6EC94232AC901E565C7A7BC7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T06:34:21.943Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.700093786879539
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'216 bytes
MD5:	cfd9ab2985983b15f40a6f8ddda94ee0
SHA1:	1b3aa3ee12fb143281e3b704208bee2a0e045697
SHA256:	54fa403f5d329dd8060e67a18fc46ce1bd3d75a8d5e6c88820c59ede26f83e87
SHA512:	665dcff2d024376db57ef5c3a4f7788aab3ad04ae8f830426b6f95e8d2ec888a8bddd78a87ae464f7277b3c04875ce78f0a70e57c675b0aa34bf75b24af9e21f
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8a87GAsa:rTvC/MTQYxsWR7a87GAs
TLSH:	A5259E027391C062FFAB92334F5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BB5F6 [Fri Dec 13 04:20:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F37D50B2303h
jmp 00007F37D50B1C0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F37D50B1DEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F37D50B1DBAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F37D50B49ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F37D50B49F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F37D50B49E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x15f08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x15f08	0x16000	aeea5c0c3ad919aee950866bd8187ee5	False	0.6982754794034091	data	7.155141989080583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd08c	data			1.0004870008241553
RT_GROUP_ICON	0xe9988	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9a00	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9a14	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9a28	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9a3c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9b18	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 05:41:08.149996042 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:08.150033951 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:08.150681019 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:08.326602936 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:08.326632023 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:09.328489065 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.328536987 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:09.328722954 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.328775883 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:09.329238892 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.329288960 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.330637932 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.330657959 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:09.331888914 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:09.331933022 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:09.350341082 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:09.470206976 CET	80	49718	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:09.470411062 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:09.470473051 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:09.545607090 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:09.547607899 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:09.583357096 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:09.583394051 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:09.583955050 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:09.585192919 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:09.585217953 CET	443	49714	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:09.588143110 CET	49714	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:09.588794947 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:09.588835955 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:09.589160919 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:09.590199947 CET	80	49718	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:09.591216087 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:09.591231108 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:09.662733078 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:09.662787914 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:09.662934065 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:09.663110971 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:09.663125038 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:09.798418999 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:09.798476934 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:09.798669100 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:09.798809052 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:09.798823118 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:10.300884962 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.300932884 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.301019907 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.302464962 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.302481890 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.562371016 CET	80	49718	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:10.607714891 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:10.817255974 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.823395967 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.824060917 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.830789089 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.830789089 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.830807924 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.830974102 CET	443	49719	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:10.831913948 CET	49719	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:10.882827044 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:10.883625031 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:10.887048960 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:10.887058973 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:10.887408972 CET	443	49720	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:10.889452934 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:10.889452934 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:10.889452934 CET	49720	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:10.963644028 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:10.996084929 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:11.025178909 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:11.025257111 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.028142929 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.028155088 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:11.028412104 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:11.030334949 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.030404091 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.030456066 CET	443	49721	34.160.144.191	192.168.2.6
Dec 13, 2024 05:41:11.031106949 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.031126022 CET	49721	443	192.168.2.6	34.160.144.191
Dec 13, 2024 05:41:11.034389973 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.034547091 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.035394907 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.036422014 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.037653923 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.038645983 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.039530039 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.039541006 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.039690971 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.039735079 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.039752960 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.039797068 CET	443	49717	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.040623903 CET	49717	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.043705940 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.043720961 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.043785095 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.043961048 CET	443	49716	142.250.181.110	192.168.2.6
Dec 13, 2024 05:41:11.045905113 CET	49716	443	192.168.2.6	142.250.181.110
Dec 13, 2024 05:41:11.083497047 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:11.085966110 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:11.086179972 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:11.116064072 CET	80	49718	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:11.124897003 CET	49718	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:11.205837011 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:11.524127007 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:11.524316072 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:11.528458118 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:11.528466940 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:11.528603077 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:11.528620005 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:11.528639078 CET	443	49723	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:11.528903008 CET	49723	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:11.997055054 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:11.997116089 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:12.006217957 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:12.011882067 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:12.014586926 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:12.014622927 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:12.126013041 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:12.127927065 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:12.128427029 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:12.179994106 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:12.225327969 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:12.225425005 CET	443	49729	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:12.227994919 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:12.228107929 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:12.229481936 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:12.229521036 CET	443	49729	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:12.248148918 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:13.214739084 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:13.233653069 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.233680964 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.236716032 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.241272926 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.241286039 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.241389990 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.241453886 CET	443	49727	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.241766930 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.241799116 CET	443	49730	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.242790937 CET	49727	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.242827892 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.244281054 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:13.244301081 CET	443	49730	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:13.261764050 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:13.447088003 CET	443	49729	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:13.447313070 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:13.452613115 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:13.452624083 CET	443	49729	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:13.452837944 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:13.452918053 CET	443	49729	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:13.453000069 CET	49729	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:13.946310997 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:14.066127062 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:14.261085987 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:14.304692984 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:14.460320950 CET	443	49730	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:14.460401058 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:14.465280056 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:14.465293884 CET	443	49730	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:14.465387106 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:14.465481043 CET	443	49730	34.117.188.166	192.168.2.6
Dec 13, 2024 05:41:14.465545893 CET	49730	443	192.168.2.6	34.117.188.166
Dec 13, 2024 05:41:16.459960938 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:16.580491066 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:16.775732994 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:16.827662945 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:16.921073914 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:16.986983061 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:16.987024069 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:16.987157106 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:16.988532066 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:16.988549948 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:17.040851116 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:17.065193892 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:17.065227032 CET	443	49744	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:17.065521955 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:17.067023039 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:17.067043066 CET	443	49744	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:17.235949039 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:17.282124043 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:18.201577902 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:18.211332083 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:18.216022015 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:18.220419884 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:18.220437050 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:18.220557928 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:18.220628023 CET	443	49743	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:18.231656075 CET	49743	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:18.284672022 CET	443	49744	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:18.286762953 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:18.305804014 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:18.305804014 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:18.305895090 CET	443	49744	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:18.306116104 CET	443	49744	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:18.306284904 CET	49744	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:21.189533949 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:21.309442997 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:21.324595928 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:21.324609995 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:21.324744940 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:21.326090097 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:21.326097012 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:21.344194889 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:21.344254017 CET	443	49760	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:21.344319105 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:21.345873117 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:21.345891953 CET	443	49760	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:21.346586943 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:21.346596003 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:21.346852064 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:21.346971035 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:21.346976995 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:21.505003929 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:21.545666933 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:22.545262098 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:22.545339108 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:22.556009054 CET	443	49760	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:22.556082964 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:22.563817024 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:22.563885927 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:23.173481941 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:23.173495054 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:23.173858881 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:23.177797079 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:23.177807093 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:23.178030014 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:23.178129911 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:23.178136110 CET	443	49759	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:23.178288937 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.178307056 CET	443	49760	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:23.178426981 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.178435087 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:23.178467035 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:23.178474903 CET	443	49760	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:23.178633928 CET	443	49761	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:23.178746939 CET	49761	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:23.178801060 CET	49760	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.178833008 CET	49759	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:23.979374886 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:23.980304956 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.980340958 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:23.980424881 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.980465889 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:23.983452082 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.983467102 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.983592987 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.983604908 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:23.983674049 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:23.983690977 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:24.099131107 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:24.144433975 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:24.145869017 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:24.145967007 CET	443	49770	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:24.146828890 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:24.148526907 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:24.148569107 CET	443	49770	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:24.264173031 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:24.294127941 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:24.348609924 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:24.459482908 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:24.511399984 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:25.026093960 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:25.145898104 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:25.195538044 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.195816994 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.199089050 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.199096918 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.199434042 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.200923920 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.203205109 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.203290939 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.203376055 CET	443	49769	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.204273939 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.204281092 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.206783056 CET	49769	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.206783056 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.206816912 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.207178116 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.208960056 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.209043026 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.209141016 CET	443	49768	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.210985899 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.210985899 CET	49768	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.341394901 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:25.342318058 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:25.358644009 CET	443	49770	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.358717918 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.362428904 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.362436056 CET	443	49770	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.362518072 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.362552881 CET	443	49770	34.120.208.123	192.168.2.6
Dec 13, 2024 05:41:25.363823891 CET	49770	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:41:25.398379087 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:25.461105108 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:25.658190012 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:25.699285984 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:27.194430113 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:27.314163923 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:27.509252071 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:27.573438883 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:34.887276888 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:34.887394905 CET	443	49797	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:34.887865067 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:34.889313936 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:34.889350891 CET	443	49797	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:35.665565014 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:35.785267115 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:36.105869055 CET	443	49797	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:36.105961084 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:36.110948086 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:36.110966921 CET	443	49797	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:36.111056089 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:36.111346960 CET	443	49797	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:36.111416101 CET	49797	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:36.113884926 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:36.233612061 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:36.428998947 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:36.433125019 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:36.483457088 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:36.552911043 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:36.747885942 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:36.799959898 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:37.503724098 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:37.503742933 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:37.504056931 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:37.504149914 CET	443	49804	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:37.507025957 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:37.507186890 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:37.507195950 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:37.507199049 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:37.508637905 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:37.508676052 CET	443	49804	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:37.720282078 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:37.720333099 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:37.720577955 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:37.720725060 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:37.720741034 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:37.837208033 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:37.837243080 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:37.837699890 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:37.837831974 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:37.837841034 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:37.988478899 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:37.988523006 CET	443	49807	35.201.103.21	192.168.2.6
Dec 13, 2024 05:41:37.988687992 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:37.990016937 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:37.990031958 CET	443	49807	35.201.103.21	192.168.2.6
Dec 13, 2024 05:41:38.742896080 CET	443	49804	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:38.742997885 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:38.747054100 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:38.747087002 CET	443	49804	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:38.747140884 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:38.747220039 CET	443	49804	35.190.72.216	192.168.2.6
Dec 13, 2024 05:41:38.747824907 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:38.749392033 CET	49804	443	192.168.2.6	35.190.72.216
Dec 13, 2024 05:41:38.749420881 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:38.752218008 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:38.752222061 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:38.752623081 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:38.752868891 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:38.754503965 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:38.754584074 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:38.754686117 CET	443	49803	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:38.754865885 CET	49803	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:38.872457027 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:38.948256969 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:38.948338032 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:38.950954914 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:38.950963974 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:38.951392889 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:38.953001976 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:38.953111887 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:38.953177929 CET	443	49805	151.101.129.91	192.168.2.6
Dec 13, 2024 05:41:38.958977938 CET	49805	443	192.168.2.6	151.101.129.91
Dec 13, 2024 05:41:38.960313082 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.960356951 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:38.960468054 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.960587978 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.960601091 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:38.962199926 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.962238073 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:38.962774038 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.962774038 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.962805033 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:38.964020967 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.964032888 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:38.964231968 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.964339972 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:38.964351892 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.053339958 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.057849884 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.060471058 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.060483932 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.060777903 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.062467098 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.062551975 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.062617064 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.067348003 CET	443	49806	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:39.068196058 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.072035074 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.072055101 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.072072029 CET	49806	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:39.075304031 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.122159004 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.195144892 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.217046976 CET	443	49807	35.201.103.21	192.168.2.6
Dec 13, 2024 05:41:39.217199087 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:39.220962048 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:39.220962048 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:39.220974922 CET	443	49807	35.201.103.21	192.168.2.6
Dec 13, 2024 05:41:39.221215963 CET	443	49807	35.201.103.21	192.168.2.6
Dec 13, 2024 05:41:39.222501040 CET	49807	443	192.168.2.6	35.201.103.21
Dec 13, 2024 05:41:39.230513096 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.237350941 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:39.237436056 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:39.237529039 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:39.237622023 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:39.237656116 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:39.350236893 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.390187979 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.438679934 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.547508001 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.550236940 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.592379093 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:39.669931889 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.911585093 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:39.955755949 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:40.286268950 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.287105083 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.291258097 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.291336060 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.294502020 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.294507027 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.295449972 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.296842098 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.296852112 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.297245979 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.298762083 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.298777103 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.299520016 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.300950050 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.301171064 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.301178932 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.301208019 CET	443	49814	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.301239014 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.301280975 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.301532030 CET	443	49813	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.306241989 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306272984 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306272984 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306495905 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306498051 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306514978 CET	49813	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.306516886 CET	49814	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.308845043 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.308850050 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.309288979 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:40.309730053 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.312216997 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.312284946 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.312577009 CET	443	49815	35.244.181.201	192.168.2.6
Dec 13, 2024 05:41:40.312907934 CET	49815	443	192.168.2.6	35.244.181.201
Dec 13, 2024 05:41:40.429018021 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:40.557734966 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:40.557806015 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:40.560358047 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:40.560364008 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:40.560692072 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:40.563235998 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:40.563334942 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:40.563410997 CET	443	49816	34.149.100.209	192.168.2.6
Dec 13, 2024 05:41:40.563512087 CET	49816	443	192.168.2.6	34.149.100.209
Dec 13, 2024 05:41:40.631881952 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:40.635499954 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:40.679939985 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:40.755222082 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:40.950690985 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:40.996428967 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:50.637577057 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:50.757663012 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:50.960683107 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:51.080420017 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:56.500499010 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:56.500525951 CET	443	49859	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:56.501087904 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:56.503125906 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:56.503139019 CET	443	49859	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:57.721463919 CET	443	49859	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:57.721569061 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:57.726588011 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:57.726593018 CET	443	49859	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:57.726727962 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:57.726825953 CET	443	49859	34.107.243.93	192.168.2.6
Dec 13, 2024 05:41:57.728233099 CET	49859	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:41:57.731520891 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:57.851279020 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:58.046540976 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:58.054294109 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:58.098186016 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:41:58.174168110 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:58.369277000 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:41:58.414694071 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:07.417946100 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.417994976 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418287992 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418359041 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418405056 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418490887 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418498993 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418540955 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418632030 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418653965 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418695927 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418706894 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.418783903 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418791056 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418801069 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418812990 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418812990 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418859959 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418917894 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.418927908 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.419101954 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.419142008 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.419169903 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.419192076 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.419248104 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.419271946 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.419331074 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.419368982 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:07.419441938 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:07.419456959 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.057728052 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:08.177423954 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:08.380888939 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:08.500541925 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:08.632179976 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.632612944 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.633233070 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.633308887 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.633881092 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.635178089 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.636264086 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.636293888 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.636560917 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.638520002 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.638528109 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.638763905 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.639332056 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.639333010 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.641347885 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.641453028 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.641473055 CET	443	49890	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.641536951 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.641562939 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.641624928 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.641690969 CET	443	49891	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.641880035 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.641999006 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.642024994 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.642149925 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.642174006 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.642307997 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.642313957 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.642318010 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643846989 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643863916 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643866062 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643873930 CET	49891	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643884897 CET	49890	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643902063 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.643914938 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.645627022 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.645632029 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.645955086 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.647603035 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.647628069 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.647875071 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.651987076 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.651997089 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.652844906 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.656124115 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656233072 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656281948 CET	443	49887	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.656313896 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656394005 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656440020 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656502962 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.656743050 CET	443	49888	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.656806946 CET	443	49889	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.659410954 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.659447908 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.659459114 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.659471035 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.659677029 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.661686897 CET	49887	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.661710978 CET	49889	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.661717892 CET	49888	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.662900925 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.662916899 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.663208961 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.663228035 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.663280010 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.663295031 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.663829088 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.665488958 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.665558100 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.665910959 CET	443	49886	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:08.669089079 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.669605017 CET	49886	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:08.692948103 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:08.812647104 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:09.008387089 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:09.012152910 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:09.060621023 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:09.133927107 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:09.328047991 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:09.383740902 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:09.877262115 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.877279997 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.877518892 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.880832911 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.880844116 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.881195068 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.882349968 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.882391930 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.882463932 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.884793043 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.884818077 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.885128021 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.885329962 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.885433912 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.885509014 CET	443	49896	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.887223005 CET	49896	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.887684107 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.887795925 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:09.887855053 CET	443	49895	34.120.208.123	192.168.2.6
Dec 13, 2024 05:42:09.889657021 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:09.889873028 CET	49895	443	192.168.2.6	34.120.208.123
Dec 13, 2024 05:42:10.009449959 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:10.205198050 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:10.208620071 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:10.248456001 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:10.328747988 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:10.523431063 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:10.565057993 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:20.215594053 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:20.335360050 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:20.531722069 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:20.651726007 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:30.345237970 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:30.464989901 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:30.661801100 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:30.781516075 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:37.871944904 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:37.871961117 CET	443	49965	34.107.243.93	192.168.2.6
Dec 13, 2024 05:42:37.872432947 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:37.874599934 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:37.874610901 CET	443	49965	34.107.243.93	192.168.2.6
Dec 13, 2024 05:42:39.152121067 CET	443	49965	34.107.243.93	192.168.2.6
Dec 13, 2024 05:42:39.152225018 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:39.157419920 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:39.157424927 CET	443	49965	34.107.243.93	192.168.2.6
Dec 13, 2024 05:42:39.157586098 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:39.157603979 CET	443	49965	34.107.243.93	192.168.2.6
Dec 13, 2024 05:42:39.157850981 CET	49965	443	192.168.2.6	34.107.243.93
Dec 13, 2024 05:42:39.160516024 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:39.280193090 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:39.476052046 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:39.480086088 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:39.519119978 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:39.599822998 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:39.799861908 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:39.850687027 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:49.478986025 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:49.599138021 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:49.802148104 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:49.922281981 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:59.608633995 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:42:59.728296995 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:42:59.931703091 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:43:00.051420927 CET	80	49724	34.107.221.82	192.168.2.6
Dec 13, 2024 05:43:09.738305092 CET	49728	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:43:09.858000994 CET	80	49728	34.107.221.82	192.168.2.6
Dec 13, 2024 05:43:10.054744005 CET	49724	80	192.168.2.6	34.107.221.82
Dec 13, 2024 05:43:10.174503088 CET	80	49724	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 05:41:08.149967909 CET	59735	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:08.477746010 CET	53	59735	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:08.478945017 CET	61313	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:08.714589119 CET	53	61313	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.190113068 CET	64510	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.210632086 CET	52459	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.327517986 CET	53	64510	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.329075098 CET	52025	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.350509882 CET	57269	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.444120884 CET	52097	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.467546940 CET	53	52025	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.468251944 CET	56087	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.477998018 CET	53898	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.488878012 CET	53	57269	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.501503944 CET	60026	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.581542969 CET	53	52097	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.589051008 CET	61915	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.605581999 CET	53	56087	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.639764071 CET	53	60026	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.660162926 CET	50999	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.662360907 CET	58273	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.690268040 CET	58728	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.726176977 CET	53	61915	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.727261066 CET	60352	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.797369957 CET	53	50999	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.798557043 CET	50469	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.865489006 CET	53	60352	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.937009096 CET	53	50469	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.937789917 CET	52642	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:09.983609915 CET	53	58273	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:09.984471083 CET	55250	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.076198101 CET	53	52642	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.121954918 CET	53	55250	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.292226076 CET	53	53898	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.300971985 CET	51680	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.352299929 CET	53	60152	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.439551115 CET	53	51680	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.440365076 CET	50031	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.578254938 CET	53	50031	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.817286015 CET	59748	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.817879915 CET	54559	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.824122906 CET	53552	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.897525072 CET	50799	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:10.955485106 CET	53	59748	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:10.955574036 CET	53	54559	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:11.034617901 CET	53	50799	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:11.036338091 CET	51962	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:11.173722029 CET	53	51962	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:11.210017920 CET	64154	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:11.352276087 CET	53	64154	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:16.464483023 CET	50504	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:16.926439047 CET	60275	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:16.986816883 CET	52547	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.064121962 CET	53	60275	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.065474987 CET	52518	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.123914003 CET	53	52547	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.124778032 CET	54379	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.180901051 CET	53	50504	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.181835890 CET	59244	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.202898026 CET	53	52518	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.203769922 CET	53212	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.262411118 CET	53	54379	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.340907097 CET	53	53212	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.604671955 CET	53	59244	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:17.607065916 CET	57199	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:17.852104902 CET	53	57199	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:21.185251951 CET	64514	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:21.209572077 CET	64672	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:21.323260069 CET	53	64514	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:21.324621916 CET	54089	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:21.347229958 CET	53	64672	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:21.463430882 CET	53	54089	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:23.984864950 CET	60368	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:24.121768951 CET	53	60368	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:27.194633007 CET	53287	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.730329037 CET	61471	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.730329037 CET	57532	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.730631113 CET	51835	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.867305994 CET	53	57532	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:30.868551970 CET	59222	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.868864059 CET	53	61471	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:30.869612932 CET	52045	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:30.950349092 CET	53	51835	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:30.951339960 CET	54144	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.005685091 CET	53	59222	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.006423950 CET	53	52045	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.011008024 CET	58780	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.011354923 CET	50223	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.148895979 CET	53	50223	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.148999929 CET	53	54144	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.153590918 CET	61536	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.154063940 CET	63442	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.232073069 CET	53	58780	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.233007908 CET	59349	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.352277994 CET	53	61536	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.353399992 CET	56242	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.369550943 CET	53	63442	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.369940996 CET	53	59349	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.370608091 CET	54737	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.507785082 CET	53	54737	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.508470058 CET	50287	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.570740938 CET	53	56242	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.572213888 CET	64796	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:31.645734072 CET	53	50287	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:31.793308020 CET	53	64796	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:34.887798071 CET	61859	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:35.025078058 CET	53	61859	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:37.497345924 CET	56785	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.511512041 CET	49172	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.719115019 CET	53	56785	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:37.720529079 CET	54938	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.838196993 CET	62924	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.859333038 CET	53	54938	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:37.859872103 CET	62887	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.975604057 CET	53	62924	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:37.987370968 CET	53	49172	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:37.990056038 CET	64869	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:37.999672890 CET	53	62887	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:38.226733923 CET	53	64869	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:38.229675055 CET	57939	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:38.368484974 CET	53	57939	1.1.1.1	192.168.2.6
Dec 13, 2024 05:41:56.501138926 CET	56308	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:41:56.638994932 CET	53	56308	1.1.1.1	192.168.2.6
Dec 13, 2024 05:42:07.418319941 CET	56292	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:42:07.555469990 CET	53	56292	1.1.1.1	192.168.2.6
Dec 13, 2024 05:42:37.732368946 CET	55129	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:42:37.869812965 CET	53	55129	1.1.1.1	192.168.2.6
Dec 13, 2024 05:42:37.872250080 CET	54600	53	192.168.2.6	1.1.1.1
Dec 13, 2024 05:42:38.010704041 CET	53	54600	1.1.1.1	192.168.2.6
Dec 13, 2024 05:42:39.160754919 CET	49783	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 05:41:08.149967909 CET	192.168.2.6	1.1.1.1	0x7201	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:08.478945017 CET	192.168.2.6	1.1.1.1	0xdac9	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:09.190113068 CET	192.168.2.6	1.1.1.1	0xd442	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.210632086 CET	192.168.2.6	1.1.1.1	0xb2a8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.329075098 CET	192.168.2.6	1.1.1.1	0x3673	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.350509882 CET	192.168.2.6	1.1.1.1	0x73e2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.444120884 CET	192.168.2.6	1.1.1.1	0xcf88	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.468251944 CET	192.168.2.6	1.1.1.1	0x6315	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:09.477998018 CET	192.168.2.6	1.1.1.1	0x588b	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.501503944 CET	192.168.2.6	1.1.1.1	0xb75c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:09.589051008 CET	192.168.2.6	1.1.1.1	0xc6f7	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.660162926 CET	192.168.2.6	1.1.1.1	0x2fee	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.662360907 CET	192.168.2.6	1.1.1.1	0x82c0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.690268040 CET	192.168.2.6	1.1.1.1	0x6c7e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.727261066 CET	192.168.2.6	1.1.1.1	0xc177	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:09.798557043 CET	192.168.2.6	1.1.1.1	0x9be6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.937789917 CET	192.168.2.6	1.1.1.1	0xb235	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:09.984471083 CET	192.168.2.6	1.1.1.1	0xee8f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:10.300971985 CET	192.168.2.6	1.1.1.1	0xc9b4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.440365076 CET	192.168.2.6	1.1.1.1	0x5beb	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:10.817286015 CET	192.168.2.6	1.1.1.1	0xf854	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.817879915 CET	192.168.2.6	1.1.1.1	0xdccc	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.824122906 CET	192.168.2.6	1.1.1.1	0x3488	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.897525072 CET	192.168.2.6	1.1.1.1	0x37bf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:11.036338091 CET	192.168.2.6	1.1.1.1	0xb465	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:11.210017920 CET	192.168.2.6	1.1.1.1	0xb6c2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:16.464483023 CET	192.168.2.6	1.1.1.1	0x2986	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:16.926439047 CET	192.168.2.6	1.1.1.1	0xf9a3	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:16.986816883 CET	192.168.2.6	1.1.1.1	0x2fb1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.065474987 CET	192.168.2.6	1.1.1.1	0x13ab	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.124778032 CET	192.168.2.6	1.1.1.1	0x92ea	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:17.181835890 CET	192.168.2.6	1.1.1.1	0x4172	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.203769922 CET	192.168.2.6	1.1.1.1	0xb110	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:17.607065916 CET	192.168.2.6	1.1.1.1	0x2a4d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:21.185251951 CET	192.168.2.6	1.1.1.1	0x18ed	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:21.209572077 CET	192.168.2.6	1.1.1.1	0x2ff9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:21.324621916 CET	192.168.2.6	1.1.1.1	0xecc8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:23.984864950 CET	192.168.2.6	1.1.1.1	0xaddf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:27.194633007 CET	192.168.2.6	1.1.1.1	0xcbe3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.730329037 CET	192.168.2.6	1.1.1.1	0xa875	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.730329037 CET	192.168.2.6	1.1.1.1	0xcba8	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.730631113 CET	192.168.2.6	1.1.1.1	0xc584	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.868551970 CET	192.168.2.6	1.1.1.1	0xcb76	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.869612932 CET	192.168.2.6	1.1.1.1	0x7807	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.951339960 CET	192.168.2.6	1.1.1.1	0x9d33	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.011008024 CET	192.168.2.6	1.1.1.1	0x2c0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:31.011354923 CET	192.168.2.6	1.1.1.1	0x711a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:31.153590918 CET	192.168.2.6	1.1.1.1	0xd829	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.154063940 CET	192.168.2.6	1.1.1.1	0x9c88	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 05:41:31.233007908 CET	192.168.2.6	1.1.1.1	0xad0e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.353399992 CET	192.168.2.6	1.1.1.1	0x5ce3	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.370608091 CET	192.168.2.6	1.1.1.1	0x8a39	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.508470058 CET	192.168.2.6	1.1.1.1	0x53ab	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:31.572213888 CET	192.168.2.6	1.1.1.1	0x81d3	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:34.887798071 CET	192.168.2.6	1.1.1.1	0xd1d3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:37.497345924 CET	192.168.2.6	1.1.1.1	0x3e92	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.511512041 CET	192.168.2.6	1.1.1.1	0x7d3b	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.720529079 CET	192.168.2.6	1.1.1.1	0x851b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.838196993 CET	192.168.2.6	1.1.1.1	0x1823	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:41:37.859872103 CET	192.168.2.6	1.1.1.1	0x2ab2	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 05:41:37.990056038 CET	192.168.2.6	1.1.1.1	0x8d5b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:38.229675055 CET	192.168.2.6	1.1.1.1	0x2c2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:41:56.501138926 CET	192.168.2.6	1.1.1.1	0x5754	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:42:07.418319941 CET	192.168.2.6	1.1.1.1	0x7fb6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:42:37.732368946 CET	192.168.2.6	1.1.1.1	0x43c3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:42:37.872250080 CET	192.168.2.6	1.1.1.1	0x6f2d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:42:39.160754919 CET	192.168.2.6	1.1.1.1	0x2b9e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 05:41:08.136614084 CET	1.1.1.1	192.168.2.6	0xb9ca	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:08.477746010 CET	1.1.1.1	192.168.2.6	0x7201	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.327517986 CET	1.1.1.1	192.168.2.6	0xd442	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.348622084 CET	1.1.1.1	192.168.2.6	0xb2a8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:09.348622084 CET	1.1.1.1	192.168.2.6	0xb2a8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.467546940 CET	1.1.1.1	192.168.2.6	0x3673	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.488878012 CET	1.1.1.1	192.168.2.6	0x73e2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.581542969 CET	1.1.1.1	192.168.2.6	0xcf88	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.605581999 CET	1.1.1.1	192.168.2.6	0x6315	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:09.639764071 CET	1.1.1.1	192.168.2.6	0xb75c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 05:41:09.659751892 CET	1.1.1.1	192.168.2.6	0x3ade	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:09.659751892 CET	1.1.1.1	192.168.2.6	0x3ade	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.726176977 CET	1.1.1.1	192.168.2.6	0xc6f7	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.797369957 CET	1.1.1.1	192.168.2.6	0x2fee	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:09.797369957 CET	1.1.1.1	192.168.2.6	0x2fee	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:09.797369957 CET	1.1.1.1	192.168.2.6	0x2fee	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.904021025 CET	1.1.1.1	192.168.2.6	0x6c7e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:09.937009096 CET	1.1.1.1	192.168.2.6	0x9be6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:09.983609915 CET	1.1.1.1	192.168.2.6	0x82c0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.076198101 CET	1.1.1.1	192.168.2.6	0xb235	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 05:41:10.292226076 CET	1.1.1.1	192.168.2.6	0x588b	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:10.292226076 CET	1.1.1.1	192.168.2.6	0x588b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.439551115 CET	1.1.1.1	192.168.2.6	0xc9b4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.955485106 CET	1.1.1.1	192.168.2.6	0xf854	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.955574036 CET	1.1.1.1	192.168.2.6	0xdccc	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.955574036 CET	1.1.1.1	192.168.2.6	0xdccc	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:10.961577892 CET	1.1.1.1	192.168.2.6	0x3488	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:10.961577892 CET	1.1.1.1	192.168.2.6	0x3488	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:11.034617901 CET	1.1.1.1	192.168.2.6	0x37bf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:11.173722029 CET	1.1.1.1	192.168.2.6	0xb465	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:16.985431910 CET	1.1.1.1	192.168.2.6	0xdff6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.064121962 CET	1.1.1.1	192.168.2.6	0xf9a3	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:17.064121962 CET	1.1.1.1	192.168.2.6	0xf9a3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.123914003 CET	1.1.1.1	192.168.2.6	0x2fb1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.180901051 CET	1.1.1.1	192.168.2.6	0x2986	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:17.180901051 CET	1.1.1.1	192.168.2.6	0x2986	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:17.180901051 CET	1.1.1.1	192.168.2.6	0x2986	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.202898026 CET	1.1.1.1	192.168.2.6	0x13ab	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:17.604671955 CET	1.1.1.1	192.168.2.6	0x4172	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:21.323260069 CET	1.1.1.1	192.168.2.6	0x18ed	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:21.343421936 CET	1.1.1.1	192.168.2.6	0xc95	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:21.345921040 CET	1.1.1.1	192.168.2.6	0x8e27	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:21.345921040 CET	1.1.1.1	192.168.2.6	0x8e27	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:27.606031895 CET	1.1.1.1	192.168.2.6	0xcbe3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:27.606031895 CET	1.1.1.1	192.168.2.6	0xcbe3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.867305994 CET	1.1.1.1	192.168.2.6	0xcba8	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.868864059 CET	1.1.1.1	192.168.2.6	0xa875	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:30.868864059 CET	1.1.1.1	192.168.2.6	0xa875	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:30.950349092 CET	1.1.1.1	192.168.2.6	0xc584	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:30.950349092 CET	1.1.1.1	192.168.2.6	0xc584	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.005685091 CET	1.1.1.1	192.168.2.6	0xcb76	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.006423950 CET	1.1.1.1	192.168.2.6	0x7807	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.148895979 CET	1.1.1.1	192.168.2.6	0x711a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.148895979 CET	1.1.1.1	192.168.2.6	0x711a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.148895979 CET	1.1.1.1	192.168.2.6	0x711a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.148895979 CET	1.1.1.1	192.168.2.6	0x711a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.148999929 CET	1.1.1.1	192.168.2.6	0x9d33	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.232073069 CET	1.1.1.1	192.168.2.6	0x2c0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.352277994 CET	1.1.1.1	192.168.2.6	0xd829	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:31.352277994 CET	1.1.1.1	192.168.2.6	0xd829	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.352277994 CET	1.1.1.1	192.168.2.6	0xd829	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.352277994 CET	1.1.1.1	192.168.2.6	0xd829	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.352277994 CET	1.1.1.1	192.168.2.6	0xd829	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.369550943 CET	1.1.1.1	192.168.2.6	0x9c88	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 05:41:31.369940996 CET	1.1.1.1	192.168.2.6	0xad0e	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.507785082 CET	1.1.1.1	192.168.2.6	0x8a39	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.570740938 CET	1.1.1.1	192.168.2.6	0x5ce3	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.570740938 CET	1.1.1.1	192.168.2.6	0x5ce3	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.570740938 CET	1.1.1.1	192.168.2.6	0x5ce3	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:31.570740938 CET	1.1.1.1	192.168.2.6	0x5ce3	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.719115019 CET	1.1.1.1	192.168.2.6	0x3e92	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.719115019 CET	1.1.1.1	192.168.2.6	0x3e92	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.719115019 CET	1.1.1.1	192.168.2.6	0x3e92	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.719115019 CET	1.1.1.1	192.168.2.6	0x3e92	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.836198092 CET	1.1.1.1	192.168.2.6	0xd5ad	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:37.836198092 CET	1.1.1.1	192.168.2.6	0xd5ad	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.859333038 CET	1.1.1.1	192.168.2.6	0x851b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.859333038 CET	1.1.1.1	192.168.2.6	0x851b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.859333038 CET	1.1.1.1	192.168.2.6	0x851b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.859333038 CET	1.1.1.1	192.168.2.6	0x851b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.987370968 CET	1.1.1.1	192.168.2.6	0x7d3b	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:37.987370968 CET	1.1.1.1	192.168.2.6	0x7d3b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:37.999672890 CET	1.1.1.1	192.168.2.6	0x2ab2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:41:37.999672890 CET	1.1.1.1	192.168.2.6	0x2ab2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:41:37.999672890 CET	1.1.1.1	192.168.2.6	0x2ab2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:41:37.999672890 CET	1.1.1.1	192.168.2.6	0x2ab2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:41:38.226733923 CET	1.1.1.1	192.168.2.6	0x8d5b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:41:41.060666084 CET	1.1.1.1	192.168.2.6	0xb764	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:41:41.060666084 CET	1.1.1.1	192.168.2.6	0xb764	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:42:07.416834116 CET	1.1.1.1	192.168.2.6	0x7338	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:42:37.869812965 CET	1.1.1.1	192.168.2.6	0x43c3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:42:39.298317909 CET	1.1.1.1	192.168.2.6	0x2b9e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:42:39.298317909 CET	1.1.1.1	192.168.2.6	0x2b9e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	34.107.221.82	80	1292	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:41:09.470473051 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:10.562371016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 66705 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49724	34.107.221.82	80	1292	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:41:11.086179972 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:12.179994106 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50612 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:13.946310997 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:14.261085987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50614 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:16.921073914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:17.235949039 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50617 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:23.979374886 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:24.294127941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50624 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:25.026093960 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:25.342318058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50625 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:27.194430113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:27.509252071 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50627 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:36.433125019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:36.747885942 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50636 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:39.075304031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:39.390187979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50639 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:39.550236940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:39.911585093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50639 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:40.635499954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:40.950690985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50640 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:41:50.960683107 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:41:58.054294109 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:41:58.369277000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50658 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:42:08.380888939 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:09.012152910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:42:09.328047991 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50669 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:42:10.208620071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:42:10.523431063 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50670 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:42:20.531722069 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:30.661801100 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:39.480086088 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:42:39.799861908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 50699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:42:49.802148104 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:59.931703091 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:43:10.054744005 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	34.107.221.82	80	1292	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:41:12.128427029 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:13.214739084 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62611 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:16.459960938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:16.775732994 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62614 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:21.189533949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:21.505003929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62619 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:24.144433975 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:24.459482908 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62622 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:25.341394901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:25.658190012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62623 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:35.665565014 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:41:36.113884926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:36.428998947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:38.752623081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:39.068196058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62636 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:39.230513096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:39.547508001 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62637 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:40.309288979 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:40.631881952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62638 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:41:50.637577057 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:41:57.731520891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:41:58.046540976 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62655 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:42:08.057728052 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:08.692948103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:42:09.008387089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62666 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:42:09.889657021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:42:10.205198050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62668 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:42:20.215594053 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:30.345237970 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:39.160516024 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:42:39.476052046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 62697 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:42:49.478986025 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:42:59.608633995 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:43:09.738305092 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:41:00
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x760000
File size:	969'216 bytes
MD5 hash:	CFD9AB2985983B15F40A6F8DDDA94EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:41:00
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xa70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:41:00
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xa70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xa70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xa70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xa70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:41:03
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:41:04
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:41:04
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:41:05
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {466d0f2b-478f-4a58-a3ee-61e738435d03} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb4ad6df10 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	23:41:06
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -parentBuildID 20230927232528 -prefsHandle 3520 -prefMapHandle 4364 -prefsLen 26200 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58dc31a-a9a2-471c-b845-da573512b240} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cde2d10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	23:41:23
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffe92e7-c0ba-4aaf-a681-46e1e664ac44} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1cb5cbac110 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1716
Total number of Limit Nodes:	50

Executed Functions

Function 007642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0076430D

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

GetCurrentProcess.KERNEL32(?,007FCB64,00000000,?,?), ref: 00764422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00764429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00764454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00764466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00764474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0076447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007644A0

Strings

|O, xrefs: 007A36F8
kernel32.dll, xrefs: 0076444F
GetNativeSystemInfo, xrefs: 00764460

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3676bbf0ed9b9707039f492fbca73ce6644d2d019295788da35923f1ab08daab
Instruction ID: b74235ab8ddaf28661b04ad77ea95d4b646840f464257899253f72de28ce110a
Opcode Fuzzy Hash: 3676bbf0ed9b9707039f492fbca73ce6644d2d019295788da35923f1ab08daab
Instruction Fuzzy Hash: 81A1A66290A2C4DFCF12CB797C8D5E67FA47BE6F40B189D99E44293B22D67C4508CB21

Function 007642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007650AA,?,?,00000000,00000000), ref: 007642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007650AA,?,?,00000000,00000000), ref: 007642C9
LoadResource.KERNEL32(?,00000000,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20), ref: 007A35BE
SizeofResource.KERNEL32(?,00000000,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20), ref: 007A35D3
LockResource.KERNEL32(007650AA,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20,?), ref: 007A35E6

Strings

SCRIPT, xrefs: 007642BF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd532494d17e0baae516c06e66b6ae05f5e851f01c368d89f7d59d335b52e5a1
Instruction ID: 9b6ba0b5d174f9129b24e8bcd9fa4713b8bad3e6a7da9ed9e28a873302b54355
Opcode Fuzzy Hash: bd532494d17e0baae516c06e66b6ae05f5e851f01c368d89f7d59d335b52e5a1
Instruction Fuzzy Hash: C3115771200604AFEB228BA9DD59F277BB9FBC5B51F208169F802962A0DB75D810DA20

Function 007A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00762B6B

Part of subcall function 00763A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00831418,?,00762E7F,?,?,?,00000000), ref: 00763A78

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00822224), ref: 007A2C10
ShellExecuteW.SHELL32(00000000,?,?,00822224), ref: 007A2C17

Strings

runas, xrefs: 007A2C0B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 133085eb1de4f77b4c6c7ebcdeccac615a2b83c170dcc00073b04b6e06e0edba
Instruction ID: 42b4a409faf6e061ee67142d71f508f9f0cdb3c664e1ed6e806c99098dee4338
Opcode Fuzzy Hash: 133085eb1de4f77b4c6c7ebcdeccac615a2b83c170dcc00073b04b6e06e0edba
Instruction Fuzzy Hash: A011D271208245EACB04FF60E8599BEBBA9EBD1700F44042DF987531A3DF3C894AD762

Function 007CD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007CD501
Process32FirstW.KERNEL32(00000000,?), ref: 007CD50F
Process32NextW.KERNEL32(00000000,?), ref: 007CD52F
CloseHandle.KERNEL32(00000000), ref: 007CD5DC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d8aaade4ec8814bbaca34acc6d5b5f0002a600c07398e7199b26e7a1ebc55281
Instruction ID: 914fcd0fd11476ac48a8c57fdc3c203a207c5bd6db0b0e3fae635ebc3f181f74
Opcode Fuzzy Hash: d8aaade4ec8814bbaca34acc6d5b5f0002a600c07398e7199b26e7a1ebc55281
Instruction Fuzzy Hash: 1431AF71008304DFD311EF54D885EAFBBE8EF99344F10092DF982931A1EB759948CBA2

Function 007CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,007A5222), ref: 007CDBCE
GetFileAttributesW.KERNEL32(?), ref: 007CDBDD
FindFirstFileW.KERNEL32(?,?), ref: 007CDBEE
FindClose.KERNEL32(00000000), ref: 007CDBFA

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5e393d91c126c96d88a350537bb9b9523d1eb1c1c0594add5be0e90618eda807
Instruction ID: d180d16b52f42616a8c53f537658f1c07964703a50056e479e6335cdc7ac43ed
Opcode Fuzzy Hash: 5e393d91c126c96d88a350537bb9b9523d1eb1c1c0594add5be0e90618eda807
Instruction Fuzzy Hash: F8F0A0308109185B92316B7CAE0D9BA376CAE01334F10871AF836C20E0EBB86D54C6A9

Function 007BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007BD220

Strings

%.3d, xrefs: 007BD22B
X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 403d08c66e73d316aa17721a46647debcef426ca4218a8c4119c39507d09dce4
Instruction ID: 5573c71f8276da3cbbfc3df7b9b5de49d3f6390be0bb9e1fc0db4448308f44f1
Opcode Fuzzy Hash: 403d08c66e73d316aa17721a46647debcef426ca4218a8c4119c39507d09dce4
Instruction Fuzzy Hash: 62D012A1C09158E9CF6096E0DD49AF9B37CFB08341F50C462F91AD1040F62CCD48AB61

Function 00784CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000,?,007928E9), ref: 00784D09
TerminateProcess.KERNEL32(00000000,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000,?,007928E9), ref: 00784D10
ExitProcess.KERNEL32 ref: 00784D22

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c56d2c53a60f9cc4052b527b8b18397f2decefb3a9e8eb856ec8013cffef9ce
Instruction ID: a580905bb1d86930fb8aec9b56725abe85e8c57027a9e2778e1b2a50d76a8a58
Opcode Fuzzy Hash: 8c56d2c53a60f9cc4052b527b8b18397f2decefb3a9e8eb856ec8013cffef9ce
Instruction Fuzzy Hash: 85E0B63114054DEBCF12BF64DE09A687B79EF41781B118014FD058A122CB7DED52DB95

Function 007BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007BD28C

Strings

X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d5af0c6f62338a7ba3a1434bd8948687b8db2824d0e283bda2ad1980ac45665a
Instruction ID: 5c74e0ecc1a759f7e87f25aee6b50c48e61e3ed7b4af495b7099d18ba6f9c456
Opcode Fuzzy Hash: d5af0c6f62338a7ba3a1434bd8948687b8db2824d0e283bda2ad1980ac45665a
Instruction Fuzzy Hash: 71D0C9B481111DEACFA4CB90DD88DE9B37CBF04345F104155F106A2000DB7899498F10

Function 007EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EB1D4
_wcslen.LIBCMT ref: 007EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EB236
_wcslen.LIBCMT ref: 007EB332

Part of subcall function 007D05A7: GetStdHandle.KERNEL32(000000F6), ref: 007D05C6

_wcslen.LIBCMT ref: 007EB34B
_wcslen.LIBCMT ref: 007EB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007EB3B6
GetLastError.KERNEL32(00000000), ref: 007EB407
CloseHandle.KERNEL32(?), ref: 007EB439
CloseHandle.KERNEL32(00000000), ref: 007EB44A
CloseHandle.KERNEL32(00000000), ref: 007EB45C
CloseHandle.KERNEL32(00000000), ref: 007EB46E
CloseHandle.KERNEL32(?), ref: 007EB4E3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 767c9fbd8da0a26eb84749a1948971962a0869f984fac204ff3d8e47e3c4fc4a
Instruction ID: 6150536e190fc44be50286247371759dbe566625a1e5ab48742de3c567552d3f
Opcode Fuzzy Hash: 767c9fbd8da0a26eb84749a1948971962a0869f984fac204ff3d8e47e3c4fc4a
Instruction Fuzzy Hash: E1F1AB31509380DFC715EF25C895B6BBBE4AF89314F14845DF89A9B2A2DB38EC44CB52

Function 0076D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0076D807
timeGetTime.WINMM ref: 0076DA07
Sleep.KERNEL32(0000000A), ref: 0076DBB1
Sleep.KERNEL32(0000000A), ref: 007B2B76
GetExitCodeProcess.KERNEL32(?,?), ref: 007B2C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 007B2C29
CloseHandle.KERNEL32(?), ref: 007B2C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 007B2CA9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 3e71f307eaa8ab118e4fec93502413db3266a370f6102a99a220f1b09bdf25b5
Instruction ID: 60212c234f3809ca08dcae3a68127f1d35754b2b7b9052712a2f901266f88d76
Opcode Fuzzy Hash: 3e71f307eaa8ab118e4fec93502413db3266a370f6102a99a220f1b09bdf25b5
Instruction Fuzzy Hash: 0142E170B18341DFD739CF24C858BAAB7A0FF85304F548959E85A87292D778EC45CB92

Function 00762CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00762D07
RegisterClassExW.USER32(00000030), ref: 00762D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00762D42
InitCommonControlsEx.COMCTL32(?), ref: 00762D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00762D6F
LoadIconW.USER32(000000A9), ref: 00762D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00762D94

Strings

0, xrefs: 00762CE9
TaskbarCreated, xrefs: 00762D37
+, xrefs: 00762CF0
AutoIt v3 GUI, xrefs: 00762D23

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3c60790e56e88ed08bcee7bc8654c7b68cf0c319dd6f5cd7f7ae3aad47c58ff2
Instruction ID: dbdc109b11adce856692788660580050893e2cc4278b9e9fc6cb0991e221db00
Opcode Fuzzy Hash: 3c60790e56e88ed08bcee7bc8654c7b68cf0c319dd6f5cd7f7ae3aad47c58ff2
Instruction Fuzzy Hash: 8421B2B590121CAFDF01DFA4ED49BEDBBB4FB48B00F00851AEA11A62A0D7B95544CFA5

Function 007A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007A039A: CreateFileW.KERNEL32(00000000,00000000,?,007A0704,?,?,00000000,?,007A0704,00000000,0000000C), ref: 007A03B7

GetLastError.KERNEL32 ref: 007A076F
__dosmaperr.LIBCMT ref: 007A0776
GetFileType.KERNEL32(00000000), ref: 007A0782
GetLastError.KERNEL32 ref: 007A078C
__dosmaperr.LIBCMT ref: 007A0795
CloseHandle.KERNEL32(00000000), ref: 007A07B5
CloseHandle.KERNEL32(?), ref: 007A08FF
GetLastError.KERNEL32 ref: 007A0931
__dosmaperr.LIBCMT ref: 007A0938

Strings

H, xrefs: 007A08BD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 964f6ac7b2ddb99e2701686fd7a79da8a6daa6b28968e4eb7cde5fe34c8cfdd9
Instruction ID: d299999c551613b00eb28a0ad4db8ef2188fbb7d59709df9856cdc852027dff7
Opcode Fuzzy Hash: 964f6ac7b2ddb99e2701686fd7a79da8a6daa6b28968e4eb7cde5fe34c8cfdd9
Instruction Fuzzy Hash: 18A12332A001088FDF19AF68D855BAE7BA0AB87324F14465DF815DB2D1DB399D12CBD1

Function 0076344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00763A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00831418,?,00762E7F,?,?,?,00000000), ref: 00763A78

Part of subcall function 00763357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00763379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0076356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007A31CE
RegCloseKey.ADVAPI32(?), ref: 007A3210
_wcslen.LIBCMT ref: 007A3277
_wcslen.LIBCMT ref: 007A3286

Strings

\, xrefs: 007A328C
Software\AutoIt v3\AutoIt, xrefs: 00763560
\Include\, xrefs: 00763527
Include, xrefs: 007A3184, 007A31C5

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 035fbefb2f00802b9a3ad7b420eba839d1509082d00730c9beee5815585f4b87
Instruction ID: f602a3e351d6e1ebc85431f4c4aae0061c7a006149f8a1d9e12b43e2502630d3
Opcode Fuzzy Hash: 035fbefb2f00802b9a3ad7b420eba839d1509082d00730c9beee5815585f4b87
Instruction Fuzzy Hash: 0C717B71404305AEC314EF65EC859ABBBE8FFC5750F50492EF546932B0EB789A48CB62

Function 00762B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00762B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00762B9D
LoadIconW.USER32(00000063), ref: 00762BB3
LoadIconW.USER32(000000A4), ref: 00762BC5
LoadIconW.USER32(000000A2), ref: 00762BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00762BEF
RegisterClassExW.USER32(?), ref: 00762C40

Part of subcall function 00762CD4: GetSysColorBrush.USER32(0000000F), ref: 00762D07
Part of subcall function 00762CD4: RegisterClassExW.USER32(00000030), ref: 00762D31
Part of subcall function 00762CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00762D42
Part of subcall function 00762CD4: InitCommonControlsEx.COMCTL32(?), ref: 00762D5F
Part of subcall function 00762CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00762D6F
Part of subcall function 00762CD4: LoadIconW.USER32(000000A9), ref: 00762D85
Part of subcall function 00762CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00762D94

Strings

#, xrefs: 00762C16
0, xrefs: 00762C0F
AutoIt v3, xrefs: 00762C2F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 31bd7f3342e6c23aa9a6dfe6cbe416e2b7d059414dbbe1bb7adeab01e29811ab
Instruction ID: 6e3fcbb45fff5e06fd2a3238d952bf31eddd1cda86ca4cd5a040d2e5192c02d4
Opcode Fuzzy Hash: 31bd7f3342e6c23aa9a6dfe6cbe416e2b7d059414dbbe1bb7adeab01e29811ab
Instruction Fuzzy Hash: 74214C71E00318ABDF119FA6ED49AA97FB4FB88F50F00442AE500A67A0D3B91540DFA4

Function 00763170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0076316A,?,?), ref: 007631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0076316A,?,?), ref: 00763204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00763227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0076316A,?,?), ref: 00763232
CreatePopupMenu.USER32 ref: 00763246
PostQuitMessage.USER32(00000000), ref: 00763267

Strings

TaskbarCreated, xrefs: 0076322D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f621e7378011667579f42649cfc64afe2e5c3f26ba1da8b7564089f7c73d7b14
Instruction ID: 1d695c9cce6cbd13572eebebe3d609753b79207ce5fd7c9b8a6b9106d6a990c7
Opcode Fuzzy Hash: f621e7378011667579f42649cfc64afe2e5c3f26ba1da8b7564089f7c73d7b14
Instruction Fuzzy Hash: 49415731244208EBDF1A2B78DD5DB793B19FB86710F044229FE03C62A2CB7D9A44C7A5

Function 00761410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00761459
CoUninitialize.COMBASE ref: 007614F8
UnregisterHotKey.USER32(?), ref: 007616DD
DestroyWindow.USER32(?), ref: 007A24B9
FreeLibrary.KERNEL32(?), ref: 007A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007A254B

Strings

close all, xrefs: 00761454

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 79bc5f43fa0d7b93697420aab64fab8cee4b0a446016d1baaee1afc2617bc8ce
Instruction ID: 33d361d61ebb31d26f625d91be3a9528dd7e7b490b7db406e5175ee7170cba5f
Opcode Fuzzy Hash: 79bc5f43fa0d7b93697420aab64fab8cee4b0a446016d1baaee1afc2617bc8ce
Instruction Fuzzy Hash: 2FD15D31701212CFCB19EF19C599A29F7A4BF45700F5882ADE94B6B252DB38ED22CF51

Function 007CDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 007CDE42
gethostname.WS2_32(?,00000100), ref: 007CDE5C
gethostbyname.WS2_32(?), ref: 007CDE69
inet_ntoa.WSOCK32(?), ref: 007CDEAB
_strcat.LIBCMT ref: 007CDEB9
WSACleanup.WSOCK32 ref: 007CDEDE

Strings

0.0.0.0, xrefs: 007CDE87

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 54db51c406a7850f0eb2e1e3b5305cd2282b88a5a9e5f501cec83268520cbf71
Instruction ID: 5aa2876e1d290835096a43c9d1c7de9e251e630d4bb208a234053690d1a1f2df
Opcode Fuzzy Hash: 54db51c406a7850f0eb2e1e3b5305cd2282b88a5a9e5f501cec83268520cbf71
Instruction Fuzzy Hash: F511E471904119ABCB31BB20DD0AEEE77ACDB14710F01017EF50996091EFBC9E81CBA0

Function 00762C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00762C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00762CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00761CAD,?), ref: 00762CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00761CAD,?), ref: 00762CCF

Strings

edit, xrefs: 00762CAC
AutoIt v3, xrefs: 00762C89, 00762C8E, 00762C8F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f034c8eda41b989bcd97167a303ca6378edf11a824b1db01bc5cd42c7b956a27
Instruction ID: 79955b107f2334d424db5367f4d7c706b3f89b0af82a5b8d40f3036054056864
Opcode Fuzzy Hash: f034c8eda41b989bcd97167a303ca6378edf11a824b1db01bc5cd42c7b956a27
Instruction Fuzzy Hash: DFF0DA755402987AEB315717AC0CEB76EBDE7C6F50B00445AFA00A36A0C6691854DEB4

Function 007BD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 007BD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BD3BF
FreeLibrary.KERNEL32(00000000), ref: 007BD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 007BD3B9
X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 00fe1e1b8955a79d4a82586f8656cd6a3abf19d3e5ac71bcd8569fd1b22379ee
Instruction ID: e614e7b3c606d267839c29dc62cd26d960226b1fd6ef60f2b0c340bfa6e13f4d
Opcode Fuzzy Hash: 00fe1e1b8955a79d4a82586f8656cd6a3abf19d3e5ac71bcd8569fd1b22379ee
Instruction Fuzzy Hash: A6F055B5401A69CBDB3223108D18BFD3320BF10B01B58C068F806E2102FB6CCD84C683

Function 00763B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B83

Strings

Control Panel\Mouse, xrefs: 00763B3E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a0cc54bd53c695927b756c2b4e5cedd0b6efe295f9bca918f740c0e5a4b13230
Instruction ID: e92ee00a7cd8d3e81187bee8184cfa0ac2e42212d1ef181d3edfe057340bd71e
Opcode Fuzzy Hash: a0cc54bd53c695927b756c2b4e5cedd0b6efe295f9bca918f740c0e5a4b13230
Instruction Fuzzy Hash: 1A1157B1610208FFDB218FA4DC84EEEBBB8EF01750B10846AA80AD7110E6359E40DBA4

Function 0076DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 007B32B7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c76f66484228c0c3b005fd9e387cae07a49ab27300db5fe5710610b38faf0472
Instruction ID: 0a4738460d60d076262b916d113f0e3d8e5b95c43028bc6133120fb7683e8e1f
Opcode Fuzzy Hash: c76f66484228c0c3b005fd9e387cae07a49ab27300db5fe5710610b38faf0472
Instruction Fuzzy Hash: CEC28C79A00215CFCB24CF58C884AADB7B1FF58310F248569ED16AB391D779ED81CBA1

Function 0076EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0076FE66

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 0906b505d046813f00610f49279c72d339622b05381aef5850e15f4b8252895c
Instruction ID: 99cff62145a5329c3e06b305719340d830bd37ae83757376ef05457e2e44f5bb
Opcode Fuzzy Hash: 0906b505d046813f00610f49279c72d339622b05381aef5850e15f4b8252895c
Instruction Fuzzy Hash: 56B28A74608341CFCB24CF18D494A2AB7E1BF99310F24886DE98A9B361D779ED45CF92

Function 00763923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007A33A2

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00763A04

Strings

Line: , xrefs: 007A33EB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 31f79df1d86e1138a815606121c75e94ed94de8ae71c2d3053aed7eaee5935cc
Instruction ID: 400d769fb88c9f36f8d40e61facc6d65a334b31dbe41a405f6969bbc57dd9496
Opcode Fuzzy Hash: 31f79df1d86e1138a815606121c75e94ed94de8ae71c2d3053aed7eaee5935cc
Instruction Fuzzy Hash: 9931D871408304EAC721EB10DC49BEBB7DCAF80714F00491AF99A932D1DB7C9A48CBC2

Function 0077FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00780668

Part of subcall function 007832A4: RaiseException.KERNEL32(?,?,?,0078068A,?,00831444,?,?,?,?,?,?,0078068A,00761129,00828738,00761129), ref: 00783304

__CxxThrowException@8.LIBVCRUNTIME ref: 00780685

Strings

Unknown exception, xrefs: 00780692

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 494de79b23739e9b0a82327ac076fa8687890391ab20f6f2d1a4ad8f3ab29882
Instruction ID: 8489fcfbeb0caf9eb2bb858bfce63ed2d4429784c0262ae3b0e4def8e13aec2e
Opcode Fuzzy Hash: 494de79b23739e9b0a82327ac076fa8687890391ab20f6f2d1a4ad8f3ab29882
Instruction Fuzzy Hash: E9F02234A8020DF78F14B668E85AD9E776CAE00360B608031F828C2691EF78DA69C7D0

Function 007610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00761BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00761BF4
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00761BFC
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00761C07
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00761C12
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00761C1A
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00761C22

Part of subcall function 00761B4A: RegisterWindowMessageW.USER32(00000004,?,007612C4), ref: 00761BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0076136A
OleInitialize.OLE32 ref: 00761388
CloseHandle.KERNEL32(00000000,00000000), ref: 007A24AB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6ff1b337a39d8c40756ba9f70f9cbb64a410c1bb2f31e4fbe44a3ae3778dd14f
Instruction ID: a8baaaca39cf82fa473e1c9d4564a0f91741f93ee5f5639a3dd202c9c5536345
Opcode Fuzzy Hash: 6ff1b337a39d8c40756ba9f70f9cbb64a410c1bb2f31e4fbe44a3ae3778dd14f
Instruction Fuzzy Hash: 2B71B9B5901304CECF84EFB9A94E6653AE1FBC8F407588A3AD50AD7361EB784405CF98

Function 007CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00763923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00763A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007CC259
KillTimer.USER32(?,00000001,?,?), ref: 007CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007CC270

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2b2ab8ca40a6445147b1a5219f0d3f4cce05115ce33b1ef5a20723237bd2ba37
Instruction ID: f9d10a1f03b722166bbec6e35c720d36c8a5673aab04b3a028b8d7d06ffc890a
Opcode Fuzzy Hash: 2b2ab8ca40a6445147b1a5219f0d3f4cce05115ce33b1ef5a20723237bd2ba37
Instruction Fuzzy Hash: C931C370904744AFEB339F648899FE7BBECAB06308F04449ED6DE93241C3785A84CB51

Function 007986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,007985CC,?,00828CC8,0000000C), ref: 00798704
GetLastError.KERNEL32(?,007985CC,?,00828CC8,0000000C), ref: 0079870E
__dosmaperr.LIBCMT ref: 00798739

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 43a50fc47bf2a7dd00f55a26c1338ef934bcf6f126a4973e3881c6fda3ccbcfd
Instruction ID: ce156b7556190042679c5915f8183f92a31624d91df89a99ba08e7fa662cc5f5
Opcode Fuzzy Hash: 43a50fc47bf2a7dd00f55a26c1338ef934bcf6f126a4973e3881c6fda3ccbcfd
Instruction Fuzzy Hash: 20012633A0563066DEA66274B84AB7E6B594B83778F390119F9148F1D3DEAD8C81C292

Function 0076DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0076DB7B
DispatchMessageW.USER32(?), ref: 0076DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0076DB9F
Sleep.KERNEL32(0000000A), ref: 0076DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 007B1CC9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f8e4c46a29474ee44592aee706034d251209dfbe8ffa473e362bd2411d30b6e5
Instruction ID: b5cf235869863a3d89ecb2ec636963ea72f9d2ab1f9571c5ac75452d85f8a179
Opcode Fuzzy Hash: f8e4c46a29474ee44592aee706034d251209dfbe8ffa473e362bd2411d30b6e5
Instruction Fuzzy Hash: F4F05E30614345DBEB30DBA08D59FEA73A8EB84710F508929E61AC70D0DB38A448CB29

Function 00771310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007717F6

Strings

CALL, xrefs: 007717C6

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: d5a2f100318098920f953838ea943fae7ef7cf3a5db11906defabf56ead391f5
Instruction ID: 4ec82c75ec3c2b35cf93c2ea27136fc4d3966f8fd1aa33e2bd56fe19b05d94c5
Opcode Fuzzy Hash: d5a2f100318098920f953838ea943fae7ef7cf3a5db11906defabf56ead391f5
Instruction Fuzzy Hash: EF22AA70608241DFCB14CF18C484B2ABBF1BF89394F54892DF59A8B361D739E955CB92

Function 007701E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99597ac413bec31d506aceabe590941541992f57136cb421d4bdc98a3910b569
Instruction ID: a9e0ae90c9011ca55003e21dc966efc9f18362cdc286bc39b648f245b427b51e
Opcode Fuzzy Hash: 99597ac413bec31d506aceabe590941541992f57136cb421d4bdc98a3910b569
Instruction Fuzzy Hash: 9A32C031A00605DFCF24DF54C889BAEB7B1BF05350F148569F91AAB2A2E779ED40CB91

Function 00762DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 007A2C8C

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 00762DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00762DC4

Strings

X, xrefs: 007A2C5A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: a2eacb349c3aa6c5b3fac9f8cee49e9a276f8abbb99f2e4dbff648c441be9288
Instruction ID: f230e40474831c7a929c685b1b026b09e81731f731e095c39a81388b666b3401
Opcode Fuzzy Hash: a2eacb349c3aa6c5b3fac9f8cee49e9a276f8abbb99f2e4dbff648c441be9288
Instruction Fuzzy Hash: 2521A871A00298DFDB41EF94D8497EE7BF8AF49714F008059E905E7242DBBC5A89CF61

Function 007BD363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 007BD375

Strings

X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 4f5508be7036924cd4e1843d653ea3f3e234e0c05e736a3275c7ebab576bc235
Instruction ID: 5c2f0c86a001afd290ab9f2acab6ca439f31794cbfac5e079f333f19a8c53489
Opcode Fuzzy Hash: 4f5508be7036924cd4e1843d653ea3f3e234e0c05e736a3275c7ebab576bc235
Instruction Fuzzy Hash: AFD0C9B580515CEACBA4CB40DC88EE9B37CBF04345F508155F006A2000E77899489B11

Function 00763837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00763908

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4f2513117a602d8b03c6c839068250c04d2f7c8b44424f222cd5315f65aaeb53
Instruction ID: a6fdded9cef4c4d1d84a07c32e95f1b6b3db890065136ab09e58be3779ff0bb3
Opcode Fuzzy Hash: 4f2513117a602d8b03c6c839068250c04d2f7c8b44424f222cd5315f65aaeb53
Instruction Fuzzy Hash: 60316F71504701DFD761DF24D8897E7BBE8FB89708F00092EF99A87250E779AA44CB62

Function 0077F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077F661

Part of subcall function 0076D730: GetInputState.USER32 ref: 0076D807

Sleep.KERNEL32(00000000), ref: 007BF2DE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3d31886aa29c32c3b2a6ba98ca1b57c035ec1ea2fd185bff4cbdce9ba2cfc3bf
Instruction ID: 02ad3d9c72c2f2b06f81abf6180d24d97f4df8846b7544969e910c1fe2485326
Opcode Fuzzy Hash: 3d31886aa29c32c3b2a6ba98ca1b57c035ec1ea2fd185bff4cbdce9ba2cfc3bf
Instruction Fuzzy Hash: D5F08C312402099FD310EF69D949BAAB7E8FF4A760F00402AE85AD7361EB74AC50CB95

Function 0076B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0076BB4E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 96840394ace3e7450dab76db0ae77d13da018d4e70de038ee0a6b2af8cf97c88
Instruction ID: 4c7cb07fa05d7cf94dc508928a5d9c373448d14321d3c54fcb7e95bc5777558e
Opcode Fuzzy Hash: 96840394ace3e7450dab76db0ae77d13da018d4e70de038ee0a6b2af8cf97c88
Instruction Fuzzy Hash: 2A328974A00209DFDB24CF58C898BBEB7B9FF46314F148059ED06AB261D778AD81CB91

Function 00764ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00764E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E9C
Part of subcall function 00764E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00764EAE
Part of subcall function 00764E90: FreeLibrary.KERNEL32(00000000,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EFD

Part of subcall function 00764E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E62
Part of subcall function 00764E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00764E74
Part of subcall function 00764E59: FreeLibrary.KERNEL32(00000000,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E87

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 41a314dd698a8922836dfadf57e45cbdde6afa6897f0290d670ad2bfbe675133
Instruction ID: df1830c49cb83a3434de84a2177b53c08f87b3214cd7340ba71bd547777c6a4d
Opcode Fuzzy Hash: 41a314dd698a8922836dfadf57e45cbdde6afa6897f0290d670ad2bfbe675133
Instruction Fuzzy Hash: 4B11E332610205EACB15BF60DC0AFED77A5AF50710F24842EF943A61C1EE799A05A790

Function 00798402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00798440

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7544afde25ad8a229b270cea4519efe5c82f8e922a8de5dbcc8092a21133bd57
Instruction ID: 2973fd8be91629e25ba979202663a3634f436104f5d0523a87e02faed71bb0a0
Opcode Fuzzy Hash: 7544afde25ad8a229b270cea4519efe5c82f8e922a8de5dbcc8092a21133bd57
Instruction Fuzzy Hash: 0611157590420AAFCF05DF58E94599A7BF9EF49314F1044A9F808AB312DA31EA21CBA5

Function 0078E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 7208489c50f1aa9695750747b3806739ac7b8b053efa0a1869112e180a32f68f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8DF02D32650A14E6DB313A699C0DB5A33989F52330F140715F524D31E2EB7CE80287A6

Function 00769CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00769CBD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction ID: e185b0be58269b4e70581d32ccec9f6f962b265daf304ab281132ce223ee705b
Opcode Fuzzy Hash: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction Fuzzy Hash: D5F0C8B3640601BED725AF38D806B67BB98EB44760F10853AFA1ACB1D1DB75E514C7E0

Function 00793820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc81fae7c81d83a1f22d05bd048a45603f5a1d7f49b31a98a6e1df33f6451941
Instruction ID: 56ebba0b6e2f205615b26477981bb369b29e4ccf559b975c17785c4d7979ab38
Opcode Fuzzy Hash: bc81fae7c81d83a1f22d05bd048a45603f5a1d7f49b31a98a6e1df33f6451941
Instruction Fuzzy Hash: 4EE0E5321406299AEE213667BC09F9A3749AF42BB0F050022BC0592980CB5CDD0192F0

Function 00764F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764F6D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5ce2dc3fc6659d6e1f81d8ca6ce543df07fd55b91eb2b247d28cfc9c60c46a03
Instruction ID: 6da3bd3f00a955ff1963265a2b3c1418ef85bc234a4bead6961398e35ba31f8b
Opcode Fuzzy Hash: 5ce2dc3fc6659d6e1f81d8ca6ce543df07fd55b91eb2b247d28cfc9c60c46a03
Instruction Fuzzy Hash: 54F03071105751CFDB389F64D494862B7E5AF14319318897EE5DB82511C7399848DF10

Function 007F2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007F2A66

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: febd01e2df47d2390d862eabc7180b0f4e20d0e6798780eddc60071a900d28c1
Instruction ID: 7480db5c397a48655b803f58ee9c4e33af3361eaa4d71f980bbec0632b87d782
Opcode Fuzzy Hash: febd01e2df47d2390d862eabc7180b0f4e20d0e6798780eddc60071a900d28c1
Instruction Fuzzy Hash: 1FE04F3635411AAAC715EA30EC849FA775CEB50395710853AAD1AC2201DB389996D6A0

Function 007630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0076314E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1d6d86b8cef6f2f9280f616e2d6f57ac3a0b53922b5f9a586195c5147f6d8e2e
Instruction ID: 16c85448af54abbcf7cb478637edf07609ad04db2f6b085bfa6cdb3dd0155c8b
Opcode Fuzzy Hash: 1d6d86b8cef6f2f9280f616e2d6f57ac3a0b53922b5f9a586195c5147f6d8e2e
Instruction Fuzzy Hash: 7EF037709143589FEB529B24DC497D57BFCB741708F0000E5A54997296D7785788CF51

Function 00762DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00762DC4

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 067506ce4d5fbbbbb6a9d6285ab92780f5bf30d0daa3a643583b6a41aea30f69
Instruction ID: f7ff4f29ed9f27e9b423cab033a936e00f9d0818ff2709f9bce065a8165321d3
Opcode Fuzzy Hash: 067506ce4d5fbbbbb6a9d6285ab92780f5bf30d0daa3a643583b6a41aea30f69
Instruction Fuzzy Hash: 3DE0CD766001249BD71196589C09FEA77DDDFC8790F044171FD09D7248D964AD80C550

Function 00762B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00763837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00763908

Part of subcall function 0076D730: GetInputState.USER32 ref: 0076D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00762B6B

Part of subcall function 007630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0076314E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 0d3c6a8960c890e68c2a0bfee78b3b7a80698f4135d603533252ed1118fb7f53
Instruction ID: a00f6aa3d8feb63aae8e5022abea421f58f7f0b6cbb7237acb9554f7ef49cefe
Opcode Fuzzy Hash: 0d3c6a8960c890e68c2a0bfee78b3b7a80698f4135d603533252ed1118fb7f53
Instruction Fuzzy Hash: 12E0262130024482CE08BBB0A85E4BDE34ADBD1751F00083EFD43831A3CF2C4949C252

Function 007CDF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 007CDF40

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 559a1b370124841008fe4b11d3421e6ddc1f8ba1aa89551c3189ebcf7c67a46f
Instruction ID: 5f2d3d12c3f426e31ff01bb47987ce2cd479c7b03d3687e59052713b3c04a121
Opcode Fuzzy Hash: 559a1b370124841008fe4b11d3421e6ddc1f8ba1aa89551c3189ebcf7c67a46f
Instruction Fuzzy Hash: CAD05EE2A002286BDF60E6749D0DDF73AACC740214F0046A0786DD3152E964ED4486B0

Function 007A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,007A0704,?,?,00000000,?,007A0704,00000000,0000000C), ref: 007A03B7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219a6c38abdccedf0153a16586a6fc1a0015b3e2093bf124ba201efd44fa3fc
Instruction ID: e1e78d0b9a5c555fd6da7748de8e6328bbce022da412291de4a2845c63816254
Opcode Fuzzy Hash: 4219a6c38abdccedf0153a16586a6fc1a0015b3e2093bf124ba201efd44fa3fc
Instruction Fuzzy Hash: AAD06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E831EB94

Function 00761CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00761CBC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 14406750a3c9d4f92ba6825bbc4ae91d0a3fb2290ca3a1e0c1e4c42aa526a92b
Instruction ID: 49b6417f67a244ad0a27caca103bb461700320ae552d3c9769ee254c791d21c3
Opcode Fuzzy Hash: 14406750a3c9d4f92ba6825bbc4ae91d0a3fb2290ca3a1e0c1e4c42aa526a92b
Instruction Fuzzy Hash: A6C09236280308AFF6158B80BD4EF207768B388F01F148801F609AA6E3C3A62824EA54

Non-executed Functions

Function 007F9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007F96C9
SendMessageW.USER32 ref: 007F96F2
GetKeyState.USER32(00000011), ref: 007F978B
GetKeyState.USER32(00000009), ref: 007F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007F97AE
GetKeyState.USER32(00000010), ref: 007F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007F97E9
SendMessageW.USER32 ref: 007F9810
SendMessageW.USER32(?,00001030,?,007F7E95), ref: 007F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007F9941
SetCapture.USER32(?), ref: 007F994A
ClientToScreen.USER32(?,?), ref: 007F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F99D6
ReleaseCapture.USER32 ref: 007F99E1
GetCursorPos.USER32(?), ref: 007F9A19
ScreenToClient.USER32(?,?), ref: 007F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007F9A80
SendMessageW.USER32 ref: 007F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007F9AEB
SendMessageW.USER32 ref: 007F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007F9B4A
GetCursorPos.USER32(?), ref: 007F9B68
ScreenToClient.USER32(?,?), ref: 007F9B75
GetParent.USER32(?), ref: 007F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007F9BFA
SendMessageW.USER32 ref: 007F9C2B
ClientToScreen.USER32(?,?), ref: 007F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007F9CDE
SendMessageW.USER32 ref: 007F9D01
ClientToScreen.USER32(?,?), ref: 007F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007F9D82

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

GetWindowLongW.USER32(?,000000F0), ref: 007F9E05

Strings

F, xrefs: 007F9D07
@GUI_DRAGID, xrefs: 007F997D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 7049266bd96c9ba88842a0706f553aac3f2533e5b7246291cf8e2729436ba4f2
Instruction ID: bf528f62b2768c4e2032ecda70e1a6e35c824e39c12ffb4207f28bb8d2a2542f
Opcode Fuzzy Hash: 7049266bd96c9ba88842a0706f553aac3f2533e5b7246291cf8e2729436ba4f2
Instruction Fuzzy Hash: 27426B30208209EFDB25DF24C948BBABBE5FF88720F144A59F759C72A1D739A854CB51

Function 007F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007F4A7E
IsMenu.USER32(?), ref: 007F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007F4B20
GetWindowLongW.USER32(?,000000F0), ref: 007F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007F4C82
wsprintfW.USER32 ref: 007F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007F4D5A

Strings

%d/%02d/%02d, xrefs: 007F4CA8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0bc24937f09ebdd238dbb79c4dfe7383d7b297936737c5270faaeb779cfb8a4e
Instruction ID: 496c8a5dbed8b44edc8fca6204aed1c042234b1c2a88a9181510b44d11d43ed4
Opcode Fuzzy Hash: 0bc24937f09ebdd238dbb79c4dfe7383d7b297936737c5270faaeb779cfb8a4e
Instruction Fuzzy Hash: 8712DF71600218ABEB258F28CD49FBF7BF8BF45710F148159FA1ADA2A1DB789941CB50

Function 0077F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0077F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007BF474
IsIconic.USER32(00000000), ref: 007BF47D
ShowWindow.USER32(00000000,00000009), ref: 007BF48A
SetForegroundWindow.USER32(00000000), ref: 007BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007BF4AA
GetCurrentThreadId.KERNEL32 ref: 007BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 007BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 007BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 007BF4DE
SetForegroundWindow.USER32(00000000), ref: 007BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF4F6
keybd_event.USER32(00000012,00000000), ref: 007BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF50B
keybd_event.USER32(00000012,00000000), ref: 007BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF519
keybd_event.USER32(00000012,00000000), ref: 007BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF528
keybd_event.USER32(00000012,00000000), ref: 007BF52D
SetForegroundWindow.USER32(00000000), ref: 007BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 007BF557

Strings

Shell_TrayWnd, xrefs: 007BF46F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d0fb0e20be0381ee02797c43262bab1f6dd6e9a32151d931540dabdc4cccd440
Instruction ID: 11f8036e770d709ff84a2f1667caba35327d8c5c01c2c57fc96cd1c3d660089e
Opcode Fuzzy Hash: d0fb0e20be0381ee02797c43262bab1f6dd6e9a32151d931540dabdc4cccd440
Instruction Fuzzy Hash: EF315071A4021CBBEB216BB55D4AFBF7F6CEF44B50F204065FA00E61D1C6B85D10EA65

Function 007C1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
Part of subcall function 007C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
Part of subcall function 007C16C3: GetLastError.KERNEL32 ref: 007C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 007C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007C12A8
CloseHandle.KERNEL32(?), ref: 007C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C12D1
GetProcessWindowStation.USER32 ref: 007C12EA
SetProcessWindowStation.USER32(00000000), ref: 007C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C1310

Part of subcall function 007C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C11FC), ref: 007C10D4
Part of subcall function 007C10BF: CloseHandle.KERNEL32(?,?,007C11FC), ref: 007C10E9

Strings

, xrefs: 007C125A
winsta0, xrefs: 007C12CC
default, xrefs: 007C130B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d0428c6949dc009dd8bbab1f309edc300f37891af66238d9eff8b707cc1a6e08
Instruction ID: a31855028193198fc6e7a7ea908301c1c3117dc6d94b64c53ff69e5778c630fb
Opcode Fuzzy Hash: d0428c6949dc009dd8bbab1f309edc300f37891af66238d9eff8b707cc1a6e08
Instruction Fuzzy Hash: 5681AA71900248AFDF269FA4DD49FEE7BB9EF05700F14816DF910E61A2D7388A44CB64

Function 007C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
Part of subcall function 007C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
Part of subcall function 007C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
Part of subcall function 007C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C0C00
GetLengthSid.ADVAPI32(?), ref: 007C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 007C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C0C6D
GetLengthSid.ADVAPI32(?), ref: 007C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007C0C8C
HeapAlloc.KERNEL32(00000000), ref: 007C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C0CB4
CopySid.ADVAPI32(00000000), ref: 007C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D45
HeapFree.KERNEL32(00000000), ref: 007C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D55
HeapFree.KERNEL32(00000000), ref: 007C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D65
HeapFree.KERNEL32(00000000), ref: 007C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 007C0D78
HeapFree.KERNEL32(00000000), ref: 007C0D7F

Part of subcall function 007C1193: GetProcessHeap.KERNEL32(00000008,007C0BB1,?,00000000,?,007C0BB1,?), ref: 007C11A1
Part of subcall function 007C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007C0BB1,?), ref: 007C11A8
Part of subcall function 007C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007C0BB1,?), ref: 007C11B7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2cc0eded6298618e287ddf9a403b89b1d6fdea97cbf6009ef5652a417686a35b
Instruction ID: 84ab5828c77bec85196b80f0ca3c9f0084715c3002a4527ef7d590c0dd72e1af
Opcode Fuzzy Hash: 2cc0eded6298618e287ddf9a403b89b1d6fdea97cbf6009ef5652a417686a35b
Instruction Fuzzy Hash: 93715DB1A0020EEBDF11DFA4DD45FEEBBB8BF04700F048519E915A6191D779A905CBE0

Function 007DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007FCC08), ref: 007DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 007DEB37
GetClipboardData.USER32(0000000D), ref: 007DEB43
CloseClipboard.USER32 ref: 007DEB4F
GlobalLock.KERNEL32(00000000), ref: 007DEB87
CloseClipboard.USER32 ref: 007DEB91
GlobalUnlock.KERNEL32(00000000), ref: 007DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 007DEBC9
GetClipboardData.USER32(00000001), ref: 007DEBD1
GlobalLock.KERNEL32(00000000), ref: 007DEBE2
GlobalUnlock.KERNEL32(00000000), ref: 007DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 007DEC38
GetClipboardData.USER32(0000000F), ref: 007DEC44
GlobalLock.KERNEL32(00000000), ref: 007DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 007DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007DECD2
GlobalUnlock.KERNEL32(00000000), ref: 007DECF3
CountClipboardFormats.USER32 ref: 007DED14
CloseClipboard.USER32 ref: 007DED59

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 29a08c33f3145a0cb952b0ae750bd72348545ec46d4e58d2a593a8ce2df067e8
Instruction ID: cb2c64f9e6c6dcf4fa400838ce251d79d638a652298948411d0ca6af073b852b
Opcode Fuzzy Hash: 29a08c33f3145a0cb952b0ae750bd72348545ec46d4e58d2a593a8ce2df067e8
Instruction Fuzzy Hash: 3361AE742042069FD302EF24D988F3AB7B4AF84704F14855EF8569B3A1CB39E909CB62

Function 007D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007D69BE
FindClose.KERNEL32(00000000), ref: 007D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007D6A75

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 007D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 007D6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007D6B6A
%4d, xrefs: 007D6BB1
%02d, xrefs: 007D6C00, 007D6C0A, 007D6C5A, 007D6CAA, 007D6CFA, 007D6D4A
%03d, xrefs: 007D6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 007D6B32

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: aae5bfd6692eaefd1660ee05de52a1c879f37364e5a9169275a062dcee477129
Instruction ID: c7fb7c4eba1f8ce5d50948b9259e9c0d7570da75d21f1b46b48097414ad02d7a
Opcode Fuzzy Hash: aae5bfd6692eaefd1660ee05de52a1c879f37364e5a9169275a062dcee477129
Instruction Fuzzy Hash: B5D14072508340EFC714DBA4C985EABB7ECBF88704F44491DF986D6251EB78DA44C762

Function 007D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007D9663
GetFileAttributesW.KERNEL32(?), ref: 007D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 007D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 007D96D3
FindClose.KERNEL32(00000000), ref: 007D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 007D974A
SetCurrentDirectoryW.KERNEL32(00826B7C), ref: 007D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D9772
FindClose.KERNEL32(00000000), ref: 007D977F
FindClose.KERNEL32(00000000), ref: 007D978F

Strings

*.*, xrefs: 007D96F5

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 785a6cbc9578ffd7ca46fd9805eb0280d667faf5cefb15f8a0274ccbdf502658
Instruction ID: 82b5fce6038461fcba1ff1e1fe6d91e94a9dc92d37b70aad810a8aef3741126b
Opcode Fuzzy Hash: 785a6cbc9578ffd7ca46fd9805eb0280d667faf5cefb15f8a0274ccbdf502658
Instruction Fuzzy Hash: 5E31A27254021DAADF15AFB4ED49AEE77BCEF09331F108156EA15E22A0EB38D944CB14

Function 007D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 007D9819
FindClose.KERNEL32(00000000), ref: 007D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 007D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 007D9890
SetCurrentDirectoryW.KERNEL32(00826B7C), ref: 007D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D98B8
FindClose.KERNEL32(00000000), ref: 007D98C5
FindClose.KERNEL32(00000000), ref: 007D98D5

Part of subcall function 007CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007CDB00

Strings

*.*, xrefs: 007D983B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ee5bbc89a271a075fe9d63a9db7e07af7be3c1b677b6612a83afc71429177f51
Instruction ID: 5d161996b524efc65ee24951d1f1686f62ae2334d362bdc8853cbfa56b143501
Opcode Fuzzy Hash: ee5bbc89a271a075fe9d63a9db7e07af7be3c1b677b6612a83afc71429177f51
Instruction Fuzzy Hash: 5931953254061DAADF15AFB4EC48AEE77BCEF06720F148156E514E22A0DB38D984DB64

Function 007EBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007EBFA9
RegCloseKey.ADVAPI32(00000000), ref: 007EBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007EC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007EC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007EC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007EC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007EC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007EC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007EC382
RegCloseKey.ADVAPI32(00000000), ref: 007EC38F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f121d2b83bcb1c5ec870f1494ed7db6055d308a91e4bebf4ada26c6da2f4a4b8
Instruction ID: 8c2ca6ee230b953118acd85837bfdf783606a1c149a2fb959eec9b57190aa4d1
Opcode Fuzzy Hash: f121d2b83bcb1c5ec870f1494ed7db6055d308a91e4bebf4ada26c6da2f4a4b8
Instruction Fuzzy Hash: 0D027D75604240DFD715CF29C895E2ABBE4AF49308F18C49DF84ADB2A2DB35EC42CB52

Function 007CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

FindFirstFileW.KERNEL32(?,?), ref: 007CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 007CD1DD
MoveFileW.KERNEL32(?,?), ref: 007CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 007CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 007CD237

Part of subcall function 007CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007CD21C,?,?), ref: 007CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 007CD253
FindClose.KERNEL32(00000000), ref: 007CD264

Strings

\*.*, xrefs: 007CD0CD, 007CD0D6, 007CD0EB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c1579c81a6b710d7221619d1162464ac4fab440c796034bc76a519ae480bedb0
Instruction ID: fdfe536cdbb1e1331aec0cf5bff14ddda66d5f4ce2831fd03dcf4e8aa8b9e807
Opcode Fuzzy Hash: c1579c81a6b710d7221619d1162464ac4fab440c796034bc76a519ae480bedb0
Instruction Fuzzy Hash: E5611A3180110DEBDF15EBA0DA56EEDB7B9AF55300F244169E80277191EB38AF09DB61

Function 007DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007DED91
EmptyClipboard.USER32 ref: 007DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 007DEDAC
CloseClipboard.USER32 ref: 007DEEA3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 668a052e6810ce4365bfd6640c0e3efc0b9aacf529f90f3aad997906fc8c45a3
Instruction ID: c18b894f88c45d70d08d14a516a511a526a0c58538f808f526ad01f6aaf04812
Opcode Fuzzy Hash: 668a052e6810ce4365bfd6640c0e3efc0b9aacf529f90f3aad997906fc8c45a3
Instruction Fuzzy Hash: 2E417935204611AFE722EF15D988B29BBA1EF44318F14C09AE85A8F762C779EC41CB90

Function 007CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
Part of subcall function 007C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
Part of subcall function 007C16C3: GetLastError.KERNEL32 ref: 007C174A

ExitWindowsEx.USER32(?,00000000), ref: 007CE932

Strings

, xrefs: 007CE920
, xrefs: 007CE95C
@, xrefs: 007CE925
SeShutdownPrivilege, xrefs: 007CE902

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9efab3b76cc43b7a74f34ba582ea8b83957d4e9a71d7f81c5b73d838778386c8
Instruction ID: 432172e507df5e533ee5431cbe2a500c49bdba222ada3022abd3c8c52defc789
Opcode Fuzzy Hash: 9efab3b76cc43b7a74f34ba582ea8b83957d4e9a71d7f81c5b73d838778386c8
Instruction Fuzzy Hash: 9B012632610214EBEB5422B49C8AFBF735CA704740F15452DFC02E31D2D9BC6C80C295

Function 007E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E1276
WSAGetLastError.WSOCK32 ref: 007E1283
bind.WSOCK32(00000000,?,00000010), ref: 007E12BA
WSAGetLastError.WSOCK32 ref: 007E12C5
closesocket.WSOCK32(00000000), ref: 007E12F4
listen.WSOCK32(00000000,00000005), ref: 007E1303
WSAGetLastError.WSOCK32 ref: 007E130D
closesocket.WSOCK32(00000000), ref: 007E133C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 7ef7a9a62ad461d4cbccf6ae333713c9b639d62c5b4781d00f8be47ca041d1fb
Instruction ID: d094ba4c4e3e64c84bafa61f75a3160f051fa4f92fd05709e290622c60b7632e
Opcode Fuzzy Hash: 7ef7a9a62ad461d4cbccf6ae333713c9b639d62c5b4781d00f8be47ca041d1fb
Instruction Fuzzy Hash: 8141B131600140DFD710DF65C989B69BBE5BF4A318F58C188E9569F292C779EC81CBE1

Function 0079B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0079B9D4
_free.LIBCMT ref: 0079B9F8
_free.LIBCMT ref: 0079BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00803700), ref: 0079BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0083121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0079BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00831270,000000FF,?,0000003F,00000000,?), ref: 0079BC36
_free.LIBCMT ref: 0079BD4B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8a61e27661ac3848dd3b55b9a0371f7ac6aca4de455355a545733ad74b4935b3
Instruction ID: 08e3d57a7321689bd8a51107d9a194bb9d28c9c8ad534b421847df115b3562eb
Opcode Fuzzy Hash: 8a61e27661ac3848dd3b55b9a0371f7ac6aca4de455355a545733ad74b4935b3
Instruction Fuzzy Hash: 2DC12971904209EFCF20DF68BE49BAE7BB9EF81710F14459AE494D7291D7389E41C790

Function 007CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

FindFirstFileW.KERNEL32(?,?), ref: 007CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 007CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 007CD481
FindClose.KERNEL32(00000000), ref: 007CD498
FindClose.KERNEL32(00000000), ref: 007CD4A1

Strings

\*.*, xrefs: 007CD3F2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d7bb248fbefea1f67aab7ead4a78a20448cd4c61df20f2e9954db32612cce9f4
Instruction ID: eb91586faaa713509eafa421a8467a18265515740393cb7323baa511fd433c55
Opcode Fuzzy Hash: d7bb248fbefea1f67aab7ead4a78a20448cd4c61df20f2e9954db32612cce9f4
Instruction Fuzzy Hash: 5831A2310083859FC315EF60D955DAFB7A8BE91300F444A2DF9D693191EB38AE09DB63

Function 0079E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0079E645

Strings

1#QNAN, xrefs: 0079F84B
1#INF, xrefs: 0079F852
1#IND, xrefs: 0079F83D
1#SNAN, xrefs: 0079F844

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6cf8557cbbf2682be4fbf868f101653d4ea7e9bf8c817c47c6919525075dbcf9
Instruction ID: 89b79fce50a931a1740ea0420004e0bb5bc2664ff8a8d075efa04ebc54eff42b
Opcode Fuzzy Hash: 6cf8557cbbf2682be4fbf868f101653d4ea7e9bf8c817c47c6919525075dbcf9
Instruction Fuzzy Hash: 42C24A72E086288FDF65CE28ED447EAB7B5EB48315F1441EAD44DE7241E778AE818F40

Function 007D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D64DC
CoInitialize.OLE32(00000000), ref: 007D6639
CoCreateInstance.OLE32(007FFCF8,00000000,00000001,007FFB68,?), ref: 007D6650
CoUninitialize.OLE32 ref: 007D68D4

Strings

.lnk, xrefs: 007D64BA, 007D6524, 007D65E0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4dde745f7bbcc5c8d48c2be201bca874eb9eb8dcdc76ea422655a66c96236f0f
Instruction ID: 7612ccab025a1acd94036aae3b5904a8a963a57a4cfa539e0b029d078cd885b4
Opcode Fuzzy Hash: 4dde745f7bbcc5c8d48c2be201bca874eb9eb8dcdc76ea422655a66c96236f0f
Instruction Fuzzy Hash: CBD15A71508301AFC304EF24C885A6BB7E8FF94704F14496DF5968B291EB75ED45CBA2

Function 007E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007E22E8

Part of subcall function 007DE4EC: GetWindowRect.USER32(?,?), ref: 007DE504

GetDesktopWindow.USER32 ref: 007E2312
GetWindowRect.USER32(00000000), ref: 007E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007E2355
GetCursorPos.USER32(?), ref: 007E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E23DF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f7ddc42ef79d88c4d8248fd9ddc380ef45fae67b92001bc2e837587afff2c524
Instruction ID: 3e1c0bb2644181a51d56f5fab4cbf0a79b12fbe14e89cf97b97f2a52d9a7af8e
Opcode Fuzzy Hash: f7ddc42ef79d88c4d8248fd9ddc380ef45fae67b92001bc2e837587afff2c524
Instruction Fuzzy Hash: 4131CD72505359ABC721DF15C849F6BBBAEFF88310F00091DF98597182DB38EA09CB96

Function 007D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 007D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007D9C8B

Part of subcall function 007D3874: GetInputState.USER32 ref: 007D38CB
Part of subcall function 007D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007D9C75

Strings

*.*, xrefs: 007D9B5D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4802fdc0617577a081196f8bf65cb1effae7b2a4afae65ae5b7c4a9e58fc132a
Instruction ID: 7cc908f3f3d978508a8ad99f0bda45f36bbb015c358334f82f77938c1a98252a
Opcode Fuzzy Hash: 4802fdc0617577a081196f8bf65cb1effae7b2a4afae65ae5b7c4a9e58fc132a
Instruction Fuzzy Hash: 1C41507194420AEFDF15DF64C949AEEBBB8FF05310F144156E919A32A1EB389E84CF60

Function 00768060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007A5DF0
VUUU, xrefs: 007683E8
VUUU, xrefs: 0076843C
InitializeCriticalSectionEx, xrefs: 007A5D04
VUUU, xrefs: 007683FA
ERCP, xrefs: 0076813C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: e50d94ed516820dba74abce0b77a4fe8e46190f33e45260ea262c60c41ef8efc
Instruction ID: e66bfccac7632a9474f0c60912296919502fff889e9df721004170420761d079
Opcode Fuzzy Hash: e50d94ed516820dba74abce0b77a4fe8e46190f33e45260ea262c60c41ef8efc
Instruction Fuzzy Hash: 34A27271E0061ACBDF64CF58C8447AEB7B1BF95310F24829AEC16A7285EB789D81CF51

Function 0077997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00779A4E
GetSysColor.USER32(0000000F), ref: 00779B23
SetBkColor.GDI32(?,00000000), ref: 00779B36

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3cee0028e0cf394f72806b650dc5d87e59e215d872631b7b56362dc0eda9f6bc
Instruction ID: 91ceb991548dd903d7664474e65ce7d2b4ecf3b07d2e39ed1810e7f8b6f5efc3
Opcode Fuzzy Hash: 3cee0028e0cf394f72806b650dc5d87e59e215d872631b7b56362dc0eda9f6bc
Instruction Fuzzy Hash: 3EA1E97020B404FEEF299A2C8C5DFBB2A5DEBC2380B16C119F706C6695CA2D9D11D376

Function 007E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
Part of subcall function 007E304E: _wcslen.LIBCMT ref: 007E309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E185D
WSAGetLastError.WSOCK32 ref: 007E1884
bind.WSOCK32(00000000,?,00000010), ref: 007E18DB
WSAGetLastError.WSOCK32 ref: 007E18E6
closesocket.WSOCK32(00000000), ref: 007E1915

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 91766d07ec17d29c30ddfc3065345656db62ceeac23cd9704880a67a78728eb6
Instruction ID: 3010d0c89cded1c92c5176983d227dee072218bf75e1f678b32047dbaaef74f5
Opcode Fuzzy Hash: 91766d07ec17d29c30ddfc3065345656db62ceeac23cd9704880a67a78728eb6
Instruction Fuzzy Hash: 3951B371A00240DFDB11AF24C88AF6A77E5AB49758F488098F9469F393C779AD41CBA1

Function 007F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007F1CC0
IsWindowEnabled.USER32 ref: 007F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007F1CDB
IsIconic.USER32 ref: 007F1CE9
IsZoomed.USER32 ref: 007F1CF7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: acae5ce49bded223099afac0e4bb2d8dba882901aaa8196ecec3ac32e6515d22
Instruction ID: a68949d6db2694bca585b36a56b3172277f2aefa2087bc89e58e75105147360c
Opcode Fuzzy Hash: acae5ce49bded223099afac0e4bb2d8dba882901aaa8196ecec3ac32e6515d22
Instruction Fuzzy Hash: E221D331740208DFD7218F2AC844B7A7BA5EF85324F998058E946CB351CB79EC42CBA4

Function 007CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 007CAAAC
SetKeyboardState.USER32(00000080), ref: 007CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 007CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 007CAB88

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f7e86045aeb83d57b92701d36fdeb297f5f609326a9387e0faad6859831c3b09
Instruction ID: bd8a4ef1bbc8b239b94f8337edce63ca260a15d89d7ad3b959918f1bddea1d73
Opcode Fuzzy Hash: f7e86045aeb83d57b92701d36fdeb297f5f609326a9387e0faad6859831c3b09
Instruction Fuzzy Hash: 7231F3B0A4024CBEFB358E64CC09FFA7BA6AB44316F04821EF181965D1D77D8D81C766

Function 007DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 007DCE89
GetLastError.KERNEL32(?,00000000), ref: 007DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 007DCEFE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: db487737059a1e37620c747385daa5890675f6450654b882d54bee04e6ba30d4
Instruction ID: ed2ab0c5befae003b4cb3b1fa515d34ce527b38b6f1b6d096ad7eb2e03fd73a6
Opcode Fuzzy Hash: db487737059a1e37620c747385daa5890675f6450654b882d54bee04e6ba30d4
Instruction Fuzzy Hash: 60219DB2500306DBEB22DFA5C949BA777FCEB50354F10841EE546E2251E778EE04DB64

Function 007C8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007C82AA

Strings

|, xrefs: 007C82DA
(, xrefs: 007C82F0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 583882d565fd9245d0459ed0f2878d50c8e1568418e8474096b79a5fe2666a63
Instruction ID: ad4e3cd876c8d828f2d3dcf1fafe35bea8092f338211f12a9d8acf0f5fc26529
Opcode Fuzzy Hash: 583882d565fd9245d0459ed0f2878d50c8e1568418e8474096b79a5fe2666a63
Instruction Fuzzy Hash: 32322374A00605DFCB68CF59C480E6AB7F0FF48710B15856EE59ADB7A1EB74E981CB40

Function 007D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 007D5D17
FindClose.KERNEL32(?), ref: 007D5D5F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1bc90e7e6efc94c73d0dd658a1fe41b487daa91cf65bf13c8744404903150b47
Instruction ID: c458b112d5e243e805efc84af5f95179a0d2b8996ca7df10350185deb9ab8a7f
Opcode Fuzzy Hash: 1bc90e7e6efc94c73d0dd658a1fe41b487daa91cf65bf13c8744404903150b47
Instruction Fuzzy Hash: E5518775604A01DFC714CF28C498AA6B7F5FF09314F14855EE99A8B3A2CB38E804CBA1

Function 00792622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0079271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00792724
UnhandledExceptionFilter.KERNEL32(?), ref: 00792731

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9c764bc902422395cd07518a4b2bd1d1af9fc709366b632b3722c35163e952fe
Instruction ID: 302882d8a03e8b405d8fe2bc258d1352cd57253f01e6adb86c8df56ec701bda1
Opcode Fuzzy Hash: 9c764bc902422395cd07518a4b2bd1d1af9fc709366b632b3722c35163e952fe
Instruction Fuzzy Hash: 1031D57494121CABCB21EF64DD8879CBBB8BF08310F5081EAE41CA7261E7349F858F45

Function 007D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007D5238
SetErrorMode.KERNEL32(00000000), ref: 007D52A1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9edfd3ff17b9b23b5d98e1c13418d79e77703224059283ce94cd58e0e6abb6ba
Instruction ID: 1be38dd9ebccf4d13d21d1d707a6c65f0606c8c742fcb63bd33001a651d0065c
Opcode Fuzzy Hash: 9edfd3ff17b9b23b5d98e1c13418d79e77703224059283ce94cd58e0e6abb6ba
Instruction Fuzzy Hash: 04314175A00518DFDB01DF54D888EADBBB5FF49314F088099E8459B352DB35EC59CB90

Function 007C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0077FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00780668
Part of subcall function 0077FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00780685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
GetLastError.KERNEL32 ref: 007C174A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f5f7f0e5e4e4514f1359b34f4e80c121d95592500568bca6d793458032df8bab
Instruction ID: d1d83aadfb25c8813bc48834cc571445e2e240a6af8c4d895c9736d82a0229fa
Opcode Fuzzy Hash: f5f7f0e5e4e4514f1359b34f4e80c121d95592500568bca6d793458032df8bab
Instruction Fuzzy Hash: 6811CEB2500308FFD728AF54DD8AE6AB7B9EB04754B20C56EE05693242EB74FC41CA24

Function 007CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007CD650

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6cd1536899cee8d137ecf78ee0fb04e775cbc1f0885029f6ac55ecf44ae27161
Instruction ID: a3633e5d1c8e39044a227b532328c02a772ce3697fcb61669a5f906a9189bd48
Opcode Fuzzy Hash: 6cd1536899cee8d137ecf78ee0fb04e775cbc1f0885029f6ac55ecf44ae27161
Instruction Fuzzy Hash: 5E117C71E05228BBDB208F989C44FAFBBBCEB45B50F108126F904E7290C2744A01CBA1

Function 007C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007C16A1
FreeSid.ADVAPI32(?), ref: 007C16B1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 64a5f2e38d5bf422bd72f0de0cc774f6d630f3648fb39473cdc4005160a235fc
Instruction ID: d6539eef14045e790adf7922a5b0dea97edc5d13d03bd654c8cfffe76a7a88ef
Opcode Fuzzy Hash: 64a5f2e38d5bf422bd72f0de0cc774f6d630f3648fb39473cdc4005160a235fc
Instruction Fuzzy Hash: 80F0F97195030DFBDB00DFE49D89EAEBBBCEB04704F504965E501E2181D774AA449A54

Function 0079C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0079C36C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 4ea93b577e93977e5c02a9d814129ddeaad46556bf0d0721a2ba0d936703f1ba
Instruction ID: 9a4fa77bfbe330bcc42668e5a21bb87b9a6a0729fac3849a5583ca677a8908e6
Opcode Fuzzy Hash: 4ea93b577e93977e5c02a9d814129ddeaad46556bf0d0721a2ba0d936703f1ba
Instruction Fuzzy Hash: 2C412772900219AFCF249FB9EC49EBB77B8EB84354F5082A9F905D7181E6749D81CB50

Function 0078CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d72b0d0c41fca111f0fd1c2b132996ee077a0e694047673b2917bd82835d0e86
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E9022D72E401199BDF15DFA9C8806ADFBF1FF48324F258169E919E7380D734A941CBA4

Function 007D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007D6918
FindClose.KERNEL32(00000000), ref: 007D6961

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 16b72fb6d416e6ad50569da13ddf8cc489d250e22f9f926da998a75931e9606c
Instruction ID: 5235fab562d23bc76b54535e115ede71d7e94250a27ce2d8f4ed0e586c2b2c2e
Opcode Fuzzy Hash: 16b72fb6d416e6ad50569da13ddf8cc489d250e22f9f926da998a75931e9606c
Instruction Fuzzy Hash: E4117F716042009FD710DF69D488A26BBE5FF85328F14C69EE8698B7A2C734EC05CB91

Function 007D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007E4891,?,?,00000035,?), ref: 007D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007E4891,?,?,00000035,?), ref: 007D37F4

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f7e401bdfa5522671770c4f1e98aaa1f64d65dec704ac5e955db6e74f3153500
Instruction ID: 5a2f662a4234fad72279026eef1f7d9f3287773a9f96ecb3620e85c21ac399f0
Opcode Fuzzy Hash: f7e401bdfa5522671770c4f1e98aaa1f64d65dec704ac5e955db6e74f3153500
Instruction Fuzzy Hash: 92F0E5B06052296AE72017768D8DFEB3BAEEFC5771F000266F509E2281D9749904C6B1

Function 007CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007CB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 007CB270

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 577edb2a02d7c567d77f192f7b16760430b06ab754ceee1bae79ca304e4d37b0
Instruction ID: 31ebc57e09e8c93de696b88bee00ca8e86037b09576497ed32744abb553f6e06
Opcode Fuzzy Hash: 577edb2a02d7c567d77f192f7b16760430b06ab754ceee1bae79ca304e4d37b0
Instruction Fuzzy Hash: 50F01D7180424DABDB059FA0C806BBE7BB4FF08305F108409F965A6191C37D9615DF94

Function 007C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C11FC), ref: 007C10D4
CloseHandle.KERNEL32(?,?,007C11FC), ref: 007C10E9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c428633bb70fafbe2c2247cd2b1daf5685725367588c9899349efaeaf1f8c4b2
Instruction ID: 2fa46c99acb7360395866b2604a13c4d81ed79c4c89b583e305827a7dd5ed753
Opcode Fuzzy Hash: c428633bb70fafbe2c2247cd2b1daf5685725367588c9899349efaeaf1f8c4b2
Instruction Fuzzy Hash: C8E04F32008600EEEB262B11FD09E7377A9EF04350B10C82DF4A5804B1DB666C90EB54

Function 0076CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 007B0C40

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a4415f5271cdb98e6b9794134181992eb5ea02ca201e46feddf68af8f0bf5ae8
Instruction ID: c08d00d29de3703b337d50008b7cad8e88b5d68a0701f979230b23e106ed6dd1
Opcode Fuzzy Hash: a4415f5271cdb98e6b9794134181992eb5ea02ca201e46feddf68af8f0bf5ae8
Instruction Fuzzy Hash: 4F326A70A00218DBCF15DF94C895BFEB7B5BF05344F148059E847AB292DB79AE49CBA0

Function 0079676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00796766,?,?,00000008,?,?,0079FEFE,00000000), ref: 00796998

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3490a814563acbacab47af7d86cd1b32209eaabd4dfee09c1f3f0ca3561c99eb
Instruction ID: 4f09b7516dd11303a127aaffb744ed59053e1877d0916e97f1cab93f8e764f27
Opcode Fuzzy Hash: 3490a814563acbacab47af7d86cd1b32209eaabd4dfee09c1f3f0ca3561c99eb
Instruction Fuzzy Hash: EBB139716106089FDB19CF28D48AB657BE0FF45364F25C658E8A9CF2A2C739E991CB40

Function 0077B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 007B851F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9c6294b85f717cb31f19ddbd775755571eabcbd102b794072593c5abf193d643
Instruction ID: ff2816fb14bd1f4985fc2b3ed42c0fceb7566e3e89562d82836ba69792220421
Opcode Fuzzy Hash: 9c6294b85f717cb31f19ddbd775755571eabcbd102b794072593c5abf193d643
Instruction Fuzzy Hash: B2124F75900229DBCF64CF58C8807EEB7F5FF48710F14819AE849EB255EB389A81CB91

Function 007DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007DEABD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c544acc820f5b417bded72f3e0817e098b866c25825c363d315125e8ce44722c
Instruction ID: d68c7b4c408bef8f3c2de93a5c64bce48c81e833ea73f7be8267aba83a58101b
Opcode Fuzzy Hash: c544acc820f5b417bded72f3e0817e098b866c25825c363d315125e8ce44722c
Instruction Fuzzy Hash: BAE012312002059FC711EF59D404DAABBE9AF98760F00C416FC46DB351D674A8408B91

Function 007809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007803EE), ref: 007809DA

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e8bf01daa6f9ac14c3718bf3dcdff1fca4d0ebe162ed289b7a3c6f8cf0bd1dbc
Instruction ID: daac9dc25e03a7d5b697878af22665c746b99b1fe0394d889d75c0d22fab9049
Opcode Fuzzy Hash: e8bf01daa6f9ac14c3718bf3dcdff1fca4d0ebe162ed289b7a3c6f8cf0bd1dbc
Instruction Fuzzy Hash:

Function 0078781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0078798B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 965ea658bbacbb71d23ae4d66354fbfce03e3248c71728979c11bbf3124a3dea
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B05189716CC7059BDB3CB968889E7BE27899B12340F780509D887DB282DA1DFE41D352

Function 00796DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9b5c7a03a4fbe59e4357f0455ce1188e77a668ab018563b7dcac512a8b9f09
Instruction ID: e0c9933503b48271d2cf796bc8cd187a70090599352d504470b8e24ff7c312e4
Opcode Fuzzy Hash: 4c9b5c7a03a4fbe59e4357f0455ce1188e77a668ab018563b7dcac512a8b9f09
Instruction Fuzzy Hash: C1324322D39F414DDB679634EC26336A249BFB73C5F15C337E81AB59A6EB28C4838100

Function 0077CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352bdba2f8452111bdb0f8a47f43ff3608e55e3ecbad35d371218e769c3d2998
Instruction ID: f8fa55ba4c14864969f492470435b3c63bea6c54e6a22e016318ed2585fd1da4
Opcode Fuzzy Hash: 352bdba2f8452111bdb0f8a47f43ff3608e55e3ecbad35d371218e769c3d2998
Instruction Fuzzy Hash: 0332F331A002158BDF3BCE28C4A47FD7BA1EB49354F28C56AD45ADB291E63CDD81DB60

Function 00767920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdaace830912d54f928fc1de4c807351b200f4870a2f95c9bd0ece8d796e537
Instruction ID: dc8d595d835ad78a88a456d61fc5d6ecd7332e036c94ca2460ac21d9508a4d26
Opcode Fuzzy Hash: ecdaace830912d54f928fc1de4c807351b200f4870a2f95c9bd0ece8d796e537
Instruction Fuzzy Hash: 9A22E5B0A00609DFDF14CFA8C945AAEB3F6FF45344F248629E816A7291E73D9D15CB50

Function 007691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de65980a3b0f847d03811220abf751ff7ca14b67c2798fd18c61c1d88fbd37f1
Instruction ID: b0f46370c895c76097af60f17bc392e879d409107cbc85dfe6441e02f36ec682
Opcode Fuzzy Hash: de65980a3b0f847d03811220abf751ff7ca14b67c2798fd18c61c1d88fbd37f1
Instruction Fuzzy Hash: 3402C6B1A00205EFDF04DF64D995AAEB7B5FF45300F108169E906DB391EB39AE21CB91

Function 00799EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c66e978804601c325435eb39a139567d0b6b575ffd42b34efbe48c3456df6
Instruction ID: 357f913dbc828cec0c3e504dc875c9390599c5af1d917724e1cec5ec5a689d3b
Opcode Fuzzy Hash: e23c66e978804601c325435eb39a139567d0b6b575ffd42b34efbe48c3456df6
Instruction Fuzzy Hash: 28B12320D2AF404DD76396399871336B65CBFBB2C5F92D31BFC2674E22EB2286834140

Function 00787A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6418eda41777fcb2cb65a1d1077e6721f7eb03610c57c113b02db7ab70e64f0d
Instruction ID: 53346e3a860d382ce313e3272f0b94a126769ee6d93e0693056a4772d14e9968
Opcode Fuzzy Hash: 6418eda41777fcb2cb65a1d1077e6721f7eb03610c57c113b02db7ab70e64f0d
Instruction Fuzzy Hash: 43618AB12C870996DA3CBA2C8C99BBE679ADF51700F34491DE843DB281D61DDE42C367

Function 00787CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d22fe536e57e1f332a28f44d3e43ae3c02f86ca58219abc5a8a3f7a145b57a
Instruction ID: b49ec23ec39949e7847043927fe3d016b279e94d3f188e79a8c79bc2bd0e6fd0
Opcode Fuzzy Hash: f3d22fe536e57e1f332a28f44d3e43ae3c02f86ca58219abc5a8a3f7a145b57a
Instruction Fuzzy Hash: D9616C317CC70996DA3C79284859BBF23849F42744F741959E943DB281E61DED41C376

Function 007D2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3847a67af38ed8a73b52c11f9737d5b48e606532999d227228475ae95585fc
Instruction ID: 1afaeb50f71f252419aba2a05e138ff762e2e300edc86395a01a9ae9a0a60354
Opcode Fuzzy Hash: ea3847a67af38ed8a73b52c11f9737d5b48e606532999d227228475ae95585fc
Instruction Fuzzy Hash: 4B21AB326205118BDB28CE79C81367A73E5B7A4310F15892EE4A7C37D1DE399905C740

Function 007E2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007E2B30
DeleteObject.GDI32(00000000), ref: 007E2B43
DestroyWindow.USER32 ref: 007E2B52
GetDesktopWindow.USER32 ref: 007E2B6D
GetWindowRect.USER32(00000000), ref: 007E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2CF8
GetClientRect.USER32(00000000,?), ref: 007E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D80
GlobalLock.KERNEL32(00000000), ref: 007E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D98
GlobalUnlock.KERNEL32(00000000), ref: 007E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2DA8
GlobalFree.KERNEL32(00000000), ref: 007E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007FFC38,00000000), ref: 007E2DDB
GlobalFree.KERNEL32(00000000), ref: 007E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E303F

Strings

DISPLAY, xrefs: 007E2EA2
, xrefs: 007E2FC5
AutoIt v3, xrefs: 007E2CF2
static, xrefs: 007E2D3A, 007E2E91

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 565b48acd1ab916f5d8520048c4029b99b30d92140ed91c96b7c0cd6170b743c
Instruction ID: f8e309d78e7bc9b753fe7f95f33a8224676aec0343b65385a19d5c6eb495bdd8
Opcode Fuzzy Hash: 565b48acd1ab916f5d8520048c4029b99b30d92140ed91c96b7c0cd6170b743c
Instruction Fuzzy Hash: 1A029D71500208EFDB15DF64CD89EAE7BB9FF48710F008558F916AB2A2DB78AD01CB60

Function 007F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007F712F
GetSysColorBrush.USER32(0000000F), ref: 007F7160
GetSysColor.USER32(0000000F), ref: 007F716C
SetBkColor.GDI32(?,000000FF), ref: 007F7186
SelectObject.GDI32(?,?), ref: 007F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007F71C0
GetSysColor.USER32(00000010), ref: 007F71C8
CreateSolidBrush.GDI32(00000000), ref: 007F71CF
FrameRect.USER32(?,?,00000000), ref: 007F71DE
DeleteObject.GDI32(00000000), ref: 007F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007F7230
FillRect.USER32(?,?,?), ref: 007F7262
GetWindowLongW.USER32(?,000000F0), ref: 007F7284

Part of subcall function 007F73E8: GetSysColor.USER32(00000012), ref: 007F7421
Part of subcall function 007F73E8: SetTextColor.GDI32(?,?), ref: 007F7425
Part of subcall function 007F73E8: GetSysColorBrush.USER32(0000000F), ref: 007F743B
Part of subcall function 007F73E8: GetSysColor.USER32(0000000F), ref: 007F7446
Part of subcall function 007F73E8: GetSysColor.USER32(00000011), ref: 007F7463
Part of subcall function 007F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007F7471
Part of subcall function 007F73E8: SelectObject.GDI32(?,00000000), ref: 007F7482
Part of subcall function 007F73E8: SetBkColor.GDI32(?,00000000), ref: 007F748B
Part of subcall function 007F73E8: SelectObject.GDI32(?,?), ref: 007F7498
Part of subcall function 007F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007F74B7
Part of subcall function 007F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007F74CE
Part of subcall function 007F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007F74DB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6e4a34a367a3fbd66c21deacc70b8ea68d5b5cef2d888ef2f949042f0f84299c
Instruction ID: 488736ded57737b783c7c162da006f421ea4425388e96c738d1a089a2f4f7d14
Opcode Fuzzy Hash: 6e4a34a367a3fbd66c21deacc70b8ea68d5b5cef2d888ef2f949042f0f84299c
Instruction Fuzzy Hash: B1A1B172008309EFDB059F60DD48E7B7BA9FF88320F204A19FA62961E1D778E854CB51

Function 007E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007E2900
GetClientRect.USER32(00000000,?), ref: 007E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E2964
GetStockObject.GDI32(00000011), ref: 007E2974
SelectObject.GDI32(00000000,00000000), ref: 007E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E2991
DeleteDC.GDI32(00000000), ref: 007E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007E2A77
GetStockObject.GDI32(00000011), ref: 007E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007E2A97

Strings

DISPLAY, xrefs: 007E295A
msctls_progress32, xrefs: 007E2A13
AutoIt v3, xrefs: 007E28F8
static, xrefs: 007E294F, 007E2A71

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: be8dd9fe378b8507d4d0c4f713b8be9aede5fc20df61510ae712f49730cd8370
Instruction ID: b801e4ba4041cccd5ad6c02c65432240ecd4fc1a07089a77d084d7fcad47a1a9
Opcode Fuzzy Hash: be8dd9fe378b8507d4d0c4f713b8be9aede5fc20df61510ae712f49730cd8370
Instruction Fuzzy Hash: 64B17EB1A00209AFEB14DF68CD49FAE7BA9FB48714F008514FA15E7291D778ED40CBA4

Function 007D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D4AED
GetDriveTypeW.KERNEL32(?,007FCB68,?,\\.\,007FCC08), ref: 007D4BCA
SetErrorMode.KERNEL32(00000000,007FCB68,?,\\.\,007FCC08), ref: 007D4D36

Strings

CDROM, xrefs: 007D4BFB
USB, xrefs: 007D4CB4
1394, xrefs: 007D4C9F
RAMDisk, xrefs: 007D4BF4
Unknown, xrefs: 007D4BED, 007D4C83
MMC, xrefs: 007D4CDE
Virtual, xrefs: 007D4CE5
ATA, xrefs: 007D4C98
Removable, xrefs: 007D4C10, 007D4C15
SCSI, xrefs: 007D4C8A
iSCSI, xrefs: 007D4CC2
SAS, xrefs: 007D4CC9
\\.\, xrefs: 007D4B3F
SATA, xrefs: 007D4CD0
PhysicalDrive, xrefs: 007D4B76
Fibre, xrefs: 007D4CAD
RAID, xrefs: 007D4CBB
ATAPI, xrefs: 007D4C91
SSD, xrefs: 007D4C4A
Fixed, xrefs: 007D4C09
FileBackedVirtual, xrefs: 007D4CEC
Network, xrefs: 007D4C02
SSA, xrefs: 007D4CA6

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 62a0073c368ffc81cf5f1e08f148f0906ddab75c9d480fbaa8a14ea54f31e43e
Instruction ID: e7a3b9e1da4fd9996f27dca68e8decfc5c8709b1b8fc637c0859205cc5c1636a
Opcode Fuzzy Hash: 62a0073c368ffc81cf5f1e08f148f0906ddab75c9d480fbaa8a14ea54f31e43e
Instruction Fuzzy Hash: 5A61BF3061610ADBCB04DF24DA9597877B1FB04344B248417F80AEB791EB3EED91DB61

Function 007F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007F7421
SetTextColor.GDI32(?,?), ref: 007F7425
GetSysColorBrush.USER32(0000000F), ref: 007F743B
GetSysColor.USER32(0000000F), ref: 007F7446
CreateSolidBrush.GDI32(?), ref: 007F744B
GetSysColor.USER32(00000011), ref: 007F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007F7471
SelectObject.GDI32(?,00000000), ref: 007F7482
SetBkColor.GDI32(?,00000000), ref: 007F748B
SelectObject.GDI32(?,?), ref: 007F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007F7572
DrawFocusRect.USER32(?,?), ref: 007F757D
GetSysColor.USER32(00000011), ref: 007F758E
SetTextColor.GDI32(?,00000000), ref: 007F7596
DrawTextW.USER32(?,007F70F5,000000FF,?,00000000), ref: 007F75A8
SelectObject.GDI32(?,?), ref: 007F75BF
DeleteObject.GDI32(?), ref: 007F75CA
SelectObject.GDI32(?,?), ref: 007F75D0
DeleteObject.GDI32(?), ref: 007F75D5
SetTextColor.GDI32(?,?), ref: 007F75DB
SetBkColor.GDI32(?,?), ref: 007F75E5

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b07ea902340fff9fb2b673f3175420a62c7564c25852d43fad20e78475c3f0a5
Instruction ID: a417778adb43a7bc9a37a116d5b7f810811bdaa36c7deb7f737c77e34f3484fb
Opcode Fuzzy Hash: b07ea902340fff9fb2b673f3175420a62c7564c25852d43fad20e78475c3f0a5
Instruction Fuzzy Hash: C2616F7290421CAFDF059FA4DD49EFE7FB9EB08320F208115FA15AB2A1D7789950CB94

Function 007F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F1128
GetDesktopWindow.USER32 ref: 007F113D
GetWindowRect.USER32(00000000), ref: 007F1144
GetWindowLongW.USER32(?,000000F0), ref: 007F1199
DestroyWindow.USER32(?), ref: 007F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007F1245
IsWindowVisible.USER32(00000000), ref: 007F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007F12D0
GetWindowRect.USER32(00000000,?), ref: 007F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007F130E
GetMonitorInfoW.USER32(00000000,?), ref: 007F1328
CopyRect.USER32(?,?), ref: 007F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007F13AA

Strings

0, xrefs: 007F10D3
(, xrefs: 007F131B
tooltips_class32, xrefs: 007F11E6

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5935befebe474a09e5f7a23f5cd4e9d7c74053be73eac35fdb525d04e3ebf3eb
Instruction ID: 4cef964b3305854ac35c8742f007ee4767e4d67264d2d094890dcd1c97ccce0b
Opcode Fuzzy Hash: 5935befebe474a09e5f7a23f5cd4e9d7c74053be73eac35fdb525d04e3ebf3eb
Instruction Fuzzy Hash: 20B1AE71608345EFD704DF64C988B6ABBE4FF88350F40891CFA9A9B261DB75E844CB91

Function 007F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F02E5
_wcslen.LIBCMT ref: 007F031F
_wcslen.LIBCMT ref: 007F0389
_wcslen.LIBCMT ref: 007F03F1
_wcslen.LIBCMT ref: 007F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007F0504

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

Part of subcall function 007C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C2258
Part of subcall function 007C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C228A

Strings

SELECTALL, xrefs: 007F0515
DESELECT, xrefs: 007F059C
GETSELECTEDCOUNT, xrefs: 007F0470, 007F048B
GETSELECTED, xrefs: 007F05E1
ISSELECTED, xrefs: 007F04DD
SELECTINVERT, xrefs: 007F057E
SELECTCLEAR, xrefs: 007F052D
SELECT, xrefs: 007F0548
GETTEXT, xrefs: 007F03EC, 007F0407
FINDITEM, xrefs: 007F0627
VIEWCHANGE, xrefs: 007F0675
GETSUBITEMCOUNT, xrefs: 007F0384, 007F039F
GETITEMCOUNT, xrefs: 007F0316, 007F0337

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: cf4f969b87acee1fb7603eb4a06750a7415fb57673b3a5ca5b974ea0187539d0
Instruction ID: ad21a001d65ede46e45a1c30c6446365f42fc1b9dd732e3becc6eb24b3ca61c7
Opcode Fuzzy Hash: cf4f969b87acee1fb7603eb4a06750a7415fb57673b3a5ca5b974ea0187539d0
Instruction Fuzzy Hash: 88E1BC31208245CFCB14DF24C55497AB3E6BF88314B14895DFA96EB3A2DB38ED85CB81

Function 00778891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00778968
GetSystemMetrics.USER32(00000007), ref: 00778970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0077899B
GetSystemMetrics.USER32(00000008), ref: 007789A3
GetSystemMetrics.USER32(00000004), ref: 007789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00778A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00778A3C
GetClientRect.USER32(00000000,000000FF), ref: 00778A5A
GetStockObject.GDI32(00000011), ref: 00778A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00778A81

Part of subcall function 0077912D: GetCursorPos.USER32(?), ref: 00779141
Part of subcall function 0077912D: ScreenToClient.USER32(00000000,?), ref: 0077915E
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000001), ref: 00779183
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000002), ref: 0077919D

SetTimer.USER32(00000000,00000000,00000028,007790FC), ref: 00778AA8

Strings

AutoIt v3 GUI, xrefs: 00778A20

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f28a1f2b51005cb6877a514a5b7cdca04aaeaafad69c3a8dda5452759f50d1f1
Instruction ID: e8cc0d4d278c8e7f8e2081748af1800d74343363a26404630ddf03b95568fcb8
Opcode Fuzzy Hash: f28a1f2b51005cb6877a514a5b7cdca04aaeaafad69c3a8dda5452759f50d1f1
Instruction Fuzzy Hash: 9EB17B71A00209DFDF14DFA8CD49BAA7BB5FB48714F108129FA15AB290DB38A840CF55

Function 007C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
Part of subcall function 007C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
Part of subcall function 007C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
Part of subcall function 007C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C0E29
GetLengthSid.ADVAPI32(?), ref: 007C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 007C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C0E96
GetLengthSid.ADVAPI32(?), ref: 007C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007C0EB5
HeapAlloc.KERNEL32(00000000), ref: 007C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C0EDD
CopySid.ADVAPI32(00000000), ref: 007C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F6E
HeapFree.KERNEL32(00000000), ref: 007C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F7E
HeapFree.KERNEL32(00000000), ref: 007C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F8E
HeapFree.KERNEL32(00000000), ref: 007C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 007C0FA1
HeapFree.KERNEL32(00000000), ref: 007C0FA8

Part of subcall function 007C1193: GetProcessHeap.KERNEL32(00000008,007C0BB1,?,00000000,?,007C0BB1,?), ref: 007C11A1
Part of subcall function 007C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007C0BB1,?), ref: 007C11A8
Part of subcall function 007C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007C0BB1,?), ref: 007C11B7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45018626a1bb57833ddb857ddf37099f1010e5344f58c2f4ebf9cbdf952e11b9
Instruction ID: dd29ca3f0fa496de5e329d7f12edf842008cdbbcbcea1fb27dcc4ec1d5c8ec69
Opcode Fuzzy Hash: 45018626a1bb57833ddb857ddf37099f1010e5344f58c2f4ebf9cbdf952e11b9
Instruction Fuzzy Hash: CF715C7290020AEBDF219FA4DD49FBEBBB8BF05300F04811DF919E6191D7399A55CBA0

Function 007EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007FCC08,00000000,?,00000000,?,?), ref: 007EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007EC5A4
_wcslen.LIBCMT ref: 007EC5F4
_wcslen.LIBCMT ref: 007EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007EC84D
RegCloseKey.ADVAPI32(?), ref: 007EC881
RegCloseKey.ADVAPI32(00000000), ref: 007EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007EC960

Strings

REG_BINARY, xrefs: 007EC913
REG_MULTI_SZ, xrefs: 007EC6F5
REG_EXPAND_SZ, xrefs: 007EC5CD
REG_SZ, xrefs: 007EC644
REG_QWORD, xrefs: 007EC8C3
REG_DWORD, xrefs: 007EC804

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ba4a0ccf25e7287b5df08c7cd2587379beaf7301b8a4c96687e8d0f1bf91d36e
Instruction ID: cd35943119612fb305aa7a2ff701dd5bc04c49dd56622cf5ccbca150930ab275
Opcode Fuzzy Hash: ba4a0ccf25e7287b5df08c7cd2587379beaf7301b8a4c96687e8d0f1bf91d36e
Instruction Fuzzy Hash: AE126735204241DFD716DF15C885A2AB7E5EF88714F14889DF88A9B3A2DB39FD42CB81

Function 007F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F09C6
_wcslen.LIBCMT ref: 007F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F0A54
_wcslen.LIBCMT ref: 007F0A8A
_wcslen.LIBCMT ref: 007F0B06
_wcslen.LIBCMT ref: 007F0B81

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

Part of subcall function 007C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007C2BFA

Strings

SELECT, xrefs: 007F0D11
GETTOTALCOUNT, xrefs: 007F09F2, 007F0A17
UNCHECK, xrefs: 007F0D3E
COLLAPSE, xrefs: 007F0B01, 007F0B1C
GETTEXT, xrefs: 007F0C97
EXPAND, xrefs: 007F0BF8
CHECK, xrefs: 007F0A85, 007F0AA0
GETSELECTED, xrefs: 007F0C4E
ISCHECKED, xrefs: 007F0CE1
EXISTS, xrefs: 007F0B7C, 007F0B97
GETITEMCOUNT, xrefs: 007F0C1E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a34c8c5db017998f2db2db5f0cabf0d0505a6d97893ef7d0feef4b97d2d68f45
Instruction ID: f161bf900b9978b0fc0d0eb9db7ad2fb25490a72a85ed19609b38575d81341b5
Opcode Fuzzy Hash: a34c8c5db017998f2db2db5f0cabf0d0505a6d97893ef7d0feef4b97d2d68f45
Instruction Fuzzy Hash: 40E18835208305DFCB14DF24C45493AB7E2BF98358B14899DF99AAB3A2D738ED45CB81

Function 007EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
_wcslen.LIBCMT ref: 007EC9F1
_wcslen.LIBCMT ref: 007ECA68
_wcslen.LIBCMT ref: 007ECA9E
_wcslen.LIBCMT ref: 007ECAF9
_wcslen.LIBCMT ref: 007ECB2F
_wcslen.LIBCMT ref: 007ECB7F

Strings

HKCU, xrefs: 007ECBCE
HKEY_CURRENT_USER, xrefs: 007ECBBD
HKEY_USERS, xrefs: 007ECBDF
HKU, xrefs: 007ECBF0
HKCR, xrefs: 007ECB29, 007ECB2E
HKEY_CURRENT_CONFIG, xrefs: 007ECB79, 007ECB7E
HKEY_CLASSES_ROOT, xrefs: 007ECAF3, 007ECAF8
HKCC, xrefs: 007ECBAC
HKLM, xrefs: 007ECA98, 007ECA9D
HKEY_LOCAL_MACHINE, xrefs: 007ECA62, 007ECA67

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0d221cf2e70f7b221c8a1a557eab7add8c5e4837a998df7478203bfd1b028f6e
Instruction ID: 9bae8768ae60f69510816327682f04282073605c6b56cab2dd9fc4dbfc8e3345
Opcode Fuzzy Hash: 0d221cf2e70f7b221c8a1a557eab7add8c5e4837a998df7478203bfd1b028f6e
Instruction Fuzzy Hash: AC714B766011AA8BCB22DE7ECD415BF3395AF68754B204134FC66E7284E63CDD86C3A0

Function 007F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007F835A
_wcslen.LIBCMT ref: 007F836E
_wcslen.LIBCMT ref: 007F8391
_wcslen.LIBCMT ref: 007F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007F5BF2), ref: 007F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007F8501
FreeLibrary.KERNEL32(?), ref: 007F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007F851D
DestroyIcon.USER32(?,?,?,?,?,007F5BF2), ref: 007F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007F8555

Strings

.dll, xrefs: 007F83AB
.icl, xrefs: 007F8368
.exe, xrefs: 007F8388

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 96c9c7caf3d78c87e615863cf0ac8948421d2a6494d0349162168f171a641f96
Instruction ID: 74e6eb0fac58f0bbf0ea0231e9d21c7f0d1dc0551c5cd412e13ef64ca8e1ab1e
Opcode Fuzzy Hash: 96c9c7caf3d78c87e615863cf0ac8948421d2a6494d0349162168f171a641f96
Instruction Fuzzy Hash: 9761F27154021AFBEB14DF64CC45BBE77A8FF04B20F108509F915D62D1DBB8A990C7A0

Function 00767778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0076785F, 007678B1
Cannot parse #include, xrefs: 007A5279
#include, xrefs: 00767847
#pragma compile, xrefs: 007677D3
#cs, xrefs: 00767873, 007678C5
#requireadmin, xrefs: 007677FF
#ce, xrefs: 007678ED
", xrefs: 007A5153
#notrayicon, xrefs: 007677E7
Unterminated group of comments, xrefs: 007A528C
#OnAutoItStartRegister, xrefs: 00767817
#comments-end, xrefs: 007678D9
Bad directive syntax error, xrefs: 007A519A
#include-once, xrefs: 0076782F
', xrefs: 007A5169

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f39e8daa1561e3213b422713e3e4074b694dca0a201011935d65cfaf0845bc97
Instruction ID: 39c0f8f083614740201adbe7204402ee8d353e9333b6f25fd20887f33d970a16
Opcode Fuzzy Hash: f39e8daa1561e3213b422713e3e4074b694dca0a201011935d65cfaf0845bc97
Instruction Fuzzy Hash: DB81D1B1644209EBDB25AF60CC46FBE37A8BF55344F144024FE06AB292EB7C9911C7A1

Function 007D3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007D3EF8
_wcslen.LIBCMT ref: 007D3F03
_wcslen.LIBCMT ref: 007D3F5A
_wcslen.LIBCMT ref: 007D3F98
GetDriveTypeW.KERNEL32(?), ref: 007D3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D4087

Strings

closed, xrefs: 007D3F08, 007D3F2D, 007D3F46, 007D3F7E, 007D3F97
open , xrefs: 007D3FE5
close cd wait, xrefs: 007D4072
type cdaudio alias cd wait, xrefs: 007D4001
close, xrefs: 007D3EFE, 007D3F18
open, xrefs: 007D3F54, 007D3F59
set cd door , xrefs: 007D4028
wait, xrefs: 007D4044

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 558e2e152d7704173980a05c1e40560cf85a7db4a183c3d4c2bfe0093437949f
Instruction ID: 204a4395da722e7c45c76c8c7a8b7a3c53bd5fc4d260bda5f87b52e38b507a48
Opcode Fuzzy Hash: 558e2e152d7704173980a05c1e40560cf85a7db4a183c3d4c2bfe0093437949f
Instruction Fuzzy Hash: 5471DF326042169FC710EF24C88086AB7F4FF94758F10492EF99693351EB38ED45CB92

Function 007C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007C5A40
SetWindowTextW.USER32(?,?), ref: 007C5A57
GetDlgItem.USER32(?,000003EA), ref: 007C5A6C
SetWindowTextW.USER32(00000000,?), ref: 007C5A72
GetDlgItem.USER32(?,000003E9), ref: 007C5A82
SetWindowTextW.USER32(00000000,?), ref: 007C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007C5AC3
GetWindowRect.USER32(?,?), ref: 007C5ACC
_wcslen.LIBCMT ref: 007C5B33
SetWindowTextW.USER32(?,?), ref: 007C5B6F
GetDesktopWindow.USER32 ref: 007C5B75
GetWindowRect.USER32(00000000), ref: 007C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 007C5BD3
GetClientRect.USER32(?,?), ref: 007C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 007C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007C5C2F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 64e484b2ab770cdf35c7307df860bb903abf17a0fe40cde32595e60ae6b400bc
Instruction ID: a757cdf15367bba8fd7a7a74b18d1369fc8952990e3be53cb7ae4499d9a5f2b1
Opcode Fuzzy Hash: 64e484b2ab770cdf35c7307df860bb903abf17a0fe40cde32595e60ae6b400bc
Instruction Fuzzy Hash: C5714A71900A09AFDB21DFA9CE85FAEBBF5FF48704F10461CE142A25A0D779B944CB54

Function 007DFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007DFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 007DFE32
LoadCursorW.USER32(00000000,00007F00), ref: 007DFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 007DFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 007DFE53
LoadCursorW.USER32(00000000,00007F01), ref: 007DFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 007DFE69
LoadCursorW.USER32(00000000,00007F88), ref: 007DFE74
LoadCursorW.USER32(00000000,00007F80), ref: 007DFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 007DFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 007DFE95
LoadCursorW.USER32(00000000,00007F85), ref: 007DFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 007DFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 007DFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 007DFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 007DFECC
GetCursorInfo.USER32(?), ref: 007DFEDC
GetLastError.KERNEL32 ref: 007DFF1E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 51397e8de75be6ae8b2dd14e04727d7bd43f0fbe1fdabace00ba39bd42c6c8f6
Instruction ID: 978eafe8584baaf37d8547bee18a6e45fe34a9e0d904532c24a2f746ee7b5251
Opcode Fuzzy Hash: 51397e8de75be6ae8b2dd14e04727d7bd43f0fbe1fdabace00ba39bd42c6c8f6
Instruction Fuzzy Hash: 224124B0D04319AADB109FBA8C89C6EBFF8FF04754B54452AE51DE7281DB789901CE91

Function 007800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007800C6

Part of subcall function 007800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0083070C,00000FA0,09E877C1,?,?,?,?,007A23B3,000000FF), ref: 0078011C
Part of subcall function 007800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007A23B3,000000FF), ref: 00780127
Part of subcall function 007800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007A23B3,000000FF), ref: 00780138
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0078014E
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0078015C
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0078016A
Part of subcall function 007800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00780195
Part of subcall function 007800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007801A0

___scrt_fastfail.LIBCMT ref: 007800E7

Part of subcall function 007800A3: __onexit.LIBCMT ref: 007800A9

Strings

kernel32.dll, xrefs: 00780133
InitializeConditionVariable, xrefs: 00780148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00780122
WakeAllConditionVariable, xrefs: 00780162
SleepConditionVariableCS, xrefs: 00780154

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e1e464b02618824ac9500c1223d3f65ac03174afb92702824d6c7f3fb6e5324d
Instruction ID: 482502e1b172535154e95329b980e7f3d19a96d0dfdd88fdde9c403bb2c7d5bc
Opcode Fuzzy Hash: e1e464b02618824ac9500c1223d3f65ac03174afb92702824d6c7f3fb6e5324d
Instruction Fuzzy Hash: C5210772A8070DABE7516B64AD1DB3D3394EF45BA0F004525F90192391DFAC9804CBD4

Function 007C30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C318D
_wcslen.LIBCMT ref: 007C31F8

Strings

CLASSNN, xrefs: 007C31F3, 007C3204
REGEXPCLASS, xrefs: 007C3255, 007C3266
TEXT, xrefs: 007C347C
CLASS, xrefs: 007C3188, 007C31A5
INSTANCE, xrefs: 007C3453
NAME, xrefs: 007C3335, 007C3346

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 32f93681b2efce1c3a45721c64d5938c678ae4f129a085908617c134fdc9368d
Instruction ID: bc18df5368729ed222c56335c4b5881bf9486c8f07cc93defc1e703c08fc0451
Opcode Fuzzy Hash: 32f93681b2efce1c3a45721c64d5938c678ae4f129a085908617c134fdc9368d
Instruction Fuzzy Hash: 4CE19132A00526EBCB189FB8C455FFDBBA4BF54710F54C11EE956E7240DB38AE858B90

Function 007D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007FCC08), ref: 007D4527
_wcslen.LIBCMT ref: 007D453B
_wcslen.LIBCMT ref: 007D4599
_wcslen.LIBCMT ref: 007D45F4
_wcslen.LIBCMT ref: 007D463F
_wcslen.LIBCMT ref: 007D46A7

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

GetDriveTypeW.KERNEL32(?,00826BF0,00000061), ref: 007D4743

Strings

all, xrefs: 007D4531, 007D4536
removable, xrefs: 007D45EA, 007D45EF
unknown, xrefs: 007D4708
cdrom, xrefs: 007D458F, 007D4594
network, xrefs: 007D469D, 007D46A2
fixed, xrefs: 007D4635, 007D463A
ramdisk, xrefs: 007D46F1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 73a3e093ce13f340c1c3c64c1bf4c843e399e0bdc560250283478c329ddbed86
Instruction ID: 9aca1d46f604ca73eacf9eb524350d8c75bf261a64b82e03771acb924ee5cc53
Opcode Fuzzy Hash: 73a3e093ce13f340c1c3c64c1bf4c843e399e0bdc560250283478c329ddbed86
Instruction Fuzzy Hash: 6DB1DD316083029FC710DF28D894A6AB7F5BFA5760F50491EF59AD7391E738D844CBA2

Function 007DC476 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 007DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007DC5F0
InternetCloseHandle.WININET(00000000), ref: 007DC5FB

Strings

, xrefs: 007DC575
InitializeCriticalSectionEx, xrefs: 007DC490

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID: $InitializeCriticalSectionEx
API String ID: 3800310941-1081632753
Opcode ID: 0d4b59703ab769b4448a86ba193cbdeb34f0d51d03222def3eb0e73c5963e056
Instruction ID: 07c6731cfc7dcad94a969e0b599c3d21a366333d71218f6069d2eb2ac051ab08
Opcode Fuzzy Hash: 0d4b59703ab769b4448a86ba193cbdeb34f0d51d03222def3eb0e73c5963e056
Instruction Fuzzy Hash: 105160B150020ABFDB229F60D948ABB7BFCFF08754F14851AF946D6250DB38E954DB60

Function 0076326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00831990), ref: 007A2F8D
GetMenuItemCount.USER32(00831990), ref: 007A303D
GetCursorPos.USER32(?), ref: 007A3081
SetForegroundWindow.USER32(00000000), ref: 007A308A
TrackPopupMenuEx.USER32(00831990,00000000,?,00000000,00000000,00000000), ref: 007A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007A30A9

Strings

0, xrefs: 0076327D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cbc45bdb1697be619832d3e773fd88796f900b76dd097befcabe522e19de7a4a
Instruction ID: a956d8eaa7063e716288181e22cbd0f11255d24a8d232e611f63d4785b425124
Opcode Fuzzy Hash: cbc45bdb1697be619832d3e773fd88796f900b76dd097befcabe522e19de7a4a
Instruction Fuzzy Hash: DC714B70644209BFEB258F28CC49FAABF65FF45324F204306F925AA1E1C7B9AD54DB50

Function 007F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007F6DEB

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F6E94
DestroyWindow.USER32(?), ref: 007F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00760000,00000000), ref: 007F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F6EFD
GetDesktopWindow.USER32 ref: 007F6F16
GetWindowRect.USER32(00000000), ref: 007F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007F6F4D

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

Strings

0, xrefs: 007F6D98
tooltips_class32, xrefs: 007F6E58, 007F6EDD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: ee2dff219cb29b8675219472af09d590b26ba53972d1679065e413d879ad4c7c
Instruction ID: 86459960309078f97582e4e4c74e000c1a03540f0e7b35dc1733dde336afed07
Opcode Fuzzy Hash: ee2dff219cb29b8675219472af09d590b26ba53972d1679065e413d879ad4c7c
Instruction Fuzzy Hash: E9716671104248AFDB21CF18D848BBABBE9FB89704F44481DFA9987361C778ED06CB15

Function 007F911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DragQueryPoint.SHELL32(?,?), ref: 007F9147

Part of subcall function 007F7674: ClientToScreen.USER32(?,?), ref: 007F769A
Part of subcall function 007F7674: GetWindowRect.USER32(?,?), ref: 007F7710
Part of subcall function 007F7674: PtInRect.USER32(?,?,007F8B89), ref: 007F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007F9277
DragFinish.SHELL32(?), ref: 007F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007F9371

Strings

@GUI_DRAGID, xrefs: 007F92E9
@GUI_DROPID, xrefs: 007F929E
@GUI_DRAGFILE, xrefs: 007F9320

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2b20001bfab67103f29ee0df39a1e30db5368f8ba96deaf58fdbaf3fba625f47
Instruction ID: ea3681cf2b25b21df336b0c989894356df3ca58b350a89760062288c174039f7
Opcode Fuzzy Hash: 2b20001bfab67103f29ee0df39a1e30db5368f8ba96deaf58fdbaf3fba625f47
Instruction Fuzzy Hash: 84615C71108305AFC701DF64DD89DAFBBE8FF88750F00491DFA96922A1DB749A49CB52

Function 007F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 007F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85BA
GlobalLock.KERNEL32(00000000), ref: 007F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85D7
GlobalUnlock.KERNEL32(00000000), ref: 007F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,007FFC38,?), ref: 007F8611
GlobalFree.KERNEL32(00000000), ref: 007F8621
GetObjectW.GDI32(?,00000018,?), ref: 007F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007F8671
DeleteObject.GDI32(?), ref: 007F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007F86AF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2dc84a27a137528be698d529991fc4f2ff68d5930dfc245944e50e3d9ae4d5fa
Instruction ID: 8bd78d76cca2affd9d772f6f653c065ab8ff6c6ec54447c73274e52afc18e619
Opcode Fuzzy Hash: 2dc84a27a137528be698d529991fc4f2ff68d5930dfc245944e50e3d9ae4d5fa
Instruction Fuzzy Hash: E3410775600208EFDB12DFA5CD48EBA7BB8FF89B51F108058F905EB260DB389901DB65

Function 007D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007D1502
VariantCopy.OLEAUT32(?,?), ref: 007D150B
VariantClear.OLEAUT32(?), ref: 007D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007D1657
VariantInit.OLEAUT32(?), ref: 007D1708
SysFreeString.OLEAUT32(?), ref: 007D178C
VariantClear.OLEAUT32(?), ref: 007D17D8
VariantClear.OLEAUT32(?), ref: 007D17E7
VariantInit.OLEAUT32(00000000), ref: 007D1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007D1625
Default, xrefs: 007D16AF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f14fe3a0f56db4025e42c7ce11b7ce3c446698ef873a8354a4241e8b3ded8f8e
Instruction ID: 922aec4d8a84d966dd7e2d9dd20f086fa77e05e95f30f49512f65a4120f64062
Opcode Fuzzy Hash: f14fe3a0f56db4025e42c7ce11b7ce3c446698ef873a8354a4241e8b3ded8f8e
Instruction Fuzzy Hash: 3BD1ED72A00215FBDB109F65E889B79B7B5BF45700F94805BE847AB290DB3CEC60DB61

Function 007EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007EB80A
RegCloseKey.ADVAPI32(?), ref: 007EB87E
RegCloseKey.ADVAPI32(?), ref: 007EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007EB922
FreeLibrary.KERNEL32(00000000), ref: 007EB983
RegCloseKey.ADVAPI32(00000000), ref: 007EB994

Strings

advapi32.dll, xrefs: 007EB8ED
RegDeleteKeyExW, xrefs: 007EB8FE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d9aef12bedbf30e89a43891e01f4948c1d60f8d82bff637b5f542913ebe241f9
Instruction ID: 26c757eeb700d7c29a11fec2c7d9de9d98027b15b9c8269b85340cd1820c927b
Opcode Fuzzy Hash: d9aef12bedbf30e89a43891e01f4948c1d60f8d82bff637b5f542913ebe241f9
Instruction Fuzzy Hash: 2DC18D30205241EFD711DF15C498F2ABBE5BF88318F14849CE59A8B7A2CB79EC45CB91

Function 007E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007E25E8
CreateCompatibleDC.GDI32(?), ref: 007E25F4
SelectObject.GDI32(00000000,?), ref: 007E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007E26D0
SelectObject.GDI32(?,?), ref: 007E26D8
DeleteObject.GDI32(?), ref: 007E26E1
DeleteDC.GDI32(?), ref: 007E26E8
ReleaseDC.USER32(00000000,?), ref: 007E26F3

Strings

(, xrefs: 007E268D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e257653613408a09136b365fbceb762e5c940aeadd782f878c4e4905cbdffc7b
Instruction ID: 071ee65b59f139cf218ee6e66305733de3eb81cbc018f98f35365f17b217b559
Opcode Fuzzy Hash: e257653613408a09136b365fbceb762e5c940aeadd782f878c4e4905cbdffc7b
Instruction Fuzzy Hash: B66112B5D00209EFCF05CFA8C984EAEBBB9FF48310F208529E955A7250E774A951CF54

Function 0079DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0079DAA1

Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D659
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D66B
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D67D
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D68F
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6A1
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6B3
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6C5
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6D7
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6E9
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6FB
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D70D
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D71F
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D731

_free.LIBCMT ref: 0079DA96

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079DAB8
_free.LIBCMT ref: 0079DACD
_free.LIBCMT ref: 0079DAD8
_free.LIBCMT ref: 0079DAFA
_free.LIBCMT ref: 0079DB0D
_free.LIBCMT ref: 0079DB1B
_free.LIBCMT ref: 0079DB26
_free.LIBCMT ref: 0079DB5E
_free.LIBCMT ref: 0079DB65
_free.LIBCMT ref: 0079DB82
_free.LIBCMT ref: 0079DB9A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8b8e36dd604136b4cefebc853bc5151392a3852317a38da92e0a7232f3c9207e
Instruction ID: 695ca83db7fb38f09100ba9e2cc3575d935c9aaf82da4c81f362857f657ffdd8
Opcode Fuzzy Hash: 8b8e36dd604136b4cefebc853bc5151392a3852317a38da92e0a7232f3c9207e
Instruction Fuzzy Hash: 89315C71604604EFEF31AA79F849B5AB7E9FF10320F518419E448E71A2DA39BC918B60

Function 007C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007C369C
_wcslen.LIBCMT ref: 007C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007C3797
GetClassNameW.USER32(?,?,00000400), ref: 007C380C
GetDlgCtrlID.USER32(?), ref: 007C385D
GetWindowRect.USER32(?,?), ref: 007C3882
GetParent.USER32(?), ref: 007C38A0
ScreenToClient.USER32(00000000), ref: 007C38A7
GetClassNameW.USER32(?,?,00000100), ref: 007C3921
GetWindowTextW.USER32(?,?,00000400), ref: 007C395D

Strings

%s%u, xrefs: 007C3734

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f63226b1c060d8540342c6f1b55a9dcd477e7856748d416d86e26b368ff91360
Instruction ID: 279cc37da4390fa35a5f7236ee05c130aea7b16f91ec8e2492ac2f1c4b194471
Opcode Fuzzy Hash: f63226b1c060d8540342c6f1b55a9dcd477e7856748d416d86e26b368ff91360
Instruction Fuzzy Hash: 3291AD71204606EFDB19DF24C885FAAB7A8FF44354F00C62DF999D2190DB38EA45CBA1

Function 007C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 007C4994
GetWindowTextW.USER32(?,?,00000400), ref: 007C49DA
_wcslen.LIBCMT ref: 007C49EB
CharUpperBuffW.USER32(?,00000000), ref: 007C49F7
_wcsstr.LIBVCRUNTIME ref: 007C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 007C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 007C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 007C4B20
GetWindowRect.USER32(?,?), ref: 007C4B8B

Strings

ThumbnailClass, xrefs: 007C4A6F, 007C4AF1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ca92dfa92360f8d532c6512a1346f444cecad9146f7b2726230a4a73498fc40f
Instruction ID: 72213db0bc8b2b2b2e7dc3f8feae6c85dc6b3d120dd07b705fc48d9a65f8405c
Opcode Fuzzy Hash: ca92dfa92360f8d532c6512a1346f444cecad9146f7b2726230a4a73498fc40f
Instruction Fuzzy Hash: 8391BDB100820A9FDB15DF14C999FAA77E8FF84314F04846DFD869A096DB38ED45CBA1

Function 007F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007F8D5A
GetFocus.USER32 ref: 007F8D6A
GetDlgCtrlID.USER32(00000000), ref: 007F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007F8ECF
GetMenuItemCount.USER32(?), ref: 007F8EEC
GetMenuItemID.USER32(?,00000000), ref: 007F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007F8FA1

Strings

0, xrefs: 007F8E9F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: f9bcec95a7787afc84c50725b94610d77424fbb0710bc6d64a60878e1929a02f
Instruction ID: b14747b59efded2bd21e50c1f13e4491d8d753b676cd27e55e7204aa8644866e
Opcode Fuzzy Hash: f9bcec95a7787afc84c50725b94610d77424fbb0710bc6d64a60878e1929a02f
Instruction Fuzzy Hash: 7481AD715083099FDB50CF24C888ABB7BE9FF88754F144959FA9497391DB38D900CB62

Function 007CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007CDC46
_wcslen.LIBCMT ref: 007CDC50
_wcsstr.LIBVCRUNTIME ref: 007CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007CDCBC

Strings

%u.%u.%u.%u, xrefs: 007CDD9A
StringFileInfo\, xrefs: 007CDC8F
04090000, xrefs: 007CDCF2
\VarFileInfo\Translation, xrefs: 007CDCB4
DefaultLangCodepage, xrefs: 007CDD1F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 090903a6a1f16eccbb108d5b0b1bd88d5ddeab7a2ec118a03c2f44803bf174b8
Instruction ID: e1c2f4a991774a9df6608ab91a3702dc09b61dc120d05234cdaf1772446a6c6a
Opcode Fuzzy Hash: 090903a6a1f16eccbb108d5b0b1bd88d5ddeab7a2ec118a03c2f44803bf174b8
Instruction Fuzzy Hash: A0411372A80205BADB21B6749D4BFBF37ACEF41750F10406EFA05A6182EB7C9D0197B5

Function 007ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ECD48

Part of subcall function 007ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007ECCAA
Part of subcall function 007ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007ECCBD
Part of subcall function 007ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007ECCCF
Part of subcall function 007ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ECD05
Part of subcall function 007ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007ECCF3

Strings

advapi32.dll, xrefs: 007ECCB8
RegDeleteKeyExW, xrefs: 007ECCC9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: eb2a78086889e77c9a6d0340c4a1567c96b699b7f0bcfb933ed6235375780d33
Instruction ID: dadbe4bcd94ec63fa69028a6fe0d26d88e815767212512ae30f0d5e05fc866f7
Opcode Fuzzy Hash: eb2a78086889e77c9a6d0340c4a1567c96b699b7f0bcfb933ed6235375780d33
Instruction Fuzzy Hash: 7031A175A0212CBBD722CB56DC88EFFBB7CEF09750F004065B905E2210DB388A46DAB4

Function 007D3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007D3D40
_wcslen.LIBCMT ref: 007D3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 007D3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007D3DBE
RemoveDirectoryW.KERNEL32(?), ref: 007D3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007D3E55
CloseHandle.KERNEL32(00000000), ref: 007D3E60
CloseHandle.KERNEL32(00000000), ref: 007D3E6B

Strings

\, xrefs: 007D3D77
\??\%s, xrefs: 007D3D5B
:, xrefs: 007D3D82

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ba3dd54233677ef9d87974642f4dbcf24ddc461e47cfa5f000b116df8727a50f
Instruction ID: 5083b9f901cdc85fa7fa852bd7168ee349ec0395f83f5bb0dedc50cb269915e4
Opcode Fuzzy Hash: ba3dd54233677ef9d87974642f4dbcf24ddc461e47cfa5f000b116df8727a50f
Instruction Fuzzy Hash: 6631B271A00209ABDB219BA0DC49FEF37BDEF88740F1041B6F509D6160E7789744CB25

Function 007CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007CE6B4

Part of subcall function 0077E551: timeGetTime.WINMM(?,?,007CE6D4), ref: 0077E555

Sleep.KERNEL32(0000000A), ref: 007CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 007CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007CE727
SetActiveWindow.USER32 ref: 007CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 007CE773
Sleep.KERNEL32(000000FA), ref: 007CE77E
IsWindow.USER32 ref: 007CE78A
EndDialog.USER32(00000000), ref: 007CE79B

Strings

BUTTON, xrefs: 007CE719

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f0752126b0bc207c65d1fd7f7181a3a0678b3ae7f9c44f8cf1e43397362e024d
Instruction ID: 15b8a345257d2f4dbd280e2c4bd4984e90d4a436795e476f3312e99ec55df8ac
Opcode Fuzzy Hash: f0752126b0bc207c65d1fd7f7181a3a0678b3ae7f9c44f8cf1e43397362e024d
Instruction Fuzzy Hash: DC2157B1200609AFEB019F61ED8EF353B69FB94749B109C2DF515D2161EB7DAC10CB18

Function 007CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007CEAA7

Strings

open , xrefs: 007CEA0C
alias PlayMe, xrefs: 007CEA36
play PlayMe wait, xrefs: 007CEA91
play PlayMe, xrefs: 007CEAA2
close PlayMe, xrefs: 007CEA6E, 007CEA9B
status PlayMe mode, xrefs: 007CEA58

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4ab48fb17022084f00f04985370279c8daa1aabd4f5e1c8e1f8656d9fd8fa941
Instruction ID: 3a641068f4295aca0e474e9efc76e0fca20502e4d459bcc9f358a8d5aecd3e65
Opcode Fuzzy Hash: 4ab48fb17022084f00f04985370279c8daa1aabd4f5e1c8e1f8656d9fd8fa941
Instruction Fuzzy Hash: 98112431690269BED710A761ED4AEFF6B7CFBD1B00F40442D7811E21D1EE785995C9B0

Function 007C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007C5CE2
GetWindowRect.USER32(00000000,?), ref: 007C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007C5D59
GetDlgItem.USER32(?,00000002), ref: 007C5D69
GetWindowRect.USER32(00000000,?), ref: 007C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 007C5DCF
GetDlgItem.USER32(?,000003E9), ref: 007C5DDD
GetWindowRect.USER32(00000000,?), ref: 007C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007C5E31
GetDlgItem.USER32(?,000003EA), ref: 007C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 007C5E67

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 08566872d5c202ce485f2519e8fa6f1b0cc587669bc149d59c140aea7495abe6
Instruction ID: 3bc311f70ac9dba69760d3020fa0d2052b669e3fdb179282daf47e495bd4c650
Opcode Fuzzy Hash: 08566872d5c202ce485f2519e8fa6f1b0cc587669bc149d59c140aea7495abe6
Instruction Fuzzy Hash: BE510F71B00609AFDF18DF68DD89EAE7BB5EB48300F14812DF516E6290D775AE40CB60

Function 00778BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00778F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00778BE8,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 00778FC5

DestroyWindow.USER32(?), ref: 00778C81
KillTimer.USER32(00000000,?,?,?,?,00778BBA,00000000,?), ref: 00778D1B
DestroyAcceleratorTable.USER32(00000000), ref: 007B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 007B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 007B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000), ref: 007B69D4
DeleteObject.GDI32(00000000), ref: 007B69E6

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 75aa598958f31964c4e2f659410eda38383b411c5f13d8df1eaddee3789b6d03
Instruction ID: 441c9ba0119b6c5a7451cac648945930ea4e1169245cf7c794743a4aff8f529f
Opcode Fuzzy Hash: 75aa598958f31964c4e2f659410eda38383b411c5f13d8df1eaddee3789b6d03
Instruction Fuzzy Hash: 8F617B30102604DFCF629F14CA4CB65BBB1FB80752F14C96CE5469AA60CB7DA990CFA6

Function 00779838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

GetSysColor.USER32(0000000F), ref: 00779862

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cabb0abb3a129567ec4a5fb38ad21e233d2050512b3629d631e91817d37ea205
Instruction ID: d2c41ea0b606e3a3cf4f05de8fbcb612c883e34ff0d80673048c93d761734dec
Opcode Fuzzy Hash: cabb0abb3a129567ec4a5fb38ad21e233d2050512b3629d631e91817d37ea205
Instruction Fuzzy Hash: 0B41F4311057089FDF218F389C88BB93B65EB473B0F248645FAA68B2E1D3389C51DB11

Function 00798D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.x, xrefs: 0079903A, 00798FD0, 00798FF2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: .x
API String ID: 0-4151879616
Opcode ID: cf3ef319aa1dee5a175fa14344cce499e01cee8c9b49fdcc6b2dd34b97f62fab
Instruction ID: a65b63078e2387ffc244b2669ffcf313173616f9e49547a29134a2c4571d4702
Opcode Fuzzy Hash: cf3ef319aa1dee5a175fa14344cce499e01cee8c9b49fdcc6b2dd34b97f62fab
Instruction Fuzzy Hash: B8C1E475D0424AEFDF11EFACE845BADBBB0BF4A310F044059E524A7392DB389941CB61

Function 007C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,007AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 007C9717
LoadStringW.USER32(00000000,?,007AF7F8,00000001), ref: 007C9720

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,007AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 007C9742
LoadStringW.USER32(00000000,?,007AF7F8,00000001), ref: 007C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 007C9866

Strings

Line %d:, xrefs: 007C97A0
^ ERROR, xrefs: 007C97FB
Line %d (File "%s"):, xrefs: 007C978F
%s (%d) : ==> %s: %s %s, xrefs: 007C984A
Error: , xrefs: 007C981D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ec79707935af755d8a6b93fcd83cb0d85f19c07bd1a15c24cb84f60673ec400e
Instruction ID: 0b837e2c587bdbcd15098e3389eeef780f1b2198877ce77955ea18d565ef0ba2
Opcode Fuzzy Hash: ec79707935af755d8a6b93fcd83cb0d85f19c07bd1a15c24cb84f60673ec400e
Instruction Fuzzy Hash: 87410F72800219EBDB05EBE0DE4AEEEB778AF55340F504069F60672191EA396F48CB61

Function 007C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 007C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C083C

Strings

\CLSID, xrefs: 007C0724
\IPC$, xrefs: 007C0784
SOFTWARE\Classes\, xrefs: 007C070E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2bae040a0e278d0c99887e59a0d5d4956b79a89b2406a188b9a2dfac83ba1e81
Instruction ID: 827f16c01abcf6416d3f27aadb0b3a6028c27a56d248931c78b6993d131e10fa
Opcode Fuzzy Hash: 2bae040a0e278d0c99887e59a0d5d4956b79a89b2406a188b9a2dfac83ba1e81
Instruction Fuzzy Hash: FD410772810229EADF15EBA4DC89DEDB778BF04750B144129E906B3161EB386E44CFA0

Function 007E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E3C5C
CoInitialize.OLE32(00000000), ref: 007E3C8A
CoUninitialize.OLE32 ref: 007E3C94
_wcslen.LIBCMT ref: 007E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007E3F0E
CoGetObject.OLE32(?,00000000,007FFB98,?), ref: 007E3F2D
SetErrorMode.KERNEL32(00000000), ref: 007E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E3FC4
VariantClear.OLEAUT32(?), ref: 007E3FD8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 77ae205a96bc98e889a19b0b2df52a9bc8f65aa671c3c7cb7512923befcc9a14
Instruction ID: 522e71081e5fee14574d3506d893fa00a46f060e1a36f3930be9ab25f6d27180
Opcode Fuzzy Hash: 77ae205a96bc98e889a19b0b2df52a9bc8f65aa671c3c7cb7512923befcc9a14
Instruction Fuzzy Hash: 41C15571608245DFC700DF29C88892BBBE9FF89744F10491DF98A9B250DB34EE05CB92

Function 007D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 007D7BA3
CoCreateInstance.OLE32(007FFD08,00000000,00000001,00826E6C,?), ref: 007D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007D7C74
CoTaskMemFree.OLE32(?,?), ref: 007D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 007D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007D7D7A
CoTaskMemFree.OLE32(00000000), ref: 007D7D81
CoTaskMemFree.OLE32(00000000), ref: 007D7DD6
CoUninitialize.OLE32 ref: 007D7DDC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 192a89f1a84fcbaa3584bfb06bdea2bb2f0c0935d39a27ebd858073e08ebcaec
Instruction ID: 689f964229fa4bcae54388ac27d341ea254d5b5057cd65c6ed42078de24c5ee1
Opcode Fuzzy Hash: 192a89f1a84fcbaa3584bfb06bdea2bb2f0c0935d39a27ebd858073e08ebcaec
Instruction Fuzzy Hash: 2CC1F975A04109EFCB14DFA4C888DAEBBB9FF48314B148499E91AEB361D734ED45CB90

Function 007F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F5515
CharNextW.USER32(00000158), ref: 007F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F55AC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f39aab52262a5b4f8af9596e6cfd826d3c7013ae511aedb6f0a7faf7091004c1
Instruction ID: 8640f485bfc11d33cd605d17b6969d3d3cf4f104704ddab29879b293d21a7c9c
Opcode Fuzzy Hash: f39aab52262a5b4f8af9596e6cfd826d3c7013ae511aedb6f0a7faf7091004c1
Instruction Fuzzy Hash: 3261497490460CEBDF11DF64CC84AFE7BB9AB09721F108149FB25AB390D7789A81DB60

Function 007BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 007BFB08
VariantInit.OLEAUT32(?), ref: 007BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 007BFB3A
VariantCopy.OLEAUT32(?,?), ref: 007BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 007BFBA1
VariantClear.OLEAUT32(?), ref: 007BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 007BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007BFBCC
VariantClear.OLEAUT32(?), ref: 007BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007BFBE9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9fccfedd496ccd2978efe182fa2905a03889bc669ae8116de2ec6d466cabfee1
Instruction ID: d6f6225de0e917cfcb09d0bf3eeb02fe5df228d60e92b391425fb1d4e35173a7
Opcode Fuzzy Hash: 9fccfedd496ccd2978efe182fa2905a03889bc669ae8116de2ec6d466cabfee1
Instruction Fuzzy Hash: 39416075A00219DFCB05DF64CC58AFEBBB9FF08754F00C469E946A7261CB38A945CBA0

Function 007C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 007C9D22
GetKeyState.USER32(000000A0), ref: 007C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 007C9D57
GetKeyState.USER32(000000A1), ref: 007C9D6C
GetAsyncKeyState.USER32(00000011), ref: 007C9D84
GetKeyState.USER32(00000011), ref: 007C9D96
GetAsyncKeyState.USER32(00000012), ref: 007C9DAE
GetKeyState.USER32(00000012), ref: 007C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 007C9DD8
GetKeyState.USER32(0000005B), ref: 007C9DEA

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 46cfca32a9284d0d237edaf0d6a734ab0eaf3fe80416ef0f531d6dda62c4a0f6
Instruction ID: 72a29f1c7a3c6169a04fa01b29048ef0ff83dde40916a45ed5885d227dfe3d5d
Opcode Fuzzy Hash: 46cfca32a9284d0d237edaf0d6a734ab0eaf3fe80416ef0f531d6dda62c4a0f6
Instruction Fuzzy Hash: A141D8746047C969FFB18670940CBB5BFA06B21344F04805ED7C7675C2EBAC99C8C7A2

Function 007E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007E05BC
inet_addr.WSOCK32(?), ref: 007E061C
gethostbyname.WSOCK32(?), ref: 007E0628
IcmpCreateFile.IPHLPAPI ref: 007E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007E07B9
WSACleanup.WSOCK32 ref: 007E07BF

Strings

Ping, xrefs: 007E0676

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e8efb0cff173ac068138ce613f34811b91da774346bb238894ebeb68ec836101
Instruction ID: 53354cfe0bad919fb4ecfab269b971ae4676011e59e0c1a89958fd712bdbd077
Opcode Fuzzy Hash: e8efb0cff173ac068138ce613f34811b91da774346bb238894ebeb68ec836101
Instruction Fuzzy Hash: 5D91AF75605241DFD720DF16C588F1ABBE0AF48318F1485A9F46A8B6A2C7B8EC85CFD1

Function 007E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007E8CF3

Part of subcall function 007C8E54: _wcslen.LIBCMT ref: 007C8E77

_wcslen.LIBCMT ref: 007E8D4E
_wcslen.LIBCMT ref: 007E8D9C
_wcslen.LIBCMT ref: 007E8DDC
_wcslen.LIBCMT ref: 007E8E6E

Strings

stdcall, xrefs: 007E8DD6, 007E8DDB
winapi, xrefs: 007E8D96, 007E8D9B
cdecl, xrefs: 007E8D48, 007E8D4D
none, xrefs: 007E8E65, 007E8E6A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: adf6f80bcb7c006f7c87403f48a54cef67451d34052e0d261e98622364d194b2
Instruction ID: 079024be08d857d5865ab7314389804348522270b4638d8e1625cabc20177e30
Opcode Fuzzy Hash: adf6f80bcb7c006f7c87403f48a54cef67451d34052e0d261e98622364d194b2
Instruction Fuzzy Hash: CC51C231A015569BCF64DFADC9409BEB3A5BF68320B204229E92AE72C4DB39DD40C791

Function 007E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007E3774
CoUninitialize.OLE32 ref: 007E377F
CoCreateInstance.OLE32(?,00000000,00000017,007FFB78,?), ref: 007E37D9
IIDFromString.OLE32(?,?), ref: 007E384C
VariantInit.OLEAUT32(?), ref: 007E38E4
VariantClear.OLEAUT32(?), ref: 007E3936

Strings

NULL Pointer assignment, xrefs: 007E381E
Invalid parameter, xrefs: 007E3865
Failed to create object, xrefs: 007E37E4, 007E389A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8fcc571c250546afe61bb153a4942cd5c08bdd0aaaecb8aa4967d336ad1bb765
Instruction ID: c9647a81f702948222876715469a0182885bf3d89d578ea28b47ea27347f0c52
Opcode Fuzzy Hash: 8fcc571c250546afe61bb153a4942cd5c08bdd0aaaecb8aa4967d336ad1bb765
Instruction Fuzzy Hash: 77618C70609341EFD311DF56C88DB6ABBE8EF48754F004909F9859B291C778EE48CBA2

Function 007D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 007D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8395

Strings

*.*, xrefs: 007D839B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2bffbe92140abec0181637778027ca2d274a4a0895c48493929901d360b6c86b
Instruction ID: 98b6a7aba61db5c40d962389ebacc2cab68448069a943d22bff719750977967e
Opcode Fuzzy Hash: 2bffbe92140abec0181637778027ca2d274a4a0895c48493929901d360b6c86b
Instruction Fuzzy Hash: A56138725043459FCB10EF64C8449AEB3F8FF89324F04891EF99A97251EB39E945CB92

Function 007D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007D33CF

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007D33F0

Strings

Incorrect parameters to object property !, xrefs: 007D34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 007D3504
Line %d (File "%s"):, xrefs: 007D3443, 007D345C
"%s" (%d) : ==> %s:, xrefs: 007D3522
Error: , xrefs: 007D34D1
^ ERROR , xrefs: 007D349E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 110bfb70ce947272de49c28ea191c2072f2b20dc355fadff68a326b22caa1b80
Instruction ID: c871767e67ebf0095ff7d22e1af55ef650de8075dc11e02aeac12457480e3f0d
Opcode Fuzzy Hash: 110bfb70ce947272de49c28ea191c2072f2b20dc355fadff68a326b22caa1b80
Instruction Fuzzy Hash: 54515C71900219EADF15EBA0DE4AEEEB778BF14740F104065F90672291EB3D2F58DB61

Function 007CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007CB5FC
_wcslen.LIBCMT ref: 007CB608
_wcslen.LIBCMT ref: 007CB64D
_wcslen.LIBCMT ref: 007CB68C
_wcslen.LIBCMT ref: 007CB6C7

Strings

APPEND, xrefs: 007CB6C1, 007CB6C6
EXISTS, xrefs: 007CB686, 007CB68B
REMOVE, xrefs: 007CB602, 007CB607
KEYS, xrefs: 007CB647, 007CB64C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8a6c661f0db6954f2cfd9f18997a415263d1edafb7de60a5e3b8d0273d84f5d5
Instruction ID: 8354b32bcbe5f1665165276217007a045826bcc1c17233ac1ac16e134eb80876
Opcode Fuzzy Hash: 8a6c661f0db6954f2cfd9f18997a415263d1edafb7de60a5e3b8d0273d84f5d5
Instruction Fuzzy Hash: 5241B932A00027DBCB205F7DC992ABE77A5BB60754F24412EF965E7284E739DD81C790

Function 007D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007D5416
GetLastError.KERNEL32 ref: 007D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 007D54A7

Strings

UNKNOWN, xrefs: 007D5444
READONLY, xrefs: 007D5452
READY, xrefs: 007D5460, 007D5468
NOTREADY, xrefs: 007D544B
INVALID, xrefs: 007D5459

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c5df35f2ebf64836ab3c9b2d9737749ab2746c0e9573b0a09fb4097e200997c8
Instruction ID: 295890fa1ec0d7acef396f21aa4076f91a3147049822cb9ccf25289be3d443e6
Opcode Fuzzy Hash: c5df35f2ebf64836ab3c9b2d9737749ab2746c0e9573b0a09fb4097e200997c8
Instruction Fuzzy Hash: E431C375A00548DFC711DF68C488EAABBB4FF05305F14806AE906DB392E779DD86CB92

Function 007F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007F3C79
SetMenu.USER32(?,00000000), ref: 007F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F3D10
IsMenu.USER32(?), ref: 007F3D24
CreatePopupMenu.USER32 ref: 007F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F3D5B
DrawMenuBar.USER32 ref: 007F3D63

Strings

0, xrefs: 007F3C54
F, xrefs: 007F3D4E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8897126496c49f430cec6eef9534d69af9ab1244f97830f36b5272e91432d55c
Instruction ID: 66a81b9ed2d499aca604443832cc57c143e19edacebea491255999fecea2db99
Opcode Fuzzy Hash: 8897126496c49f430cec6eef9534d69af9ab1244f97830f36b5272e91432d55c
Instruction Fuzzy Hash: 45416975A01209EFDF14DF64D844AAABBB5FF49351F144028FA46A7360D738AA14CF94

Function 007C1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 007C1F64
GetDlgCtrlID.USER32 ref: 007C1F6F
GetParent.USER32 ref: 007C1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C1F8E
GetDlgCtrlID.USER32(?), ref: 007C1F97
GetParent.USER32(?), ref: 007C1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C1FAE

Strings

ComboBox, xrefs: 007C1EEC
ListBox, xrefs: 007C1F21

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b9154f75761441b74f8fd406a9825f3bf491f3c5e2e07db90a7e2522601bd805
Instruction ID: c30effaa3fad89b72060c383de0d0027f98c6edc4e3e2074c436e8ce97d131fa
Opcode Fuzzy Hash: b9154f75761441b74f8fd406a9825f3bf491f3c5e2e07db90a7e2522601bd805
Instruction Fuzzy Hash: 5921B070900218BBCF05AFA0DD89EFEBBB8EF16310B40419DB961A72D1CB3C5918DB64

Function 007F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007F3C13

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 99e680d95bbd07a136150ec9f7324a4c025f9d5e163e752e5e5d62e38334dc69
Instruction ID: c1683f5126b0e00436c754243d826d8768654405ce331f4f54eef64a9ea9f3b8
Opcode Fuzzy Hash: 99e680d95bbd07a136150ec9f7324a4c025f9d5e163e752e5e5d62e38334dc69
Instruction Fuzzy Hash: 2C616975900248AFDB10DFA8CC85EFEB7B8EB49710F104199FA15E73A1C778AA45DB60

Function 00792C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00792C94

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 00792CA0
_free.LIBCMT ref: 00792CAB
_free.LIBCMT ref: 00792CB6
_free.LIBCMT ref: 00792CC1
_free.LIBCMT ref: 00792CCC
_free.LIBCMT ref: 00792CD7
_free.LIBCMT ref: 00792CE2
_free.LIBCMT ref: 00792CED
_free.LIBCMT ref: 00792CFB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 87021e8950783156a956f0ce464418b1cc682f994ca9065442b2c32cbbbada8b
Instruction ID: 10c9fd4b33f4b8705abeb760f8cb22df855d9478d7d198fc0990a589011a9186
Opcode Fuzzy Hash: 87021e8950783156a956f0ce464418b1cc682f994ca9065442b2c32cbbbada8b
Instruction Fuzzy Hash: A9115076500108FFCF02FF94E986C9D3BA5BF05360F5145A5FA48AB232DA35EA519F90

Function 007D7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 007D7FC1
GetFileAttributesW.KERNEL32(?), ref: 007D7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 007D8005
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8017
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007D80B0

Strings

*.*, xrefs: 007D8066

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c505deb2b320c9a78fa7bcab271d51d79b5e47fa927f3268debc14736decea99
Instruction ID: 9c6bb14f110768f533ebf56f2a620710af39f3253ce424e67feca24055841bbe
Opcode Fuzzy Hash: c505deb2b320c9a78fa7bcab271d51d79b5e47fa927f3268debc14736decea99
Instruction Fuzzy Hash: 87818E725082459BCB28EF54C844AAAB3F8BF89314F58485FF885D7351EB38DD49CB92

Function 00765BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00765C7A

Part of subcall function 00765D0A: GetClientRect.USER32(?,?), ref: 00765D30
Part of subcall function 00765D0A: GetWindowRect.USER32(?,?), ref: 00765D71
Part of subcall function 00765D0A: ScreenToClient.USER32(?,?), ref: 00765D99

GetDC.USER32 ref: 007A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007A4708
SelectObject.GDI32(00000000,00000000), ref: 007A4716
SelectObject.GDI32(00000000,00000000), ref: 007A472B
ReleaseDC.USER32(?,00000000), ref: 007A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007A47C4

Strings

U, xrefs: 007A4693

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 37de97ffbf5dc0846cc19e2793f94fe90ea88c6358701c85eb9b0a187402301c
Instruction ID: 6805b5c3a7d5bc5a3169cf49616179a5027952a56893fd66f61ba5270db061dc
Opcode Fuzzy Hash: 37de97ffbf5dc0846cc19e2793f94fe90ea88c6358701c85eb9b0a187402301c
Instruction Fuzzy Hash: CF71E131500249DFCF218F64C988ABA7BB5FFCA360F144369ED565A266C77A8841DF60

Function 007D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007D35E4

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

LoadStringW.USER32(00832390,?,00000FFF,?), ref: 007D360A

Strings

^ ERROR, xrefs: 007D36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 007D3724
Line %d (File "%s"):, xrefs: 007D366B
"%s" (%d) : ==> %s:, xrefs: 007D3742
Error: , xrefs: 007D36EF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ace799474b28b79587798c37aa826e90204d424a10db595d14c09ca30ba88552
Instruction ID: 4b85a7487bec598291b302498ab31b6a0dc6a673e20d9e1960d5274e693c73bf
Opcode Fuzzy Hash: ace799474b28b79587798c37aa826e90204d424a10db595d14c09ca30ba88552
Instruction Fuzzy Hash: 96517071800219FBDF15EBA0DD4AEEDBB78EF14710F144125F606722A1EB385A98DF61

Function 007F8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

Part of subcall function 0077912D: GetCursorPos.USER32(?), ref: 00779141
Part of subcall function 0077912D: ScreenToClient.USER32(00000000,?), ref: 0077915E
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000001), ref: 00779183
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000002), ref: 0077919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 007F8B6B
ImageList_EndDrag.COMCTL32 ref: 007F8B71
ReleaseCapture.USER32 ref: 007F8B77
SetWindowTextW.USER32(?,00000000), ref: 007F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007F8CFF

Strings

@GUI_DROPID, xrefs: 007F8C51
@GUI_DRAGFILE, xrefs: 007F8C9A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 1edd5fa13e6bba5a11f244e2cea3367486c005087092ddbf6f4c359c9c5926a9
Instruction ID: 024520d26143f18fa1e1015040fb3fd29cb6e7a653862ed200132026343a0cf0
Opcode Fuzzy Hash: 1edd5fa13e6bba5a11f244e2cea3367486c005087092ddbf6f4c359c9c5926a9
Instruction Fuzzy Hash: 45518C71204308AFDB00DF24DD5AFBA77E4FB88750F400A29FA56972E1CB789944CB62

Function 007DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007DC2CA
GetLastError.KERNEL32 ref: 007DC322
SetEvent.KERNEL32(?), ref: 007DC336
InternetCloseHandle.WININET(00000000), ref: 007DC341

Strings

, xrefs: 007DC2BB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 0dfb7e2ec839fb3e8ae051e362875e70fdc8b902227c7c568b7e81f1969b2dbc
Instruction ID: 60fc3cf17fc9631c6f8e4508c4e234a419bd6c67648c6b262375df9dd9c843c8
Opcode Fuzzy Hash: 0dfb7e2ec839fb3e8ae051e362875e70fdc8b902227c7c568b7e81f1969b2dbc
Instruction Fuzzy Hash: 49316BB1600209AFDB22AF658D88ABB7BFCEB49744B14851EF446D2300DB38ED04DB75

Function 007C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007A3AAF,?,?,Bad directive syntax error,007FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007C98BC
LoadStringW.USER32(00000000,?,007A3AAF,?), ref: 007C98C3

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007C9987

Strings

Line %d:, xrefs: 007C9912
%s (%d) : ==> %s.: %s %s, xrefs: 007C98F1
Line %d (File "%s"):, xrefs: 007C992D
., xrefs: 007C996D
Error: , xrefs: 007C9955

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3b4beb43ef983ae0c86368fc3b1ab03aaf4ca4515572b84db493e651a178c8c1
Instruction ID: e4ed83947c8c43a8e8581d99cc450e224f2d702e74b498a4fba71e8a0c0a6c57
Opcode Fuzzy Hash: 3b4beb43ef983ae0c86368fc3b1ab03aaf4ca4515572b84db493e651a178c8c1
Instruction Fuzzy Hash: E5216F3180021EEBCF11AF90CC0AEEE7739FF18700F044459F61A621A1EB39A668DB10

Function 007C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007C214D

Strings

smallicons, xrefs: 007C2115
SHELLDLL_DefView, xrefs: 007C20CC
details, xrefs: 007C20FB
largeicons, xrefs: 007C20E1
list, xrefs: 007C212F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 44678ebcea71f7af6e91efd185fe34878df11c9bf34bcec5b5fd47cf503f6316
Instruction ID: cd796dc548dee8d75207cf061671c8b2f23648f53eb178b313818b68957ef13c
Opcode Fuzzy Hash: 44678ebcea71f7af6e91efd185fe34878df11c9bf34bcec5b5fd47cf503f6316
Instruction Fuzzy Hash: 1511A7766C871BFAF6056624AC0AEA6379CEB05724B20412EF604F51D2FABD58425A14

Function 0079CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0079CEB7
_free.LIBCMT ref: 0079CF22
_free.LIBCMT ref: 0079CF48
_free.LIBCMT ref: 0079CF71
_free.LIBCMT ref: 0079CFA9
_free.LIBCMT ref: 0079CFDA
_free.LIBCMT ref: 0079D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0079D09C
_free.LIBCMT ref: 0079D0B5

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 14cb87f2d7e6913b83a472b6f0fc1a799129135e51108afe8eb78227b4b834d7
Instruction ID: 68ff80024a208b61feedbc177adab2dc69aeaf3ed1f88ddd0ccc15f93e860cdf
Opcode Fuzzy Hash: 14cb87f2d7e6913b83a472b6f0fc1a799129135e51108afe8eb78227b4b834d7
Instruction Fuzzy Hash: 64612772904200AFDF22AFB4F899A697BA6FF05360F04466DF945A7282D63D9D019B90

Function 007F50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007F5186
ShowWindow.USER32(?,00000000), ref: 007F51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007F51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007F51D1

Part of subcall function 007F6FBA: DeleteObject.GDI32(00000000), ref: 007F6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007F520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007F524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007F5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007F5296

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 81f570d3a508ceb6cad69e56e606b28803e46f9b5f70f382f1e45a168a7d241a
Instruction ID: 06f4db573663f13359313022c55ad8861b99efed016e5f67a169bd7b990290ec
Opcode Fuzzy Hash: 81f570d3a508ceb6cad69e56e606b28803e46f9b5f70f382f1e45a168a7d241a
Instruction Fuzzy Hash: 27516B70A51A0CFEEF249F28CC4ABB93B65BB05361F148211FB15963E0C77DA990DB41

Function 00778B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 007B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00778874,00000000,00000000,00000000,000000FF,00000000), ref: 007B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00778874,00000000,00000000,00000000,000000FF,00000000), ref: 007B692D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e41a2c1c79cbb6eff9d40b97e96622736f51d213d1fba6236ab0cd2f1dd33a4f
Instruction ID: dad544888e883891e044bef279f082f9bf77697f8991d6ec89283455aa7ecd4d
Opcode Fuzzy Hash: e41a2c1c79cbb6eff9d40b97e96622736f51d213d1fba6236ab0cd2f1dd33a4f
Instruction Fuzzy Hash: F9515CB0640209EFDF20CF25CC59FAA7BB5FB48750F108528FA5A972A0DB78E950DB50

Function 007DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007DC182
GetLastError.KERNEL32 ref: 007DC195
SetEvent.KERNEL32(?), ref: 007DC1A9

Part of subcall function 007DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007DC272
Part of subcall function 007DC253: GetLastError.KERNEL32 ref: 007DC322
Part of subcall function 007DC253: SetEvent.KERNEL32(?), ref: 007DC336
Part of subcall function 007DC253: InternetCloseHandle.WININET(00000000), ref: 007DC341

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 83f7e34b86c83a72c001c39b7b0efef1abae544a14aedbbabf6ef1f5e887aa7d
Instruction ID: 379281988078b1734166f06b258cfce5dcf8ae6978488a57bca4d2fdec939ad3
Opcode Fuzzy Hash: 83f7e34b86c83a72c001c39b7b0efef1abae544a14aedbbabf6ef1f5e887aa7d
Instruction Fuzzy Hash: 19316D7160060AEFDB229FA5DD48A76BBF9FF18300B14841EF95686710D739E814EBA0

Function 007C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007C2627

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 276ea547d6f2887659cc4fc846695e888215918ef733ecac7ed72de0aa0ffc2c
Instruction ID: a3f3018f7febcc3a6b68fc7432ee212a82f89216e6cb0a7c780a9cdf54ab8948
Opcode Fuzzy Hash: 276ea547d6f2887659cc4fc846695e888215918ef733ecac7ed72de0aa0ffc2c
Instruction Fuzzy Hash: BF01D470394218BBFB1067689C8EF693F59DF4EB12F108049F318AE0D1C9FA6855CA6D

Function 007C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,007C1449,?,?,00000000), ref: 007C180C
HeapAlloc.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C1449,?,?,00000000), ref: 007C1828
GetCurrentProcess.KERNEL32(?,00000000,?,007C1449,?,?,00000000), ref: 007C1830
DuplicateHandle.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C1449,?,?,00000000), ref: 007C1843
GetCurrentProcess.KERNEL32(007C1449,00000000,?,007C1449,?,?,00000000), ref: 007C184B
DuplicateHandle.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C184E
CreateThread.KERNEL32(00000000,00000000,007C1874,00000000,00000000,00000000), ref: 007C1868

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 42e47ce3ad19e2e6a1646fa3f012049108431d2e98b031f219a87f04dc60c35b
Instruction ID: 89c61962da8e709d9a0ebdab942e464acbabaae981c6dfb5d5a9baeaeb8f8dbb
Opcode Fuzzy Hash: 42e47ce3ad19e2e6a1646fa3f012049108431d2e98b031f219a87f04dc60c35b
Instruction Fuzzy Hash: 9901A8B524030CBFE611ABA5DD4AF6B3BACEB89B11F418411FA05DB1A2CA749810DB64

Function 007EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 007CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 007CD501
Part of subcall function 007CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 007CD50F
Part of subcall function 007CD4DC: CloseHandle.KERNEL32(00000000), ref: 007CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EA16D
GetLastError.KERNEL32 ref: 007EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007EA268
GetLastError.KERNEL32(00000000), ref: 007EA273
CloseHandle.KERNEL32(00000000), ref: 007EA2C4

Strings

SeDebugPrivilege, xrefs: 007EA18F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3b94af45ff40057d2c5aa6bfebf48035a9067c2ce6fcfea4f1a09d9239507a35
Instruction ID: 46f845324cdcbe3b5d3196b5eda1a7447b6d4b954ad404f7cbebc56b6668c29e
Opcode Fuzzy Hash: 3b94af45ff40057d2c5aa6bfebf48035a9067c2ce6fcfea4f1a09d9239507a35
Instruction Fuzzy Hash: FB618E31205281AFD711DF15C498F25BBE5AF88318F18849CE5568B793C77AEC45CB92

Function 007F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F3954
_wcslen.LIBCMT ref: 007F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F39F4

Strings

SysListView32, xrefs: 007F38F7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 113d1059b24c16a5334a294643a02c10ab308bae8fe220bde888206af67fc90b
Instruction ID: 032dfb30deaba20727b2f40ac109ec4aea34ba46191c3138d867d6c534feb9c4
Opcode Fuzzy Hash: 113d1059b24c16a5334a294643a02c10ab308bae8fe220bde888206af67fc90b
Instruction Fuzzy Hash: 6541A471A0021DABEF21DF64CC49BFA77A9FF08354F100566FA58E7281D7B99980CB90

Function 007CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007CBCFD
IsMenu.USER32(00000000), ref: 007CBD1D
CreatePopupMenu.USER32 ref: 007CBD53
GetMenuItemCount.USER32(010E5840), ref: 007CBDA4
InsertMenuItemW.USER32(010E5840,?,00000001,00000030), ref: 007CBDCC

Strings

2, xrefs: 007CBD37
0, xrefs: 007CBCA8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5241edada0d02934f50cb0a7da7900b3396be5c60bd039c661ef37eb59a6ae27
Instruction ID: 433850d92ee33d90bfb17f0a2838b623cbed7b61f9a184dad45edcf633e08c56
Opcode Fuzzy Hash: 5241edada0d02934f50cb0a7da7900b3396be5c60bd039c661ef37eb59a6ae27
Instruction Fuzzy Hash: A851BF70B00209DBDB21CFA8D88AFAEBBF8BF45314F24815DF40297290D778A945CB61

Function 00782D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00782D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00782D53
_ValidateLocalCookies.LIBCMT ref: 00782DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00782E0C
_ValidateLocalCookies.LIBCMT ref: 00782E61

Strings

csm, xrefs: 00782DF6
&Hx, xrefs: 00782DFE, 00782E07, 00782E18

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hx$csm
API String ID: 1170836740-229183418
Opcode ID: af3ea5d0003fbdff11d690caaf38200209aa59d3ebf016ca94caba033420a1f6
Instruction ID: d8738822a41158cde436697aeb4c925b1520debc70d3d4980b5c1745ac33101f
Opcode Fuzzy Hash: af3ea5d0003fbdff11d690caaf38200209aa59d3ebf016ca94caba033420a1f6
Instruction Fuzzy Hash: 77419634A40209EBCF10EF68C849A9EBFB5BF44325F148155E814AB353D7399A06CBE0

Function 007CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007CC913

Strings

stop, xrefs: 007CC8E4
blank, xrefs: 007CC895
question, xrefs: 007CC8CC
info, xrefs: 007CC8B4
warning, xrefs: 007CC8FC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 943ddb10dfce1dcda9ff7415e6006f848fb61ce09bd5d277749e6aad124d25ad
Instruction ID: 9b36effb2780eb796a24b565e79da835f3ad054dc4e872de61f82ee1e721de21
Opcode Fuzzy Hash: 943ddb10dfce1dcda9ff7415e6006f848fb61ce09bd5d277749e6aad124d25ad
Instruction Fuzzy Hash: 2B11BB31689317FEE706AB54AC82EAB67ECDF15354B50402EF508E6282E7BCAD405369

Function 007CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007CED2A
_wcslen.LIBCMT ref: 007CED3B
_wcslen.LIBCMT ref: 007CED79
_wcslen.LIBCMT ref: 007CEDAF
_wcslen.LIBCMT ref: 007CEDDF
_wcslen.LIBCMT ref: 007CEDEF
_wcslen.LIBCMT ref: 007CEE2B
_wcslen.LIBCMT ref: 007CEE5A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: dd23cbcf3b4cda897a4591945c36167eda4aa73acc1149ccc9c12e71d1a4ec1b
Instruction ID: 795fb16889966005cbacfbc896c4574b197a4bf6ad1b8254614f1a20e60ce2e7
Opcode Fuzzy Hash: dd23cbcf3b4cda897a4591945c36167eda4aa73acc1149ccc9c12e71d1a4ec1b
Instruction Fuzzy Hash: 7C41B666C50118B6DB21FBF4888EECF77A8AF45310F50846AE518E3162FB38E645C3A5

Function 0077F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 0077F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007BF454

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51e23011ef3d9a94418acf66672a066fb849f559b2fe0c6d1af98a5151ae2515
Instruction ID: 6b3008912d126fe86746e00076e1a39dd88f0ccae1598fae5480914c2e147300
Opcode Fuzzy Hash: 51e23011ef3d9a94418acf66672a066fb849f559b2fe0c6d1af98a5151ae2515
Instruction Fuzzy Hash: F241E931608680BACF359B2D8E887BA7B91AB56794F14C43CE25FD7561D63DB880CF11

Function 007F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007F2D1B
GetDC.USER32(00000000), ref: 007F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F2DE1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f61b6710d1980d3bfd14a031b28d68210d24cc4798ef078fd33c9e47c5e151c4
Instruction ID: 66f503172628e6876d2fdd5c080d1a070d9634820ce2da666f71f832a4c085b7
Opcode Fuzzy Hash: f61b6710d1980d3bfd14a031b28d68210d24cc4798ef078fd33c9e47c5e151c4
Instruction Fuzzy Hash: 04316B72201618BBEB158F50CD8AFFB3BA9EF09715F048055FE08DA291C6799C51CBA5

Function 007C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007C5637
_memcmp.LIBVCRUNTIME ref: 007C5659
_memcmp.LIBVCRUNTIME ref: 007C5671
_memcmp.LIBVCRUNTIME ref: 007C5684
_memcmp.LIBVCRUNTIME ref: 007C569E
_memcmp.LIBVCRUNTIME ref: 007C56B1
_memcmp.LIBVCRUNTIME ref: 007C56C9
_memcmp.LIBVCRUNTIME ref: 007C56E4

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3baa8885eed38e4a4cda5f820cbd427bb85a1277ce88a0e3c974aec7389827ab
Instruction ID: 681384aca113ac9914fb24cb3ec7138d91158d3788d60b3500602ee53a9844e1
Opcode Fuzzy Hash: 3baa8885eed38e4a4cda5f820cbd427bb85a1277ce88a0e3c974aec7389827ab
Instruction Fuzzy Hash: F221CCA1690919B7D61465208D86FFB335CAF11784F84002CFE046AA41FB2EFD91C3B9

Function 007E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 007E5007
NULL Pointer assignment, xrefs: 007E502E, 007E5383

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 454752f9c9a1b996a709f9de62d055bb124c377c65489922eb3856c8cce0d034
Instruction ID: 84b2f9433f13d8c208028024fa5414205e6b69c3695ad7c71f80a1875aa85d41
Opcode Fuzzy Hash: 454752f9c9a1b996a709f9de62d055bb124c377c65489922eb3856c8cce0d034
Instruction Fuzzy Hash: 8AD1D171A0164E9FDF10CFA9C881BAEB7B5BF48358F148069E915AB281E774DD41CBA0

Function 007A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007A17FB,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A16FB

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A1777
__freea.LIBCMT ref: 007A17A2
__freea.LIBCMT ref: 007A17AE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b818c4d6e12a4905f88ab76c3ea1459fb8418a742d6a4853a327671966d32107
Instruction ID: db98965d904332e8aaf88e8724d6452360251f554824616b765237b79715bbb7
Opcode Fuzzy Hash: b818c4d6e12a4905f88ab76c3ea1459fb8418a742d6a4853a327671966d32107
Instruction Fuzzy Hash: 8D91B571E002169AEF248E74C945EEE7BB5AFC6310F984759E802E7181EB3DDD50CB60

Function 007E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E4648
VariantInit.OLEAUT32(?), ref: 007E4749
VariantClear.OLEAUT32(?), ref: 007E4753
VariantClear.OLEAUT32(?), ref: 007E47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007E472C
Null Object assignment in FOR..IN loop, xrefs: 007E45D8, 007E4706, 007E47BE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f138e3b3d78fa9434eca672efb109d5671ac77220f41f9d58a43d5f4422dfef7
Instruction ID: cb4ea593dff72e7fcffe25d5167dec802880b178109953ce800baf95b57da46e
Opcode Fuzzy Hash: f138e3b3d78fa9434eca672efb109d5671ac77220f41f9d58a43d5f4422dfef7
Instruction Fuzzy Hash: D191B471A01259EBDF20CFA6CC48FAEBBB8EF49710F108559F515AB280D7789941CFA0

Function 007D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 007D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D1430

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7e2dfca5b27991db53afa98942280e8565342e63138ce82d6791fc2f11a73d62
Instruction ID: a29c4663f48b46aec1e5cd1587e034dad810a9c4c159060987c8f9dd6a7cc154
Opcode Fuzzy Hash: 7e2dfca5b27991db53afa98942280e8565342e63138ce82d6791fc2f11a73d62
Instruction Fuzzy Hash: 1C91BF71A00208AFDB01DFA8C888BBE77B5FF45325F54802AE901EB391D77DA941CB90

Function 0077948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e424528bb4901874b8f5228c1fa3b6c26d90d75243959fb57f49aab7221a8683
Instruction ID: c1075550566b57c6ea1f02a6cf4b38faf2f359971204635cb47dde2c0300507c
Opcode Fuzzy Hash: e424528bb4901874b8f5228c1fa3b6c26d90d75243959fb57f49aab7221a8683
Instruction Fuzzy Hash: DB913671901219EFCF15CFA9CC88AEEBBB8FF49320F148145E615B7291D778A952CB60

Function 007E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E396B
CharUpperBuffW.USER32(?,?), ref: 007E3A7A
_wcslen.LIBCMT ref: 007E3A8A
VariantClear.OLEAUT32(?), ref: 007E3C1F

Part of subcall function 007D0CDF: VariantInit.OLEAUT32(00000000), ref: 007D0D1F
Part of subcall function 007D0CDF: VariantCopy.OLEAUT32(?,?), ref: 007D0D28
Part of subcall function 007D0CDF: VariantClear.OLEAUT32(?), ref: 007D0D34

Strings

Incorrect Parameter format, xrefs: 007E39A6, 007E3BA1
AUTOIT.ERROR, xrefs: 007E3A80, 007E3A85

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e1cc60fb762ee07ab69fd2fc9148a4fcd06e7590986a53a377a4e4eacf08f566
Instruction ID: 2df255e46177bc923a47e5852a333e68122658bcf5af6c575ecb2951cf23201d
Opcode Fuzzy Hash: e1cc60fb762ee07ab69fd2fc9148a4fcd06e7590986a53a377a4e4eacf08f566
Instruction Fuzzy Hash: 6D915574608345DFCB04DF25C48896AB7E4BF88314F14886EF88A9B351DB39EE45CB92

Function 007E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 007C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?,?,007C035E), ref: 007C002B
Part of subcall function 007C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0046
Part of subcall function 007C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0054
Part of subcall function 007C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?), ref: 007C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007E4C51
_wcslen.LIBCMT ref: 007E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007E4DCF
CoTaskMemFree.OLE32(?), ref: 007E4DDA

Strings

NULL Pointer assignment, xrefs: 007E4E23, 007E4E52

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 12acbd9270180a06e4d2c8e7fbfcda18e129b8f7d48ea982472ad79b50ba5a16
Instruction ID: f1b2fbc7974b4cc5aad9b84dfd4c6c3d69050195b82899f45643120295f2a4c9
Opcode Fuzzy Hash: 12acbd9270180a06e4d2c8e7fbfcda18e129b8f7d48ea982472ad79b50ba5a16
Instruction Fuzzy Hash: D6912571D0125DEBDF15DFA5C885AEEB7B8BF08310F108169E916B7251DB389A44CFA0

Function 007F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007F2183
GetMenuItemCount.USER32(00000000), ref: 007F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007F21DD
_wcslen.LIBCMT ref: 007F2213
GetMenuItemID.USER32(?,?), ref: 007F224D
GetSubMenu.USER32(?,?), ref: 007F225B

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007F22E3

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2405c7b2918f6605506b29c247260292135ed30961e96d91334adf166ebe0e24
Instruction ID: 883e40791469eb38d73294fb428b7b907dc7b274f41298ba0dfa3ba4dfdcd537
Opcode Fuzzy Hash: 2405c7b2918f6605506b29c247260292135ed30961e96d91334adf166ebe0e24
Instruction Fuzzy Hash: 6F716E75A00209EFCB11DFA4C845ABEB7B5FF48320F158459E916EB352DB38AD42CB90

Function 007CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007CAEF9
GetKeyboardState.USER32(?), ref: 007CAF0E
SetKeyboardState.USER32(?), ref: 007CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 007CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 007CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 007CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007CB020

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8ac60a661105fa30837371c6ab7298d2b5e4304575505cd3d56ec418ae1e0afb
Instruction ID: 511260098aef587e4d173eee4010024c588df1966b16e681d619bd6895458dfa
Opcode Fuzzy Hash: 8ac60a661105fa30837371c6ab7298d2b5e4304575505cd3d56ec418ae1e0afb
Instruction Fuzzy Hash: 235191A0A046D93DFB365234884AFBA7FA95B06309F08858DF1D5954C2D3ADE8C4D752

Function 007CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007CAD19
GetKeyboardState.USER32(?), ref: 007CAD2E
SetKeyboardState.USER32(?), ref: 007CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007CAE38

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b60816ef7141ff6ad96cd23368e389fadfa595c9e68faa50533afba08f78f5ec
Instruction ID: 38d49f3bd522b58cb5fe50994f1a38da6913c5357478248d68c81b081741b93f
Opcode Fuzzy Hash: b60816ef7141ff6ad96cd23368e389fadfa595c9e68faa50533afba08f78f5ec
Instruction Fuzzy Hash: 4151C6A16047D93DFB3742348C56F7A7F986B4530AF08858CE1D6468C3D29CEC84D792

Function 0079542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(007A3CD6,?,?,?,?,?,?,?,?,00795BA3,?,?,007A3CD6,?,?), ref: 00795470
__fassign.LIBCMT ref: 007954EB
__fassign.LIBCMT ref: 00795506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,007A3CD6,00000005,00000000,00000000), ref: 0079552C
WriteFile.KERNEL32(?,007A3CD6,00000000,00795BA3,00000000,?,?,?,?,?,?,?,?,?,00795BA3,?), ref: 0079554B
WriteFile.KERNEL32(?,?,00000001,00795BA3,00000000,?,?,?,?,?,?,?,?,?,00795BA3,?), ref: 00795584

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1887ba2a1e73f4e284c4ca1351c969aac225d577cba5a9bee3d40d6946000f3
Instruction ID: 4e3b4bf6158d6c35d114f0106ecb82712a87dae341d376371fb18083ba175651
Opcode Fuzzy Hash: e1887ba2a1e73f4e284c4ca1351c969aac225d577cba5a9bee3d40d6946000f3
Instruction Fuzzy Hash: BB51F5B09006499FCF11CFA8E845AEEBBFAEF08300F15401AF545E3292E734AA51CB60

Function 007E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
Part of subcall function 007E304E: _wcslen.LIBCMT ref: 007E309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E1112
WSAGetLastError.WSOCK32 ref: 007E1121
WSAGetLastError.WSOCK32 ref: 007E11C9
closesocket.WSOCK32(00000000), ref: 007E11F9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 9e904928f5d67c3021929be23378ac463fb9eb252eb809e84c5c0b4334a9d2e8
Instruction ID: 905a3faf485d2de2e03d1e834ef27beeeb051e9e400049ceef3c995e0ad8e779
Opcode Fuzzy Hash: 9e904928f5d67c3021929be23378ac463fb9eb252eb809e84c5c0b4334a9d2e8
Instruction Fuzzy Hash: 3A411231200248EFDB119F55C889BAABBE9EF49364F148059FD069B292C778AD41CBA1

Function 007CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007CCF22,?), ref: 007CDDFD

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007CCF22,?), ref: 007CDE16

lstrcmpiW.KERNEL32(?,?), ref: 007CCF45
MoveFileW.KERNEL32(?,?), ref: 007CCF7F
_wcslen.LIBCMT ref: 007CD005
_wcslen.LIBCMT ref: 007CD01B
SHFileOperationW.SHELL32(?), ref: 007CD061

Strings

\*.*, xrefs: 007CCFF3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 70b0b18d9a785496834b0837689dbf7e368fb8162a634bc581940969d43adc75
Instruction ID: fa3b09f40fe7a49826eabf28e326c10d7dbdc55f7ffef71ca7b9fb8359fc8944
Opcode Fuzzy Hash: 70b0b18d9a785496834b0837689dbf7e368fb8162a634bc581940969d43adc75
Instruction Fuzzy Hash: 1041487294521D9FDF13EBA4D985FDDB7B9AF08340F1400EEE509E7141EA38AA85CB50

Function 007F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007F2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007F2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007F2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007F2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007F2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007F2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F2F0B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5fdc226b429a4507ee581dd0535c0dfa0e7f3683e924ed53ad05fa913e59503e
Instruction ID: b4afdb65c5cdea440f6502a024a20c1728e896ef300de033624600462392d01b
Opcode Fuzzy Hash: 5fdc226b429a4507ee581dd0535c0dfa0e7f3683e924ed53ad05fa913e59503e
Instruction Fuzzy Hash: 9531F630644158DFDB218F58DD88F653BE1FB9AB10F2541A4FA00CF2B2CB75A842DB45

Function 007C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C778F
SysAllocString.OLEAUT32(00000000), ref: 007C7792
SysAllocString.OLEAUT32(?), ref: 007C77B0
SysFreeString.OLEAUT32(?), ref: 007C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007C77DE
SysAllocString.OLEAUT32(?), ref: 007C77EC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 16ccf0b5fc84ad968ce68049f545c0234d0928badd1aa3f40e88a351726b8c1a
Instruction ID: 8e749c59bd0651ed42a1395455394ecee852d14b276605b4b2028e5bb4a6aa43
Opcode Fuzzy Hash: 16ccf0b5fc84ad968ce68049f545c0234d0928badd1aa3f40e88a351726b8c1a
Instruction Fuzzy Hash: 0F21B27660821DAFDF14DFA8CD88DBB77ACEB093647008029F914DB150DA78DC45CB64

Function 007C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7868
SysAllocString.OLEAUT32(00000000), ref: 007C786B
SysAllocString.OLEAUT32 ref: 007C788C
SysFreeString.OLEAUT32 ref: 007C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 007C78AF
SysAllocString.OLEAUT32(?), ref: 007C78BD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: de3656c94398551e2a1a370a56476a51157f08c7af8ddad86df12043de9ce4c0
Instruction ID: 5e6e286ea235e9ff543546201529dcc4d14f3a8d8e0c136abea54292afff1c43
Opcode Fuzzy Hash: de3656c94398551e2a1a370a56476a51157f08c7af8ddad86df12043de9ce4c0
Instruction Fuzzy Hash: F5217771608208AFDF149FA8DC8DEBA77ECEB097607108129FA15CB1A1DA78DC41CB64

Function 007D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D052E

Strings

nul, xrefs: 007D0567

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3b103bb89bb5378c55324e40030b6f0a1c34e4d1c996ee9814d53104923a7491
Instruction ID: 7d16916d226318b0d0f3f64ea220e1d17aae8ea41b9f42b916b503b656c7d6e1
Opcode Fuzzy Hash: 3b103bb89bb5378c55324e40030b6f0a1c34e4d1c996ee9814d53104923a7491
Instruction Fuzzy Hash: CF214F75500205DBDB209F29E849F5A77B4BF45724F204A1AECA2D72E0D7749960DFA0

Function 007D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D0601

Strings

nul, xrefs: 007D0639

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 658d1a1f82c654d96801e5ba812c4bf8a91496b6a09deb02cb8e1dc060c32027
Instruction ID: 4ec2d80e92878d0087e622ca05248f46789aa7264772030b1677d78c50b047cc
Opcode Fuzzy Hash: 658d1a1f82c654d96801e5ba812c4bf8a91496b6a09deb02cb8e1dc060c32027
Instruction Fuzzy Hash: 5E217F75500305DBDB209F799C08BAA77B4BF95720F204A1AE8A1E73E0D774D860CBA4

Function 007F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0076600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
Part of subcall function 0076600E: GetStockObject.GDI32(00000011), ref: 00766060
Part of subcall function 0076600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F4145

Strings

Msctls_Progress32, xrefs: 007F40E3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 05d414ec003576edbdcb3073769ef6bf9c3cde5d02e9da61900eaf148bf237e9
Instruction ID: 5a30e52f7edbb181e58447be12583d226a865bf028d6a3fcce4746a65dcb2030
Opcode Fuzzy Hash: 05d414ec003576edbdcb3073769ef6bf9c3cde5d02e9da61900eaf148bf237e9
Instruction Fuzzy Hash: 78115EB215021DBEEF119E64CC85EE77F9DEF08798F014111BB18A6150CA769C61DBA4

Function 0079D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0079D7A3: _free.LIBCMT ref: 0079D7CC

_free.LIBCMT ref: 0079D82D

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079D838
_free.LIBCMT ref: 0079D843
_free.LIBCMT ref: 0079D897
_free.LIBCMT ref: 0079D8A2
_free.LIBCMT ref: 0079D8AD
_free.LIBCMT ref: 0079D8B8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 6b11a2716bc8512c6ca70ec62132eda6835277423126fcbd800a157c20a4b442
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: CF11CC71541B04FADE31BFF0EC4AFCB7B9C6F05710F404825B29DA65A2DA69B9064AA0

Function 007CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007CDA74
LoadStringW.USER32(00000000), ref: 007CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007CDA91
LoadStringW.USER32(00000000), ref: 007CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007CDAB9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 08e71455ec7591f1cfcaac7377abc01b6a82d1bfad76ff1cdc9c62f840b44fad
Instruction ID: a59411001edfb2392be26d10ae119a077cd91f34af7066f627a6b72c3b605dfa
Opcode Fuzzy Hash: 08e71455ec7591f1cfcaac7377abc01b6a82d1bfad76ff1cdc9c62f840b44fad
Instruction Fuzzy Hash: 380186F250020C7FE711ABA49E89EFB736CE708701F4084A5B746E2041E6789E848F78

Function 007D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010DE250,010DE250), ref: 007D097B
EnterCriticalSection.KERNEL32(010DE230,00000000), ref: 007D098D
TerminateThread.KERNEL32(?,000001F6), ref: 007D099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007D09A9
CloseHandle.KERNEL32(?), ref: 007D09B8
InterlockedExchange.KERNEL32(010DE250,000001F6), ref: 007D09C8
LeaveCriticalSection.KERNEL32(010DE230), ref: 007D09CF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 78a8e1812ff75cc167c26a145070f1a2253dbcd169c8a572b32063f183f70c63
Instruction ID: 895fb2c24da9526686ce4e1c57b3b1053244708a0fc33ee8f678a273516a24c7
Opcode Fuzzy Hash: 78a8e1812ff75cc167c26a145070f1a2253dbcd169c8a572b32063f183f70c63
Instruction Fuzzy Hash: CBF01D31442506EBD7425B94EF8DBE67B35FF01702F446016F101908A0C778A465DF94

Function 007E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007E1DE1
WSAGetLastError.WSOCK32 ref: 007E1DF2
htons.WSOCK32(?,?,?,?,?), ref: 007E1EDB
inet_ntoa.WSOCK32(?), ref: 007E1E8C

Part of subcall function 007C39E8: _strlen.LIBCMT ref: 007C39F2

Part of subcall function 007E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,007DEC0C), ref: 007E3240

_strlen.LIBCMT ref: 007E1F35

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 136d9dc26d7093af1131025c1cb56df61f5d605230cc706c453a5b002cb27565
Instruction ID: 9ccf83041e6bd83cc29191e87c6004e859a6dd0e6d3a559c617aa29d3a9417f7
Opcode Fuzzy Hash: 136d9dc26d7093af1131025c1cb56df61f5d605230cc706c453a5b002cb27565
Instruction Fuzzy Hash: 3CB1F530205380EFC724DF25C89AE2A77E5AF89318F94854CF4569B2E2DB39ED41CB91

Function 00765D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00765D30
GetWindowRect.USER32(?,?), ref: 00765D71
ScreenToClient.USER32(?,?), ref: 00765D99
GetClientRect.USER32(?,?), ref: 00765ED7
GetWindowRect.USER32(?,?), ref: 00765EF8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 898d01ed086bc24e8d2570b4180cbdc770d651c17a26390328f067764be7eba7
Instruction ID: fa6b00617db4e4d2a99dc4379599f49b62951393f00328718732258676bd90cf
Opcode Fuzzy Hash: 898d01ed086bc24e8d2570b4180cbdc770d651c17a26390328f067764be7eba7
Instruction Fuzzy Hash: 69B17B35A0074ADBDB14CFA8C4807EEB7F1FF98310F14851AE8AAD7250DB39AA51DB54

Function 007901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007900D6
__allrem.LIBCMT ref: 007900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0079010B
__allrem.LIBCMT ref: 00790122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00790140

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: aa5c8a94b4d0489d0fe1dc96e191247efa934f354d7d1c78df726465055833b5
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: BF811976640B06EFEB20AF69EC49B6F73E8AF41724F24413AF511D7681E778D9008790

Function 007961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007882D9,007882D9,?,?,?,0079644F,00000001,00000001,8BE85006), ref: 00796258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0079644F,00000001,00000001,8BE85006,?,?,?), ref: 007962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007963D8
__freea.LIBCMT ref: 007963E5

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

__freea.LIBCMT ref: 007963EE
__freea.LIBCMT ref: 00796413

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cec8ba7422b2327f5984a2b75a8968458b31cf8e17d693f0b3f0e9f2217af258
Instruction ID: a64d71ae662ec32ff4906f71ea476b11107609bfb148b8cff04e69934e720a70
Opcode Fuzzy Hash: cec8ba7422b2327f5984a2b75a8968458b31cf8e17d693f0b3f0e9f2217af258
Instruction Fuzzy Hash: F151D072A00216ABEF268F64ED85EBF77AAEB44750F154729FC05D6190EB3CDC50C6A0

Function 007EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EBD25
RegCloseKey.ADVAPI32(00000000), ref: 007EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007EBDF3
RegCloseKey.ADVAPI32(?), ref: 007EBDFF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1d60c54f106f8f8a141832c6e964a45afc6f8926de2cfe044100757ae855f5f6
Instruction ID: e2435d1221747e27abad3818c6f6d59b2f8bc51ec9c931525be6f104e912bc3f
Opcode Fuzzy Hash: 1d60c54f106f8f8a141832c6e964a45afc6f8926de2cfe044100757ae855f5f6
Instruction Fuzzy Hash: 03816E30209241EFD714DF25C895E2ABBE5FF88308F14855CF55A8B2A2DB35ED45CB92

Function 007BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 007BF7B9
SysAllocString.OLEAUT32(00000001), ref: 007BF860
VariantCopy.OLEAUT32(007BFA64,00000000), ref: 007BF889
VariantClear.OLEAUT32(007BFA64), ref: 007BF8AD
VariantCopy.OLEAUT32(007BFA64,00000000), ref: 007BF8B1
VariantClear.OLEAUT32(?), ref: 007BF8BB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ab112e813504bfbfd371e907cf68a144f9355d836162e2c7a4a3ba2a26eda4fc
Instruction ID: 71fcf20c8f6bea1a6e4cca47b192bc2976718273ad4436b5f102463fc57b84da
Opcode Fuzzy Hash: ab112e813504bfbfd371e907cf68a144f9355d836162e2c7a4a3ba2a26eda4fc
Instruction Fuzzy Hash: 8751E631601310FACF24AB65DC99BB9B3A8EF45B10B209477E906DF291DB789C40C796

Function 007D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007D94E5
_wcslen.LIBCMT ref: 007D9506
_wcslen.LIBCMT ref: 007D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 007D9585

Strings

X, xrefs: 007D9412

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e6a4fde304b081d4823d970b791a3aca4d165dd5c8c75477837efc24a54b669b
Instruction ID: 3ac951ac49c2b037c074548401518ba3c0814b97eb59ab49474d661eca98f780
Opcode Fuzzy Hash: e6a4fde304b081d4823d970b791a3aca4d165dd5c8c75477837efc24a54b669b
Instruction Fuzzy Hash: 0EE18131604340DFD724DF24C885A6AB7F4BF85314F14896DE98A9B3A2DB39ED05CB91

Function 0077920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

BeginPaint.USER32(?,?,?), ref: 00779241
GetWindowRect.USER32(?,?), ref: 007792A5
ScreenToClient.USER32(?,?), ref: 007792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007792D3
EndPaint.USER32(?,?,?,?,?), ref: 00779321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007B71EA

Part of subcall function 00779339: BeginPath.GDI32(00000000), ref: 00779357

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 50f83f5b171426c50b2cb0d9f8669c25cc56c9adb39a566c1626e89dd224601a
Instruction ID: b25110fc1aeb8b6f90fba8b50fc65cd9c493f347f8ae110ac5e0f4268fe35834
Opcode Fuzzy Hash: 50f83f5b171426c50b2cb0d9f8669c25cc56c9adb39a566c1626e89dd224601a
Instruction Fuzzy Hash: 5641A170105204EFDB11DF24CC88FBA7BA8FB85760F144669FA59872A1C7399845DB61

Function 007D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 007D0847
EnterCriticalSection.KERNEL32(?), ref: 007D0863
LeaveCriticalSection.KERNEL32(?), ref: 007D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007D0921

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6ed4c497d67e78a2873d583b0ec4f4de202d69342631fe7596d48093fe6673aa
Instruction ID: 806f4cbcc92111b578bd397df78515ada89947d7d68b95bf3c2c6bf4b43489ea
Opcode Fuzzy Hash: 6ed4c497d67e78a2873d583b0ec4f4de202d69342631fe7596d48093fe6673aa
Instruction Fuzzy Hash: 7241BD71900209EFDF15EF64DC85A6A7778FF04300F1080A9ED04AA297D738EE61DBA4

Function 007F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,007BF3AB,00000000,?,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007F824C
EnableWindow.USER32(?,00000000), ref: 007F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007F82D1
ShowWindow.USER32(?,00000004), ref: 007F82E5
EnableWindow.USER32(?,00000001), ref: 007F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007F832F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c89288c946e10d25c465b896194fc514dd3ea8b529f5411f4f4c1e63482fe000
Instruction ID: 69de5df74a7f24cf69c1447b9bfa165c89b49ba974a19863cb7ec22289e22ad3
Opcode Fuzzy Hash: c89288c946e10d25c465b896194fc514dd3ea8b529f5411f4f4c1e63482fe000
Instruction Fuzzy Hash: B8418334601648EFDF51CF25C999BF87BE0FB45B14F1841A9EA088B372CB35A845CB51

Function 007C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007C4CEA
_wcslen.LIBCMT ref: 007C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007C4D10
_wcsstr.LIBVCRUNTIME ref: 007C4D1A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b23fb34528de1766d49d8e3880dc1e9dc02f8c7bfe9eb0c98cc33a686afda0aa
Instruction ID: 664c3d8f804d018260c588ff3e1624b7d7ccaffaafef33b45338cb25cd148403
Opcode Fuzzy Hash: b23fb34528de1766d49d8e3880dc1e9dc02f8c7bfe9eb0c98cc33a686afda0aa
Instruction Fuzzy Hash: 8E21F932604204BBEB256B399D59F7B7BACDF45750F10806DF90ACA1A1EAA9DC01D7A0

Function 007D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

_wcslen.LIBCMT ref: 007D587B
CoInitialize.OLE32(00000000), ref: 007D5995
CoCreateInstance.OLE32(007FFCF8,00000000,00000001,007FFB68,?), ref: 007D59AE
CoUninitialize.OLE32 ref: 007D59CC

Strings

.lnk, xrefs: 007D5876, 007D58C1, 007D5985

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 113bfea9ae8276177a46a3a866d4b032e8b77a22509b42df664570e45eed6e06
Instruction ID: 635d3c6c9f0b2bfa29ab48776c7a683fca9416923f7c4556f19184d58ffe8725
Opcode Fuzzy Hash: 113bfea9ae8276177a46a3a866d4b032e8b77a22509b42df664570e45eed6e06
Instruction Fuzzy Hash: 9DD153B1604601DFC714DF24C49492ABBF5EF89724F14885EF88A9B361DB39EC45CB92

Function 007C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C0FCA
Part of subcall function 007C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C0FD6
Part of subcall function 007C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C0FE5
Part of subcall function 007C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C0FEC
Part of subcall function 007C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C1002

GetLengthSid.ADVAPI32(?,00000000,007C1335), ref: 007C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C17BA
HeapAlloc.KERNEL32(00000000), ref: 007C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007C17DA
GetProcessHeap.KERNEL32(00000000,00000000,007C1335), ref: 007C17EE
HeapFree.KERNEL32(00000000), ref: 007C17F5

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6fc6eecb2b011273b0ecca46ae829338f700e9875ca7b9a067e7f24b781d6f8b
Instruction ID: c3742bc3024b13357ef82147b965a2d181941df57b4b9e04c093d13fe1ca9506
Opcode Fuzzy Hash: 6fc6eecb2b011273b0ecca46ae829338f700e9875ca7b9a067e7f24b781d6f8b
Instruction Fuzzy Hash: 73119772610209EFDB119FA4CD49FBE7BA9EF42355F50802CF881A7212D73AAD55CB60

Function 007C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 007C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C1515
CloseHandle.KERNEL32(00000004), ref: 007C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 007C1563

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a29b6365fff2119f1653166e981f9a8e576d475c28c178d3f7f83202b6a35c8c
Instruction ID: 47c5dcb84ecb11da001f2394a9ff483d73ec2898e614244f4df2225036d09f46
Opcode Fuzzy Hash: a29b6365fff2119f1653166e981f9a8e576d475c28c178d3f7f83202b6a35c8c
Instruction Fuzzy Hash: E511607250024DEBDF128F94DE49FDE7BA9EF45744F048068FA05A2160C379CE65EB60

Function 00783382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00783379,00782FE5), ref: 00783390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0078339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007833B7
SetLastError.KERNEL32(00000000,?,00783379,00782FE5), ref: 00783409

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f2caba0c8b77c3628ba55a880b811bb379a3839811aceab60cd9afae47471dd1
Instruction ID: b00d30194383aadcb1fd40753bcf30ef36d63b8f11f4b12986d9397a1a8c92b7
Opcode Fuzzy Hash: f2caba0c8b77c3628ba55a880b811bb379a3839811aceab60cd9afae47471dd1
Instruction Fuzzy Hash: C301D432789711FEAA25377CBC89A7A2A94FB05B79720422AF414851F1EF1D4E029785

Function 00792D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00795686,007A3CD6,?,00000000,?,00795B6A,?,?,?,?,?,0078E6D1,?,00828A48), ref: 00792D78
_free.LIBCMT ref: 00792DAB
_free.LIBCMT ref: 00792DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0078E6D1,?,00828A48,00000010,00764F4A,?,?,00000000,007A3CD6), ref: 00792DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0078E6D1,?,00828A48,00000010,00764F4A,?,?,00000000,007A3CD6), ref: 00792DEC
_abort.LIBCMT ref: 00792DF2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6898fddee0f2a64ec25e10077574d4ae6d761c88b46abac1e1b9d3e91736adf4
Instruction ID: 2424ae9b8ea5e1d77117384e08fe183d96961dfe2c19539ba4f5e95e843ef0e8
Opcode Fuzzy Hash: 6898fddee0f2a64ec25e10077574d4ae6d761c88b46abac1e1b9d3e91736adf4
Instruction Fuzzy Hash: C5F04435645A00B7CE227734BC0EE6E2659BFC27A1F254519F824E62A3EE6C980355A1

Function 007F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00779639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796A2
Part of subcall function 00779639: BeginPath.GDI32(?), ref: 007796B9
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007F8A70
LineTo.GDI32(?,00000000,00000003), ref: 007F8A80
EndPath.GDI32(?), ref: 007F8A90
StrokePath.GDI32(?), ref: 007F8AA0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b5521ac7876ad03ec3b7b6f5fec0d5c12aca65aca1ce68ace130cf0da479a2f2
Instruction ID: 15fcc156f3119cd796d9fe13be218521f86513cf725a3e88a8c6c1f6ba9042b7
Opcode Fuzzy Hash: b5521ac7876ad03ec3b7b6f5fec0d5c12aca65aca1ce68ace130cf0da479a2f2
Instruction Fuzzy Hash: 6711097600010DFFDF129F90DC88EAA7F6CEB08354F00C012FA199A1A1DB759D55DBA0

Function 007C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 007C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C5230
ReleaseDC.USER32(00000000,00000000), ref: 007C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 007C5261

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5bd9a6aaacac9c4dfff9f7b5764311363d0625e3a040c271acde2a3999f26c2a
Instruction ID: 4cbab3ea8dc0d391f3f06b0c9775c70bc912ebe31dfb53271acdd26a0c2c1671
Opcode Fuzzy Hash: 5bd9a6aaacac9c4dfff9f7b5764311363d0625e3a040c271acde2a3999f26c2a
Instruction Fuzzy Hash: CA018FB5A00708BBEB119BA59D49F5EBFB8FB48751F048069FA04E7380DA749800CBA4

Function 00761BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00761BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00761BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00761C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00761C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00761C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00761C22

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2b75124999396293fb2f5eab6ba834d1bd0fe033c0a0c7810a32bdf920144b43
Instruction ID: 0d40194ccf4f793bd6f344f122031b4d12e7733e9f1077eb8ba021936278c85b
Opcode Fuzzy Hash: 2b75124999396293fb2f5eab6ba834d1bd0fe033c0a0c7810a32bdf920144b43
Instruction Fuzzy Hash: 61016CB09027597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 007CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 007CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB75

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6767a7187ecece7c912dcac311844f72e1d3600c679aa611bedad0fd02edced2
Instruction ID: a06114339e9d0fa837849a53bef4c63a1cd8a36f73145904e4d71bd15a3a4406
Opcode Fuzzy Hash: 6767a7187ecece7c912dcac311844f72e1d3600c679aa611bedad0fd02edced2
Instruction Fuzzy Hash: 36F03AB224015CBBE7225B629D0EEFF3B7CEFCAB11F008158F601D1091DBA85A01D6B9

Function 007B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 007B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 007B7469
GetWindowDC.USER32(?), ref: 007B7475
GetPixel.GDI32(00000000,?,?), ref: 007B7484
ReleaseDC.USER32(?,00000000), ref: 007B7496
GetSysColor.USER32(00000005), ref: 007B74B0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 23fee1a0de3480ef2342fb438e0d304946deb13bab4a7e5399b535dc2b1e8af2
Instruction ID: d174b95a9a8e28ab234d1ad76c7f6cbf1e4195c47d0bceb89091c2e4ebcbcec0
Opcode Fuzzy Hash: 23fee1a0de3480ef2342fb438e0d304946deb13bab4a7e5399b535dc2b1e8af2
Instruction Fuzzy Hash: B901AD31408209EFDB125FA4DD08BFA7BB5FF04322F208060F915A71A0CB391E51EB10

Function 007C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C187F
UnloadUserProfile.USERENV(?,?), ref: 007C188B
CloseHandle.KERNEL32(?), ref: 007C1894
CloseHandle.KERNEL32(?), ref: 007C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007C18A5
HeapFree.KERNEL32(00000000), ref: 007C18AC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 06f83aae6165e5ff8013469f9ba4567df96e03ec18218110f2bd1c925791679e
Instruction ID: a20f120d14c91336fafbf88e0e422af3dddddb3bc9bd887c73caa2877e932558
Opcode Fuzzy Hash: 06f83aae6165e5ff8013469f9ba4567df96e03ec18218110f2bd1c925791679e
Instruction Fuzzy Hash: B5E0C276004109FBDA026BA1EE0CD1ABF29FF49B22B11C220F22581070CB369830EB68

Function 007E7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00780242: EnterCriticalSection.KERNEL32(0083070C,00831884,?,?,0077198B,00832518,?,?,?,007612F9,00000000), ref: 0078024D
Part of subcall function 00780242: LeaveCriticalSection.KERNEL32(0083070C,?,0077198B,00832518,?,?,?,007612F9,00000000), ref: 0078028A

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007800A3: __onexit.LIBCMT ref: 007800A9

__Init_thread_footer.LIBCMT ref: 007E7BFB

Part of subcall function 007801F8: EnterCriticalSection.KERNEL32(0083070C,?,?,00778747,00832514), ref: 00780202
Part of subcall function 007801F8: LeaveCriticalSection.KERNEL32(0083070C,?,00778747,00832514), ref: 00780235

Strings

Variable must be of type 'Object'., xrefs: 007E7C3A
+T{, xrefs: 007E7E2E
G, xrefs: 007E7C7F
5, xrefs: 007E7C78

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T{$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1022402583
Opcode ID: e34ab4b5f0d534c3311e7ac5a30a8bc1785f1842ff9b7a44c81302d80aae6428
Instruction ID: d7d5a719b3174b11d7fa1ded694697ef24c4c2a8b9f7db9467fce93c600ac3b4
Opcode Fuzzy Hash: e34ab4b5f0d534c3311e7ac5a30a8bc1785f1842ff9b7a44c81302d80aae6428
Instruction Fuzzy Hash: B291BE70A05249EFCB08EF55D994DBDB7B5FF48304F108049F806AB292DB79AE45CB61

Function 007CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007CC6EE
_wcslen.LIBCMT ref: 007CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007CC7CA

Strings

0, xrefs: 007CC6AF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4dacef41099409075a2dc1392c907fdac4ee06826609bb15c0543cf4463bc9de
Instruction ID: 903e9ca54e8f2e4992742e87a5b8bd9b84559710497c8b0f5eefc8c4c93888b7
Opcode Fuzzy Hash: 4dacef41099409075a2dc1392c907fdac4ee06826609bb15c0543cf4463bc9de
Instruction Fuzzy Hash: E451C0716143019BD7169F28C989F6BB7E8EF89710F040A2DF999E31A0DB78D904DB92

Function 007EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007EAEA3

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

GetProcessId.KERNEL32(00000000), ref: 007EAF38
CloseHandle.KERNEL32(00000000), ref: 007EAF67

Strings

@, xrefs: 007EAE72
<, xrefs: 007EAE6B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a6e8ca00ad2ea4444ab1bb704df483890de0a8d904a85a4a917af8b45f9ef9be
Instruction ID: 3acbbf23c3d0e5e63c4cccc931d0fac7cb35d9707ccfcdc3d9f736f06d904f92
Opcode Fuzzy Hash: a6e8ca00ad2ea4444ab1bb704df483890de0a8d904a85a4a917af8b45f9ef9be
Instruction Fuzzy Hash: 1B719B71A00259EFCB15DF55C489A9EBBF0FF08314F048499E816AB3A2C778ED45CB91

Function 007C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007C72CF

Strings

DllGetClassObject, xrefs: 007C7242

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0498060b94a150e0665aafa3d3bffa29bed7422f1ec904e9e58ae66120e52730
Instruction ID: 9afbbfdca6c5d7b47048624644349176b5b46d8568193c49a7e9e6d678b379d4
Opcode Fuzzy Hash: 0498060b94a150e0665aafa3d3bffa29bed7422f1ec904e9e58ae66120e52730
Instruction Fuzzy Hash: 0C41FAB1604204ABDB19CF54C984FAA7BB9FF44310B2580ADBD059F20ADBB9D945DFA0

Function 007F3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F3E35
IsMenu.USER32(?), ref: 007F3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F3E92
DrawMenuBar.USER32 ref: 007F3EA5

Strings

0, xrefs: 007F3D89

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: f9b7d744766b8859571018426b6213c5745d48c1598760e4935a7739b48f42f9
Instruction ID: ef4e8d389dea589564f063921f27b0d813d87075d620b7789fcc62d0f4c62665
Opcode Fuzzy Hash: f9b7d744766b8859571018426b6213c5745d48c1598760e4935a7739b48f42f9
Instruction Fuzzy Hash: 81412475A0020DEFDF10DF64D884AEABBB9FF48354F048129EA15A7350D738AE55CB60

Function 007C1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007C1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007C1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 007C1EA9

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Strings

ComboBox, xrefs: 007C1DF0
ListBox, xrefs: 007C1E25

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: d43347f506b6c1facff7b92e7211420117f94e0c930194fd2a19f5c5d5e1d8fd
Instruction ID: fcdf244ea1cdd1a7a5db1e655f796fb74af8ad4fdf5c7b4ba6515cdc8d61039a
Opcode Fuzzy Hash: d43347f506b6c1facff7b92e7211420117f94e0c930194fd2a19f5c5d5e1d8fd
Instruction Fuzzy Hash: 64213771A00108FADB14AB64DD49DFFB7B8EF42350B54812DF826E31E1DB7C490AC620

Function 007F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F2F8D
LoadLibraryW.KERNEL32(?), ref: 007F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F2FA9
DestroyWindow.USER32(?), ref: 007F2FB1

Strings

SysAnimate32, xrefs: 007F2F68

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 68550734aeb608dac55c42e13cce2a6d196446e57f8a2ce447f7f1b85cfd8bda
Instruction ID: 73605c152abbe044540b2751734170d624a003352c4e41d88dce2ee71307de75
Opcode Fuzzy Hash: 68550734aeb608dac55c42e13cce2a6d196446e57f8a2ce447f7f1b85cfd8bda
Instruction Fuzzy Hash: 1E21FD7122420DABEF114FA8DC84EBB37FDEB58324F104628FA10D22A1C339DC829760

Function 00784D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00784D1E,007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002), ref: 00784D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00784DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00784D1E,007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000), ref: 00784DC3

Strings

CorExitProcess, xrefs: 00784D98
mscoree.dll, xrefs: 00784D86

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c1933c8c60b7cf7e1238e9501bbfe3d0568bce1c404031bb80046bc8eccc080c
Instruction ID: 45d8cb080c6be250e72b771de8312afb50e5d97992838e5d95e8e1f9b315eb3b
Opcode Fuzzy Hash: c1933c8c60b7cf7e1238e9501bbfe3d0568bce1c404031bb80046bc8eccc080c
Instruction Fuzzy Hash: 94F0AF30A4020DFBDB11AF90DC09BADBBB5EF04751F0040A4F905A22A0CB795940CB95

Function 00764E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00764EAE
FreeLibrary.KERNEL32(00000000,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00764EA8
kernel32.dll, xrefs: 00764E94

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 81f28cc106d7c56405bfe096c5d37d0894459be7300a9411c7052117caae4831
Instruction ID: 0259b7e0451f08f3590b52b7c768dfdb83254fefdfce4fe34dc49f9eeac2d45e
Opcode Fuzzy Hash: 81f28cc106d7c56405bfe096c5d37d0894459be7300a9411c7052117caae4831
Instruction Fuzzy Hash: 1DE0C2B6E0263A6BD2331B25BD18B7F6769BF81F62B094115FD06E2200DB6CCD01C4A5

Function 00764E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00764E74
FreeLibrary.KERNEL32(00000000,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00764E6E
kernel32.dll, xrefs: 00764E5B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2b92c22e44762883281154a33317a64be01017698cc518ed52a33430418a7c5b
Instruction ID: 8a02ba3daef6368c0de14d22f79a1af3b570b401d918ba55b923df76cc5bf34a
Opcode Fuzzy Hash: 2b92c22e44762883281154a33317a64be01017698cc518ed52a33430418a7c5b
Instruction Fuzzy Hash: F0D0C27950263A5B86231B247D18DAB2B18AF81B113054111BD06E2210CF2DCD11C1D4

Function 007D2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2C05
DeleteFileW.KERNEL32(?), ref: 007D2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2CC0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 746f3747a7db72620b549ec31955d1f650f3e4375533e948366178252febeb77
Instruction ID: cdcee5ecc113f37c42755a24a37eb979a735d20373bf64edf08c7dc2ff1ce049
Opcode Fuzzy Hash: 746f3747a7db72620b549ec31955d1f650f3e4375533e948366178252febeb77
Instruction Fuzzy Hash: 64B15171900119EBDF21EBA4CC89EDE777DEF58350F1040A6F909E7242EA389E468F61

Function 007EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EA468
CloseHandle.KERNEL32(?), ref: 007EA63D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 23abbc04ebca819b4e095b4511a2c9979b788002fe2033780e5f1bcf6fe093f4
Instruction ID: 7c3872ce03ca02a53be426cd03c823782d1b7b77bc273c2ebd3e70c516c1c883
Opcode Fuzzy Hash: 23abbc04ebca819b4e095b4511a2c9979b788002fe2033780e5f1bcf6fe093f4
Instruction Fuzzy Hash: 85A19271604340EFD720DF15C88AF2AB7E5AF88714F14885DF99A9B292D7B4EC41CB92

Function 0079BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00803700), ref: 0079BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0083121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0079BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00831270,000000FF,?,0000003F,00000000,?), ref: 0079BC36
_free.LIBCMT ref: 0079BB7F

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079BD4B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8a4bc453f36ee5f43bd142b93136e8e6ddeaa72aa6c1ad37297b5e09ac1436e7
Instruction ID: 63b2aba93fa494b76ef75ab309d051fe6558b6c3ab620ab5773ddfc7d0b2f543
Opcode Fuzzy Hash: 8a4bc453f36ee5f43bd142b93136e8e6ddeaa72aa6c1ad37297b5e09ac1436e7
Instruction Fuzzy Hash: F151FB71900209EFCF10EF65BD8997EB7BCFF81720B10466AE514D7291DB789D418BA0

Function 007CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007CCF22,?), ref: 007CDDFD

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007CCF22,?), ref: 007CDE16

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

lstrcmpiW.KERNEL32(?,?), ref: 007CE473
MoveFileW.KERNEL32(?,?), ref: 007CE4AC
_wcslen.LIBCMT ref: 007CE5EB
_wcslen.LIBCMT ref: 007CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 007CE650

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f0b969257d5e4ac099e31d219b3a4559cd6547ba8ad4a1ad6eb28f36ec32d040
Instruction ID: 39ea969b3ced0524631a0f6d035305e11ce11ff587fb213b229b763a861ded3f
Opcode Fuzzy Hash: f0b969257d5e4ac099e31d219b3a4559cd6547ba8ad4a1ad6eb28f36ec32d040
Instruction Fuzzy Hash: 155155B25087859BD724EB90DC85EDFB3DCAF85340F00491EF689D3191EF78A6888766

Function 007EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007EBB63
RegCloseKey.ADVAPI32(?,?), ref: 007EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 007EBBB3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 66f341c61e6520ba4d368f0a028d956bdba4e77486e2052078ba2603e2f4f874
Instruction ID: a8b7e3d3f8ab57d9c513f1a2f257495208e90cb6f9d9ef1b24de19f0eba406a1
Opcode Fuzzy Hash: 66f341c61e6520ba4d368f0a028d956bdba4e77486e2052078ba2603e2f4f874
Instruction Fuzzy Hash: 66617E71109241EFD714DF24C894E2ABBE5BF88308F14856CF4968B292DB35ED45CB92

Function 007C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C8BCD
VariantClear.OLEAUT32 ref: 007C8C3E
VariantClear.OLEAUT32 ref: 007C8C9D
VariantClear.OLEAUT32(?), ref: 007C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007C8D3B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1d579d9238b51fc51d63923627bcb4a9ec4e61f8e26223e36ff8f0f2024ca592
Instruction ID: 2f07d2d64205eb3c16cc46d469c53c7330d1da748b22b55ffe5b5b3ffe77784b
Opcode Fuzzy Hash: 1d579d9238b51fc51d63923627bcb4a9ec4e61f8e26223e36ff8f0f2024ca592
Instruction Fuzzy Hash: 555148B5A00219EFCB10CF68D884EAABBF4FF89310B15855DE916DB350E734E911CB90

Function 007D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007D8C5F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 61c5728733e7fd9a4e022ceade468268e3d7ca0bbd2ff59b2860ecdfcd8bbb76
Instruction ID: 4759ecdf4f274f42162138eb0cca91e12ea19bd78489272ef5dda10b57b04712
Opcode Fuzzy Hash: 61c5728733e7fd9a4e022ceade468268e3d7ca0bbd2ff59b2860ecdfcd8bbb76
Instruction Fuzzy Hash: A0515D35A00215DFCB05DF64C884A69BBF5FF48314F08C499E84AAB362DB39ED51DBA1

Function 007E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007E9032
FreeLibrary.KERNEL32(00000000), ref: 007E9052

Part of subcall function 0077F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,007D1043,?,7644E610), ref: 0077F6E6
Part of subcall function 0077F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,007BFA64,00000000,00000000,?,?,007D1043,?,7644E610,?,007BFA64), ref: 0077F70D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f4a05b781a87d6e36b661b8d8fb100bdc6e7748197ca3006cb293c661d0bc01d
Instruction ID: 9c1b4a1afbb05910fa50d164577a74cba987d0ce1358311bd80e47bba8439ffb
Opcode Fuzzy Hash: f4a05b781a87d6e36b661b8d8fb100bdc6e7748197ca3006cb293c661d0bc01d
Instruction Fuzzy Hash: 16514835601245DFCB11DF59C4848ADBBF1FF49314F0880A9E90AAB362DB39ED85CB91

Function 007F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,007DAB79,00000000,00000000), ref: 007F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007F6CC7

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 85c5c059982f28adde638cd59868f3a993ae1c1d63d072682e69e3f2197f829f
Instruction ID: 79ab97a5c78621c7fafe24b461743bb70fc2d7f626d1f2e32f58850aac7b40d6
Opcode Fuzzy Hash: 85c5c059982f28adde638cd59868f3a993ae1c1d63d072682e69e3f2197f829f
Instruction Fuzzy Hash: 6841C135604108AFDB25DF28CD58FB97BA5EB09360F150268EA95E73A1C379BD41CA60

Function 00792051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007920C3
_free.LIBCMT ref: 007920E3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 894b3c731dc17b02cde08ff19c3340241f898aa1426a5a09a9a476ed70bf4602
Instruction ID: 6a6a565b4ba38f663bab2e19376d801cb45e34d60e439dce7101526c7f198fb1
Opcode Fuzzy Hash: 894b3c731dc17b02cde08ff19c3340241f898aa1426a5a09a9a476ed70bf4602
Instruction Fuzzy Hash: 4941E232A00204EFCF20EF78D885A6DB7A5EF88310F1585A8E515EB352DA35AD02CB81

Function 0077912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00779141
ScreenToClient.USER32(00000000,?), ref: 0077915E
GetAsyncKeyState.USER32(00000001), ref: 00779183
GetAsyncKeyState.USER32(00000002), ref: 0077919D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e7436a4388398170cd9bcf32952ea8c15b4877154bc6bd5625a1bfb73892b8fc
Instruction ID: 6b6da8b6235d655ff841665bb4c3adfa48cbd0e81726d43f84a3082876fa4506
Opcode Fuzzy Hash: e7436a4388398170cd9bcf32952ea8c15b4877154bc6bd5625a1bfb73892b8fc
Instruction Fuzzy Hash: 6741707190860EFBDF099F68C848BFEB775FB45360F208215E529A7290D7385D64CB61

Function 007D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 007D3922
TranslateMessage.USER32(?), ref: 007D394B
DispatchMessageW.USER32(?), ref: 007D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007D3966

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9bec757e5d36707daf17f4f9bd65170f97650711b790d0423d1242632d353489
Instruction ID: 24199e22cf93012198a13fb11f4ce83fb2cd298bac195794d9565038685a69cb
Opcode Fuzzy Hash: 9bec757e5d36707daf17f4f9bd65170f97650711b790d0423d1242632d353489
Instruction Fuzzy Hash: 2831B7705043459EEF35CB34995CBB67BB8BB45308F14496BE466823A0E3FCB684DB22

Function 007DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 007DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFF2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a60423644f92daa55007beafb28c0b518e4275559109ad9628e4882b0c758978
Instruction ID: 7127112346c2119cd96935b5328c3ecc8310fcd19a22694f9d61fbda53b9333f
Opcode Fuzzy Hash: a60423644f92daa55007beafb28c0b518e4275559109ad9628e4882b0c758978
Instruction Fuzzy Hash: CA313072604306EFDB22DFA5C9849ABBBF9EF14351B10842FF516D2251DB38AE41DB60

Function 007C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007C19E2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ad91fbdf50d3ee6f72f48828f07b5b0fd93918018ccc4a026194711b0e1a68e0
Instruction ID: c8c3fa0d30b88b86086b5332716afdecd20d6fff3b2cee1c4af98d9e8201bebe
Opcode Fuzzy Hash: ad91fbdf50d3ee6f72f48828f07b5b0fd93918018ccc4a026194711b0e1a68e0
Instruction Fuzzy Hash: 3D31CF71900259EFCB00CFA8C999BEE3BB5EB05314F00826DF921A72D1C374A954CB90

Function 007F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007F579D
_wcslen.LIBCMT ref: 007F57AF
_wcslen.LIBCMT ref: 007F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F5816

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5000a2bf24dee0702805f2c4ac353d55a435c010800e6777b7ace05ff5dab7af
Instruction ID: 3d234f6c72bddfd8a752f4e4876126841fddecb005365844a1e072483cbc1fec
Opcode Fuzzy Hash: 5000a2bf24dee0702805f2c4ac353d55a435c010800e6777b7ace05ff5dab7af
Instruction Fuzzy Hash: EE21857190461CDADB209F60CC85EFD77B8FF44724F108256EB29EA280D7789985CF50

Function 007E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007E0951
GetForegroundWindow.USER32 ref: 007E0968
GetDC.USER32(00000000), ref: 007E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007E09B0
ReleaseDC.USER32(00000000,00000003), ref: 007E09E8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c910476befb35fb98138497e93def4de8c3924c64a3aa5b234cdabbeab040ed1
Instruction ID: 7c25accc5b1bd002333bffbc4faf2a368d1cfeaafc217d5adb274eac6f3df764
Opcode Fuzzy Hash: c910476befb35fb98138497e93def4de8c3924c64a3aa5b234cdabbeab040ed1
Instruction Fuzzy Hash: 40219335600204EFD704EF65D988AAEBBF5EF49700F048469F84AE7762DB78AC44DB90

Function 0079CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0079CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0079CDE9

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0079CE0F
_free.LIBCMT ref: 0079CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079CE31

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cbd1534da3c3fbef9771a31defd1e936672ef2d7e4e6971605977e41afe4ab5e
Instruction ID: 8eda1053d8243cc548707c6b5c40115b7c9faa49b5665111216d8b4ccdc33f8e
Opcode Fuzzy Hash: cbd1534da3c3fbef9771a31defd1e936672ef2d7e4e6971605977e41afe4ab5e
Instruction Fuzzy Hash: 7001F7726012197F2F2356B67C8CC7B7A6DDEC6BA1315412DFD06C7201EA688D01C2F4

Function 00779639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
SelectObject.GDI32(?,00000000), ref: 007796A2
BeginPath.GDI32(?), ref: 007796B9
SelectObject.GDI32(?,00000000), ref: 007796E2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0a7404e856c592e5d7ad5ced13076588cb497f41b32d0f741ccc9a768bcc50e7
Instruction ID: e2e8c85fb6b19e604674c94ea611b53f68f767e8fd281c5fef16cb3c23bd0098
Opcode Fuzzy Hash: 0a7404e856c592e5d7ad5ced13076588cb497f41b32d0f741ccc9a768bcc50e7
Instruction Fuzzy Hash: 50218070802309EBDF119F24DD0CBA93FB8BB80BA5F508716F914E61B0D3799892CB94

Function 007C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007C5726
_memcmp.LIBVCRUNTIME ref: 007C5744
_memcmp.LIBVCRUNTIME ref: 007C5757
_memcmp.LIBVCRUNTIME ref: 007C576F
_memcmp.LIBVCRUNTIME ref: 007C5787

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5e91dc08381e668dd710e1160cb1202072efbc8efecad824fed6d9c735918d9e
Instruction ID: edd2dff25d9dab055b361c9175db209de6aade8d7a229c80375a182aa862b74e
Opcode Fuzzy Hash: 5e91dc08381e668dd710e1160cb1202072efbc8efecad824fed6d9c735918d9e
Instruction Fuzzy Hash: 0F01B9A1681619FBD21866209D46FBB735D9F21394F40402CFE049A641FB6EFDD1C3B4

Function 00792DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0078F2DE,00793863,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6), ref: 00792DFD
_free.LIBCMT ref: 00792E32
_free.LIBCMT ref: 00792E59
SetLastError.KERNEL32(00000000,00761129), ref: 00792E66
SetLastError.KERNEL32(00000000,00761129), ref: 00792E6F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bf9e42a23b3e96c91de9b220df44935e29d041a4ce5d44ac75b57d9c4e458fb5
Instruction ID: bc37b1b87b8b4819201f1c0b0d3087f080a9439d36350ff8d4da4cd5f608f4b7
Opcode Fuzzy Hash: bf9e42a23b3e96c91de9b220df44935e29d041a4ce5d44ac75b57d9c4e458fb5
Instruction Fuzzy Hash: 9F01A932645A00B7CE1377747CCED3B265DBFD17B5B254125F425E2293EA6C8C034565

Function 007C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?,?,007C035E), ref: 007C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?), ref: 007C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0070

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cbc4ae49620b4d6423de36e2e31e83dab7b5761b6ee4f9fc1c98101c7dc92d30
Instruction ID: 21c9e21213ef3979f7b1c249bd28b41f4d1936e400a63dfa70755ba2a1450c6c
Opcode Fuzzy Hash: cbc4ae49620b4d6423de36e2e31e83dab7b5761b6ee4f9fc1c98101c7dc92d30
Instruction Fuzzy Hash: 53017876600208EFDB124F68DD08FBA7BADEB447A2F15812CF905D6210E779DD809BE0

Function 007CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 007CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 007CE9A5
Sleep.KERNEL32(00000000), ref: 007CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 007CE9B7
Sleep.KERNEL32 ref: 007CE9F3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5fea4e9a4f3c028fe0ddefd69e25833a48198c7884f59cc7e080ebd526127c83
Instruction ID: ff139f9d399fb6361d7cf3be9021ef47eabb7435631bb191693344a5054f8e15
Opcode Fuzzy Hash: 5fea4e9a4f3c028fe0ddefd69e25833a48198c7884f59cc7e080ebd526127c83
Instruction Fuzzy Hash: 99015771C0162DDBCF00ABE4D949AEDBB78FF09300F00454AE502B2241DB38A651CBA6

Function 007C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9d9329a0ff811124cc002bebf8d6040cde77241c38f13c54c2999b548415fd8a
Instruction ID: c142b13f6f651a3212ce075e496cdc21afabb6a244111418709a3adabf6e6617
Opcode Fuzzy Hash: 9d9329a0ff811124cc002bebf8d6040cde77241c38f13c54c2999b548415fd8a
Instruction Fuzzy Hash: 2D018175100609BFDB125FA8DD49E6A3F6EEF863A0B144428FA41C3350DB39DC10DA60

Function 007C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C1002

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8190e5771915135f09d342033fb5f8a4013ed91d978dd78d610aa35c7527ae3c
Instruction ID: 4496d82d8b60a80330e29ffca9b66bf20c66b44393af3672de1225d940afaf48
Opcode Fuzzy Hash: 8190e5771915135f09d342033fb5f8a4013ed91d978dd78d610aa35c7527ae3c
Instruction Fuzzy Hash: A9F06275200309EBD7224FA4DD4EF663B6DEF8A761F518429F945C7251CA78DC90CA60

Function 007C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1062

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a7481af3487f1f938d40ba383c09d52a28138669e79b8147bcfa53976e0da3bd
Instruction ID: 259518f1447189d32b0a58aa5ea8185b509b13cd5e196c80b6db3fb2b637a281
Opcode Fuzzy Hash: a7481af3487f1f938d40ba383c09d52a28138669e79b8147bcfa53976e0da3bd
Instruction Fuzzy Hash: 02F0CD75200309EBDB221FA4ED4AF663BADEF8A761F104428FE05C7251CA38DC90CA60

Function 007D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0324
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0331
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D033E
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D034B
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0358
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0365

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0c898bf3eecce2a35a6215ea55e43eee12e67abf87ad4aa7256ec69f5f27ea5d
Instruction ID: d5cffe5edbb17e157c578d8add14ed9cd93e12b7e7ee471cb977aca2b7f1ec17
Opcode Fuzzy Hash: 0c898bf3eecce2a35a6215ea55e43eee12e67abf87ad4aa7256ec69f5f27ea5d
Instruction Fuzzy Hash: 2801AA72800B55DFCB30AF66D880916FBF9BF603153159A3FD19652A31C3B5A998DF80

Function 0079D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0079D752

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079D764
_free.LIBCMT ref: 0079D776
_free.LIBCMT ref: 0079D788
_free.LIBCMT ref: 0079D79A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ccab28681c84a50da956dee6956cd6d6ec56604de3d0655aad1d3e04b97eab28
Instruction ID: cd8ed432036f8ae628c8a64eb8c16660efd7a01f427daabdaa22ab9900261bb6
Opcode Fuzzy Hash: ccab28681c84a50da956dee6956cd6d6ec56604de3d0655aad1d3e04b97eab28
Instruction Fuzzy Hash: DFF01232544204BB8E31FBA4F9C5C2A7BDDBB447207E44805F04CE7552C738FC818AA4

Function 007C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 007C5C6F
MessageBeep.USER32(00000000), ref: 007C5C87
KillTimer.USER32(?,0000040A), ref: 007C5CA3
EndDialog.USER32(?,00000001), ref: 007C5CBD

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: acdc19dc9b0bec20b14eb7143c548af93558cd8f9c18c9a8d144e229b66f036d
Instruction ID: 5c32af55039fb816cd31750b8e0f99eb8b708aacfe9757ad54ed5256d34b1ac2
Opcode Fuzzy Hash: acdc19dc9b0bec20b14eb7143c548af93558cd8f9c18c9a8d144e229b66f036d
Instruction Fuzzy Hash: 8B018130500B09ABEB315B10DE4EFA67BB8BF00B05F00555DA593A10E1DBF9B988CBA4

Function 007922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007922BE

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 007922D0
_free.LIBCMT ref: 007922E3
_free.LIBCMT ref: 007922F4
_free.LIBCMT ref: 00792305

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 32342c2a705324e4edd287fb992d42ba60e3920ee4dcc42af0217d6990909654
Instruction ID: f4501d96d3571a03e620847c0c5bb285722018dc726c265cace27f51d18c76f6
Opcode Fuzzy Hash: 32342c2a705324e4edd287fb992d42ba60e3920ee4dcc42af0217d6990909654
Instruction Fuzzy Hash: 54F05E70800520EB8E22FF54BC0981D3B64F758B60741491AF818E22B6CB381953EFE4

Function 007795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007795D4
StrokeAndFillPath.GDI32(?,?,007B71F7,00000000,?,?,?), ref: 007795F0
SelectObject.GDI32(?,00000000), ref: 00779603
DeleteObject.GDI32 ref: 00779616
StrokePath.GDI32(?), ref: 00779631

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c00b8cf51e3ba92f3ac38d9cb8eff5e931721f19b137609be7b2798af9880878
Instruction ID: ad0f549ec0ca4dea27010495bd85dd6f5f41911bde6ee3383aace8a3a1024e39
Opcode Fuzzy Hash: c00b8cf51e3ba92f3ac38d9cb8eff5e931721f19b137609be7b2798af9880878
Instruction Fuzzy Hash: FBF0F634006608EBDF129F65EE1CBA43F61BB81772F44C214E969950F0DB3889A6DF24

Function 00790F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007910F9
__freea.LIBCMT ref: 00791117

Part of subcall function 00791537: _free.LIBCMT ref: 0079154F

Strings

a/p, xrefs: 007911DE
am/pm, xrefs: 0079117A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 38b9d40950922e3416ab416fb4231f9cc854d7ac2ca5ede8334a432fdd03baf6
Instruction ID: d10045fcd6834649c997ff6e1f6378f5a77a287420818925af9726d0e89eded6
Opcode Fuzzy Hash: 38b9d40950922e3416ab416fb4231f9cc854d7ac2ca5ede8334a432fdd03baf6
Instruction Fuzzy Hash: EED13631A00207DADF299F68E895BFEB7B1FF06300FA44159E911AB650D37D9DA0CB91

Function 00795AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOv, xrefs: 00795BA8, 00795C6C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: JOv
API String ID: 0-1288394439
Opcode ID: c625d944dcbac7f6d09581f01c1942204d377d2f17206f9b566afec59f9976ed
Instruction ID: ffa7e5117121fa65afa8806b053b3204564d996f8264a6e990f50ee463a43b2b
Opcode Fuzzy Hash: c625d944dcbac7f6d09581f01c1942204d377d2f17206f9b566afec59f9976ed
Instruction Fuzzy Hash: 0C51B2B1D00A2AEFCF12AFA4E849FEE7BB4BF46310F14015AF405A7291D7399901CB61

Function 00798A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00798B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00798B7A
__dosmaperr.LIBCMT ref: 00798B81

Strings

.x, xrefs: 00798A63

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .x
API String ID: 2434981716-4151879616
Opcode ID: 25dfead573ef97e5e71ef9c7457836497c4635587c498da11c8373c8ad3c08a3
Instruction ID: 99b027fe80d60cf987137d0e195b37c6f1e72397af8f92f2ec4e0a01b2df9e62
Opcode Fuzzy Hash: 25dfead573ef97e5e71ef9c7457836497c4635587c498da11c8373c8ad3c08a3
Instruction Fuzzy Hash: A8418CF0604145AFDF659F24E894A7D7FE5EB87300F2C85AAF49587242DE398C02D792

Function 007C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21D0,?,?,00000034,00000800,?,00000034), ref: 007CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007C2760

Part of subcall function 007CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007CB3F8

Part of subcall function 007CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007CB355
Part of subcall function 007CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB365
Part of subcall function 007CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C281A

Strings

@, xrefs: 007C2832

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4ee16cc98e25915d892886c5604763b8dd9e9e9f950d8d901efb0746f53f8e58
Instruction ID: 5a33e580a43cc08f3f8630bf6f718752466079092ad6ef701668279e689cd6d1
Opcode Fuzzy Hash: 4ee16cc98e25915d892886c5604763b8dd9e9e9f950d8d901efb0746f53f8e58
Instruction Fuzzy Hash: BF41FB76900218AFDB11DBA4CD86FEEBBB8EF09700F104099FA55B7181DB746E45CBA1

Function 0079172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00791769
_free.LIBCMT ref: 00791834
_free.LIBCMT ref: 0079183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00791760, 00791767, 00791796, 007917CE

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 8b0ce889d1ac1168952bc02a526dbc3c463274888db6291285514af9ddf0599a
Instruction ID: f5b8429627ac3b2cd029f8147eec2c8687d2d3114b70d524bb752963a5d9ae62
Opcode Fuzzy Hash: 8b0ce889d1ac1168952bc02a526dbc3c463274888db6291285514af9ddf0599a
Instruction Fuzzy Hash: 3931B371A0020AEFDF21DF99E889D9EBBFCFB85720B504166F804D7211D6744E50DB90

Function 007CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 007CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00831990,010E5840), ref: 007CC395

Strings

0, xrefs: 007CC2DF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6f8d14a1ea886233c574440b58124f7e2c92681fcffd2e6244ea01dae182b8f1
Instruction ID: 98a356588c2c785a0c02c96e7b946f857e74be85fc80e6bc7be6099fc5a83601
Opcode Fuzzy Hash: 6f8d14a1ea886233c574440b58124f7e2c92681fcffd2e6244ea01dae182b8f1
Instruction Fuzzy Hash: FE419F71204341DFD721DF25E845F2ABBE8AB85310F10861DF9A997291D738E904CB62

Function 007F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007FCC08,00000000,?,?,?,?), ref: 007F44AA
GetWindowLongW.USER32 ref: 007F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F44D7

Strings

SysTreeView32, xrefs: 007F447C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ab2e816cf583d67d428caacafa4cbca2579f33607419cc3aaeaf2b1da2312e11
Instruction ID: 8928c9a8ba2a940f16961e3bea2e04937214c80bceb5c47115d6715b88be000c
Opcode Fuzzy Hash: ab2e816cf583d67d428caacafa4cbca2579f33607419cc3aaeaf2b1da2312e11
Instruction Fuzzy Hash: F7316C71214249ABDB219E38DC45BFB77A9EB08324F208715FA79A22D0D778E8609B50

Function 007C6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 007C6EED
VariantCopyInd.OLEAUT32(?,?), ref: 007C6F08
VariantClear.OLEAUT32(?), ref: 007C6F12

Strings

*j|, xrefs: 007C6E8B, 007C6E90, 007C6EF8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j|
API String ID: 2173805711-205169694
Opcode ID: 06118852a48782440dbf7ef2452e1fe458e7be01b4a424cc0acaedae052922ae
Instruction ID: 567948f0c8024a35d8f6c9034400f78b9b218a8cf7bd9461787c92ddb5e97770
Opcode Fuzzy Hash: 06118852a48782440dbf7ef2452e1fe458e7be01b4a424cc0acaedae052922ae
Instruction Fuzzy Hash: 1331B171604245DFCB05AFA4E895EBD37B5FF8A700B10049CFA039B2A1C77C9912DB94

Function 007E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007E3077,?,?), ref: 007E3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
_wcslen.LIBCMT ref: 007E309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007E3106

Strings

255.255.255.255, xrefs: 007E3095, 007E309A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c096929859a81508903daf0c232e9a99572165e15593b007bdea63619bae6006
Instruction ID: 0ed40e848a34739460767754bd9a8d6e19a0168adb1c5f25bd47b7155b5372bf
Opcode Fuzzy Hash: c096929859a81508903daf0c232e9a99572165e15593b007bdea63619bae6006
Instruction Fuzzy Hash: 76310735201285DFCB20CF6AC589E6977E1EF58314F248059E9158B392DB3AEF45C760

Function 007F3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007F3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007F3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F3F78

Strings

SysMonthCal32, xrefs: 007F3F0B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 85fdce6d8d075d73c03a1fc60e4e9cd683c741d1605fed09e30d4a124a3d86e0
Instruction ID: 28f4fb6f66373a8c509e605379030e7bbd72ed58e1721b30064459f095e7fa6b
Opcode Fuzzy Hash: 85fdce6d8d075d73c03a1fc60e4e9cd683c741d1605fed09e30d4a124a3d86e0
Instruction Fuzzy Hash: 13219F3260021DBBDF119F54DC46FEA3BB5EF48724F110214FA15AB2D0D6B9A950CB90

Function 007F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F471A

Strings

msctls_updown32, xrefs: 007F4684

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a3cfa9d5aac70fb2142f406d49b601dd305f2f79616fe54871bc5f582eb71237
Instruction ID: 6d6ce3064120a6df82b880448a3f9d5d0a5bf72ce3e55f4acb839f3e299f40ef
Opcode Fuzzy Hash: a3cfa9d5aac70fb2142f406d49b601dd305f2f79616fe54871bc5f582eb71237
Instruction Fuzzy Hash: 11215EB5604208AFDB11EF64DC85DB737ADEB8A7A8B040459FA00DB351CB34EC11CA60

Function 007C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C961D

Strings

#notrayicon, xrefs: 007C95B7
#OnAutoItStartRegister, xrefs: 007C95F3
#requireadmin, xrefs: 007C95D9

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 88259685bf91b736e5c53384175ff0dd14e0bd941269650d1e47093ee74dffe1
Instruction ID: 315dd5cb8c11f78323674bae37982c808f25fd38a319ba784e4433b4bb4a7c66
Opcode Fuzzy Hash: 88259685bf91b736e5c53384175ff0dd14e0bd941269650d1e47093ee74dffe1
Instruction Fuzzy Hash: EC216872204510A6C371BB24DC0EFB77398AF51300F50402EFB5AA71C1EBACAD51C395

Function 007F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F3876

Strings

Listbox, xrefs: 007F380F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d952587455e58736a060201fbb469b2e7cc8512dfcc0600720b1a5987e6f6aa6
Instruction ID: ca75cfcb7d5c0a3eff0500b77d07583e2e1493bfd6b4400a6ff5efdca53f5d00
Opcode Fuzzy Hash: d952587455e58736a060201fbb469b2e7cc8512dfcc0600720b1a5987e6f6aa6
Instruction Fuzzy Hash: FB21807261011CBBEF119F54DC85EBB376AEF897A0F118124FA159B290C679DC51C7A0

Function 007D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007D4A5C
SetErrorMode.KERNEL32(00000000,?,?,007FCC08), ref: 007D4AD0

Strings

%lu, xrefs: 007D4A6F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b1771918ee93c326246b6f961868026aaf5d6f7b5650b61316d5413276967991
Instruction ID: 8bbb5c305461b61bccfd74d934ee9b569963cd94f2581e66c8886a9cfc9b7a95
Opcode Fuzzy Hash: b1771918ee93c326246b6f961868026aaf5d6f7b5650b61316d5413276967991
Instruction Fuzzy Hash: 2C318E75A00108EFDB10DF64C985EAA7BF8EF48308F1480A9E909DB352D779EE45CB61

Function 007F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007F4271

Strings

msctls_trackbar32, xrefs: 007F4226

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ef76a0a9f14f093d24410bb07b897133019a1eeeef3de30fea0e287058f8ae4c
Instruction ID: 53bb7b60235eb22bf869b56e07552934c998c1884ff0736877cf26040c05c8a3
Opcode Fuzzy Hash: ef76a0a9f14f093d24410bb07b897133019a1eeeef3de30fea0e287058f8ae4c
Instruction Fuzzy Hash: C211CE3124024CBFEF205E29CC06FBB3BA8FB85B64F010528FA55E22A0D275D8519B20

Function 007C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Part of subcall function 007C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007C2DC5
Part of subcall function 007C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C2DD6
Part of subcall function 007C2DA7: GetCurrentThreadId.KERNEL32 ref: 007C2DDD
Part of subcall function 007C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007C2DE4

GetFocus.USER32 ref: 007C2F78

Part of subcall function 007C2DEE: GetParent.USER32(00000000), ref: 007C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 007C2FC3
EnumChildWindows.USER32(?,007C303B), ref: 007C2FEB

Strings

%s%d, xrefs: 007C2FFF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 00c7488c4a02cec29e0315834e491b33329c502252b876e75f49e1bd0df8576b
Instruction ID: a890871f8b12808464f2fca668a499569ac080810d957341a1e7ea6b1491780c
Opcode Fuzzy Hash: 00c7488c4a02cec29e0315834e491b33329c502252b876e75f49e1bd0df8576b
Instruction Fuzzy Hash: 581193B1700209EBCF556F609D8AFED376AAF94304F04807DB90ADB292DE785949CB60

Function 007F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007F58EE
DrawMenuBar.USER32(?), ref: 007F58FD

Strings

0, xrefs: 007F588F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5a63f07dd8775e004bae750477989e4f034d8917d5aa4eea98afc998c8ebb230
Instruction ID: 16714c7b84ee069ebbf2fd8e31e93d13b87d242f467171fa58061659a1b6fff6
Opcode Fuzzy Hash: 5a63f07dd8775e004bae750477989e4f034d8917d5aa4eea98afc998c8ebb230
Instruction Fuzzy Hash: AA011B3150421CEEDB219F21DC48BBEBBB4FF45361F10C099EA49D6251DB789A94EF21

Function 007C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24e73031e9764f5525cbe34dc4c69b6e5b14a589757a2d2d33e952120f1b2ca
Instruction ID: 86df9e3eba784715b073d89e87edf6d82ee72bbce5c68e0892ad8f8f612e21f9
Opcode Fuzzy Hash: d24e73031e9764f5525cbe34dc4c69b6e5b14a589757a2d2d33e952120f1b2ca
Instruction Fuzzy Hash: 19C13475A0020AEFCB04CFA8C898FAEB7B5FF48314F24859CE505AB251D735AE41CB90

Function 007E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007E3459
CoUninitialize.OLE32 ref: 007E3463
VariantInit.OLEAUT32(?), ref: 007E346E
VariantClear.OLEAUT32(?), ref: 007E371B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4ba9d3bccc44ed4b437c67005b95f30e20b224d06207154964747f479fec88a5
Instruction ID: 8d2df8ab9e3d906fc8e597fba402bc2aecdda927517ece9cd82a3c5c0c259eb5
Opcode Fuzzy Hash: 4ba9d3bccc44ed4b437c67005b95f30e20b224d06207154964747f479fec88a5
Instruction Fuzzy Hash: 8AA15875204240DFCB05DF29C589A2AB7E5FF8C754F048859F98A9B362DB38EE11CB91

Function 007C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C0608
CLSIDFromProgID.OLE32(?,?,00000000,007FCC40,000000FF,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C062D
_memcmp.LIBVCRUNTIME ref: 007C064E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 401b5f6757547afc6bb747e7d4153328f53c788e5450f6fb3bbf34c7d9125c0e
Instruction ID: 3f7c3eb592e6e8e58d23b722f20a70def46ae2f17c173c6bbd236d408a0685d7
Opcode Fuzzy Hash: 401b5f6757547afc6bb747e7d4153328f53c788e5450f6fb3bbf34c7d9125c0e
Instruction Fuzzy Hash: 6E81E975A00109EFCB04DF94C988EEEB7B9FF89315F20455CE516AB250DB75AE06CBA0

Function 007EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007EA6BA

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Process32NextW.KERNEL32(00000000,?), ref: 007EA79C
CloseHandle.KERNEL32(00000000), ref: 007EA7AB

Part of subcall function 0077CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,007A3303,?), ref: 0077CE8A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 132c2b9ae7a92965eebfd80b7ef62c989d3b7ba8f3066d50b8609cdec7927a96
Instruction ID: 3a1a2183085686cb8634fc9eafda699743ae60ac1d8a27f30ae160628ad72abb
Opcode Fuzzy Hash: 132c2b9ae7a92965eebfd80b7ef62c989d3b7ba8f3066d50b8609cdec7927a96
Instruction Fuzzy Hash: 92514E71508340EFD710DF25C889A6BBBE8FF89754F40891DF98697291EB74E904CB92

Function 007A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007A14C0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dab921e87ee1f1a2c1d2ab327b70eb68b781b34f8b41b25e8167c5970572a567
Instruction ID: f99936c13d1a86274c9957233c40c539adcf4d93ea3caea7eebe4d72edd3b679
Opcode Fuzzy Hash: dab921e87ee1f1a2c1d2ab327b70eb68b781b34f8b41b25e8167c5970572a567
Instruction Fuzzy Hash: DA410A31940154EBFF217BBD9C49AAE3AA4FF8B370F544325F419D6192E63C484197A1

Function 007F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007F62E2
ScreenToClient.USER32(?,?), ref: 007F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007F6382

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c4c9308cf2be9fb3899d486088167e90c53aa23943aebc968f4442d14d2cb9e3
Instruction ID: 0c78575f3d41d3a3901fab3d7e1bc58c84426499e622c212f9d9e3c2943a6849
Opcode Fuzzy Hash: c4c9308cf2be9fb3899d486088167e90c53aa23943aebc968f4442d14d2cb9e3
Instruction Fuzzy Hash: 6B510674A00209EFCF14DF68D984ABE7BB5FF95360F108569EA259B390D734AD41CB50

Function 007E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007E1AFD
WSAGetLastError.WSOCK32 ref: 007E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E1B8A
WSAGetLastError.WSOCK32 ref: 007E1B94

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6da5708e7d5f224c1ac8a1498064221d57c010bedc5221132eab2bf9dd3d6e82
Instruction ID: 60791a13c574a48b33f13ac1e3e4c6042b54c4272898ba2515f07d6e89dc0b46
Opcode Fuzzy Hash: 6da5708e7d5f224c1ac8a1498064221d57c010bedc5221132eab2bf9dd3d6e82
Instruction Fuzzy Hash: A541C474600200AFD720AF24C88AF6577E5AB48718F94C448F91A9F7D3D77AED41CB90

Function 0079B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c386cae71e5da75af8a1b80c125f3f5d090a6931ddfd7dddd383c43243d6597a
Instruction ID: b43db658ee967e26b08b37d491b12421df3c4f739aef9f29d14a248ffffc43d7
Opcode Fuzzy Hash: c386cae71e5da75af8a1b80c125f3f5d090a6931ddfd7dddd383c43243d6597a
Instruction Fuzzy Hash: 24413C75A00744FFDB24AF78ED45B6E7BE9EB88710F10452EF141DB292D37999018780

Function 007D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007D5783
GetLastError.KERNEL32(?,00000000), ref: 007D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007D57FA

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 954d2acd2f3904bdd0301f589835c4646812476a185fcf450542bd83bc4d4e66
Instruction ID: f634a72cb7c00462f074f83aaa9d0261b90bccdf8f2d41d170b5421263646c10
Opcode Fuzzy Hash: 954d2acd2f3904bdd0301f589835c4646812476a185fcf450542bd83bc4d4e66
Instruction Fuzzy Hash: AD410A35600610DFCB15DF55C548A5ABBF2EF89324B198489EC4AAB362CB38FD50DB91

Function 0079D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00786D71,00000000,00000000,007882D9,?,007882D9,?,00000001,00786D71,?,00000001,007882D9,007882D9), ref: 0079D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0079D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0079D9AB
__freea.LIBCMT ref: 0079D9B4

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6ee0136a6cf0a313332893ba47c2af27b152783057fef77be139ec04be4368e5
Instruction ID: 81b2b30a84f99983353cfcf73f96399711caf0a83d75ec1cb30058e4de8e8654
Opcode Fuzzy Hash: 6ee0136a6cf0a313332893ba47c2af27b152783057fef77be139ec04be4368e5
Instruction Fuzzy Hash: 3731B072A0020AABDF25EF65EC45EAE7BA5EB40320B054169FC04D7251EB39DD55CB90

Function 007F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007F5352
GetWindowLongW.USER32(?,000000F0), ref: 007F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F53A8

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0e46ec94f72f8956fe5d7c603187186207126055391eb8bedf32e2fa79ec44f5
Instruction ID: 4fe84293229c70b041000b98911798ecba7bcdcd084de74cb9987246adb055fc
Opcode Fuzzy Hash: 0e46ec94f72f8956fe5d7c603187186207126055391eb8bedf32e2fa79ec44f5
Instruction Fuzzy Hash: F7318F34A55A0CEFEB259A1CCC49BF877A6AF05398F584101FB11963E1C7B89940EB42

Function 007CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 007CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 007CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 007CAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 007CACC6

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 201d5deb15265fc63a18df77c831c37f2fa8ca7a0689ae02dbbce20dd6b43ddb
Instruction ID: e514a4fb763fa7bc3219d7a809590a90d9fc6c24b9e04a92eceb4928894c1084
Opcode Fuzzy Hash: 201d5deb15265fc63a18df77c831c37f2fa8ca7a0689ae02dbbce20dd6b43ddb
Instruction Fuzzy Hash: 52312830A4421CBFFF35CB648C08FFA7BA5AB45319F04421EE481921D1C37C89958776

Function 007F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007F769A
GetWindowRect.USER32(?,?), ref: 007F7710
PtInRect.USER32(?,?,007F8B89), ref: 007F7720
MessageBeep.USER32(00000000), ref: 007F778C

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f432df253282e2661cafe8ddbcef912da0a642e2d525cdc74b263bd7ad5afedc
Instruction ID: 9e56005a7c3a543828d8e97a35b3d3ab7695a37de58ea102241dee7914a1b63c
Opcode Fuzzy Hash: f432df253282e2661cafe8ddbcef912da0a642e2d525cdc74b263bd7ad5afedc
Instruction Fuzzy Hash: 23419E34605218DFCB05EF58C898EB9BBF5BB48714F5584A8EA149B361C334E941CBA0

Function 007F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007F16EB

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

GetCaretPos.USER32(?), ref: 007F16FF
ClientToScreen.USER32(00000000,?), ref: 007F174C
GetForegroundWindow.USER32 ref: 007F1752

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 29884e8be914364b586c336c09e545ed969febc60e51fc91971db925b63d137e
Instruction ID: 91303a986f4ec1fe4a61d1e35d42ddd717746ea131c11060fee5dd708894580a
Opcode Fuzzy Hash: 29884e8be914364b586c336c09e545ed969febc60e51fc91971db925b63d137e
Instruction Fuzzy Hash: 6B315075D00149EFC704EFA9C985DBEBBF9EF48304B5480AAE416E7211D6399E45CBA0

Function 007F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

GetCursorPos.USER32(?), ref: 007F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007B7711,?,?,?,?,?), ref: 007F9016
GetCursorPos.USER32(?), ref: 007F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007B7711,?,?,?), ref: 007F9094

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 68b406dbdeaf3848b668992651b6a5f1711b7eed5ac06df9deb083e056df3be8
Instruction ID: aa41d5bc0321b4c1a65982e2230430c4f33b21c08ce82c632d43b43b89a40edc
Opcode Fuzzy Hash: 68b406dbdeaf3848b668992651b6a5f1711b7eed5ac06df9deb083e056df3be8
Instruction Fuzzy Hash: 8D215C3560001CEFDB168F94C858FFABBB9FB89750F144065FA058B2A1C7399990DB64

Function 007CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007FCB68), ref: 007CD2FB
GetLastError.KERNEL32 ref: 007CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 007CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007FCB68), ref: 007CD376

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 67b260124dfacc17f73c98743e676e8b3fe9ddfd35a853e6df781d053a4b5d08
Instruction ID: 2dced08c8d790c2c45ebd8a8a8b1cd4f02fe304db41cd6163c6061c782934e55
Opcode Fuzzy Hash: 67b260124dfacc17f73c98743e676e8b3fe9ddfd35a853e6df781d053a4b5d08
Instruction Fuzzy Hash: 1B21A370504205DF8320DF24C98596AB7E8FE55364F104A2EF899C72A1D738DD45CB93

Function 007C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C102A
Part of subcall function 007C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C1036
Part of subcall function 007C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1045
Part of subcall function 007C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C104C
Part of subcall function 007C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C15BE
_memcmp.LIBVCRUNTIME ref: 007C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C1617
HeapFree.KERNEL32(00000000), ref: 007C161E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5cb6043b74eb94be93fc0bf541094e53d4998ba854c3c1f767d9cf07e98475fb
Instruction ID: a99738b1b174a788b8d1d360487873daf946ad21e8eb3ce536b148bae70a8960
Opcode Fuzzy Hash: 5cb6043b74eb94be93fc0bf541094e53d4998ba854c3c1f767d9cf07e98475fb
Instruction Fuzzy Hash: 89217C71E00108EFDB00DFA4C945FEEB7B8EF45344F59846DE441A7242EB38AA05DB50

Function 007F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007F2840

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 87f566146a2f63db6830333249c107115f6b5fb6b4944c3d8b8df76a0c488bea
Instruction ID: 478b31b0ce7e208b9deb914c2f4da4aef9c711592055252bc8126a3777128bdd
Opcode Fuzzy Hash: 87f566146a2f63db6830333249c107115f6b5fb6b4944c3d8b8df76a0c488bea
Instruction Fuzzy Hash: 0321C131209519AFD7159B24C844FBA7B95AF45324F248158FA26CB7E3CB79FC82C790

Function 007C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?), ref: 007C8D8C
Part of subcall function 007C8D7D: lstrcpyW.KERNEL32(00000000,?,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C8DB2
Part of subcall function 007C8D7D: lstrcmpiW.KERNEL32(00000000,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?), ref: 007C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7923
lstrcpyW.KERNEL32(00000000,?,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7984

Strings

cdecl, xrefs: 007C797B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a1ca259e176a83cc2f3eb9b5c810b403ad5c4b71026dba2e97fa245fb78f4336
Instruction ID: 98f71fde6b11bc33a20bd3dc0fd9084911dd07e39935e6587620f6d7ebb54956
Opcode Fuzzy Hash: a1ca259e176a83cc2f3eb9b5c810b403ad5c4b71026dba2e97fa245fb78f4336
Instruction Fuzzy Hash: 0311E93A200305ABCB155F38D845E7A77E9FF45390B50802EF946C7264EF799811CB61

Function 007F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007DB7AD,00000000), ref: 007F7D6B

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 404f7b278f189d2be86b687bcb411fa25ca0f78219d34d781e1d93237d28cda7
Instruction ID: 33bc3297f307135c2d36a9d0ba3004fc5e79d0cd7c3b78666ab7a37ef3a18557
Opcode Fuzzy Hash: 404f7b278f189d2be86b687bcb411fa25ca0f78219d34d781e1d93237d28cda7
Instruction Fuzzy Hash: 4411C031219619AFCF158F28CC08A763BA5BF85360B518724FA39CB3F0E7348911DB50

Function 007F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007F56BB
_wcslen.LIBCMT ref: 007F56CD
_wcslen.LIBCMT ref: 007F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F5816

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a79703f937dbd78dc5ec88c72d83b2fea27d94ebc43e16d1fa0fdcac184a1add
Instruction ID: 925b13e3719e4eb7db2e89c3513048ce02af8ff361c44be4e02c669a11656f15
Opcode Fuzzy Hash: a79703f937dbd78dc5ec88c72d83b2fea27d94ebc43e16d1fa0fdcac184a1add
Instruction Fuzzy Hash: 8D11B47160460CA6DF20DF61CC89AFE77ACEF11760B108066FB15D6281E7B89980CB64

Function 00791D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ede3c0e394d1eb9ad69005f82d1ab45b5b2dae18b03494189a7c279ebf31dc9
Instruction ID: 0e1e8728939984fc5247dccea0ef37d22b8a0bff3b8ffe35c0ff710a4daf92c0
Opcode Fuzzy Hash: 4ede3c0e394d1eb9ad69005f82d1ab45b5b2dae18b03494189a7c279ebf31dc9
Instruction Fuzzy Hash: 87018FF230561B7EFE2126787CC4F27661CEF413B8B750325F521612D2DB689C209660

Function 007C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A8A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 174d135b927b9b9202b2711bc5329dd3270a995e1eba9bac5a141baef26d6e2e
Instruction ID: a2ab50e6986bcc076b5be4dc1f195bf7a01a5a9592ccc202627d9d6f44db6669
Opcode Fuzzy Hash: 174d135b927b9b9202b2711bc5329dd3270a995e1eba9bac5a141baef26d6e2e
Instruction Fuzzy Hash: 3011393AD01219FFEB11DBA4CD85FADBB78EB08750F2040A9EA00B7290D6716E50DB94

Function 007CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 007CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007CE24D

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d19068ff007d6898b0ce97ec66b4c17179012c0f97ce4c4f5aa32079783dc476
Instruction ID: b1f5793a45216748dbc3ab0689a4bda3f79df473a4caa0d4046e8975256c3ada
Opcode Fuzzy Hash: d19068ff007d6898b0ce97ec66b4c17179012c0f97ce4c4f5aa32079783dc476
Instruction Fuzzy Hash: 75110872904218BBCB019BA89C09FAE7FACBB85720F00821DF824E3390D3788D0087A0

Function 0078D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0078CFF9,00000000,00000004,00000000), ref: 0078D218
GetLastError.KERNEL32 ref: 0078D224
__dosmaperr.LIBCMT ref: 0078D22B
ResumeThread.KERNEL32(00000000), ref: 0078D249

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f82b56f8203a853673d1c40491f2f3cb8ae7a5b65f0b920f5825890ea712abef
Instruction ID: 47fda3a3f1ec71341c7201eccdfe2f788a273e34b8186dd2048d32be9ff303fa
Opcode Fuzzy Hash: f82b56f8203a853673d1c40491f2f3cb8ae7a5b65f0b920f5825890ea712abef
Instruction Fuzzy Hash: 2901D276885208BBDB217BA5DC0DBAE7B69FF81330F104219F925921E0DB788D01C7A1

Function 007F9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

GetClientRect.USER32(?,?), ref: 007F9F31
GetCursorPos.USER32(?), ref: 007F9F3B
ScreenToClient.USER32(?,?), ref: 007F9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007F9F7A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 56c7026a7810a9bd2ed0c6118d1513e4d90f81ca117c9fe816a551318bbb56bc
Instruction ID: d1ff39fa9cb7f171620cc6448d7608189007d53868891fb59e4539a9768ce0cf
Opcode Fuzzy Hash: 56c7026a7810a9bd2ed0c6118d1513e4d90f81ca117c9fe816a551318bbb56bc
Instruction Fuzzy Hash: 6911363290011EEBDB01DFA8C849AFEB7B8FB45311F104451FA01E7250D738BA95CBA5

Function 0076600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
GetStockObject.GDI32(00000011), ref: 00766060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9179feff1590b05cc38d496d850ce2ceae478b9793413d87d1eb6f3a91d84de2
Instruction ID: 274c2512348ae3cba51f4b08a198c05796c0dfd09efbf1579b456f9a7e45751b
Opcode Fuzzy Hash: 9179feff1590b05cc38d496d850ce2ceae478b9793413d87d1eb6f3a91d84de2
Instruction Fuzzy Hash: D5115B72501508BFEF125FA49C44EFABF69EF497A4F444225FE1652110D73A9C60EBA0

Function 00783B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00783B56

Part of subcall function 00783AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00783AD2
Part of subcall function 00783AA3: ___AdjustPointer.LIBCMT ref: 00783AED

_UnwindNestedFrames.LIBCMT ref: 00783B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00783B7C
CallCatchBlock.LIBVCRUNTIME ref: 00783BA4

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 644bee7f2d388982e613ce40f2df80b6bd40b46d7309906ad4c8e6d285c85568
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D4012972140149BBDF126E99CC46EEB3F6AEF48B54F044014FE4896121D73AE961DBA0

Function 00793073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007613C6,00000000,00000000,?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue), ref: 007930A5
GetLastError.KERNEL32(?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue,00802290,FlsSetValue,00000000,00000364,?,00792E46), ref: 007930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue,00802290,FlsSetValue,00000000), ref: 007930BF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 49fb7f7f32505ce7c0879344fcc27f73ce92a42b575f34ad100375392e9eac9c
Instruction ID: 55e47be73ddd3391e6cc259384052d926ebd46d2a34281e318f4ba7c7426f909
Opcode Fuzzy Hash: 49fb7f7f32505ce7c0879344fcc27f73ce92a42b575f34ad100375392e9eac9c
Instruction Fuzzy Hash: F601F73231122AABCF314B7CBC459677B9AAF45BA1B214720F915E3140C729DD05C6E0

Function 007C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 007C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007C74CA

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b3c39f3d5eee96b5636f94b1a7389e32811c99f0eb656d5acfa512949ea73caf
Instruction ID: 820d9fc60b20200945cc72c38c5661967842722cb0e687cafc02c738d7f6dd2b
Opcode Fuzzy Hash: b3c39f3d5eee96b5636f94b1a7389e32811c99f0eb656d5acfa512949ea73caf
Instruction Fuzzy Hash: DB11A1B12053549BE7288F14DD09FA2BFFCEB00B10F10856DA626D6151DB78EA04EF50

Function 007CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB126

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eca28f53e63a2b1b4e877ab1548a3863c7ebbdbf1778c54218acf328e1a323c6
Instruction ID: 5cf32cacb04316a487f3cea1f4985da6e56f30fd6b986aef15f18d33c0d81646
Opcode Fuzzy Hash: eca28f53e63a2b1b4e877ab1548a3863c7ebbdbf1778c54218acf328e1a323c6
Instruction Fuzzy Hash: D8111571C0152CE7CF00AFA4E95ABEEBB78BF09711F10808DE941B2181CB389A608B56

Function 007F7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007F7E33
ScreenToClient.USER32(?,?), ref: 007F7E4B
ScreenToClient.USER32(?,?), ref: 007F7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007F7E8A

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 75c7b6fa0df40513578052f3913429122a1d1ab5962b7180e9d6220a67608d40
Instruction ID: 8a20c74fc3b44ee14dcd51dc37b5767fc504add6dbfb8274833c8685163783a6
Opcode Fuzzy Hash: 75c7b6fa0df40513578052f3913429122a1d1ab5962b7180e9d6220a67608d40
Instruction Fuzzy Hash: AC1140B9D0420EAFDB41DF98C984AEEBBF9FB08310F509066E915E2210D735AA54CF94

Function 007C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 007C2DD6
GetCurrentThreadId.KERNEL32 ref: 007C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007C2DE4

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bcfd7a836992e3969a51deb99160b88d53b8b7b227e05c3fb597e913794c9bb5
Instruction ID: de2785e44af7a3a7ea6b92ac52cc0d8a7edc42afde85b844d481a50b22345879
Opcode Fuzzy Hash: bcfd7a836992e3969a51deb99160b88d53b8b7b227e05c3fb597e913794c9bb5
Instruction Fuzzy Hash: 2AE06D71205228BAD7211B629D0EFFB3F6CEF52BA1F00401DB106D10819AA88841C6B0

Function 007F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00779639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796A2
Part of subcall function 00779639: BeginPath.GDI32(?), ref: 007796B9
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007F8887
LineTo.GDI32(?,?,?), ref: 007F8894
EndPath.GDI32(?), ref: 007F88A4
StrokePath.GDI32(?), ref: 007F88B2

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e3178e891678e3415cc9d0a9f8a1ca6dc02916fc2956f8f63561861038ba6ed7
Instruction ID: 09ec4ba183c39f7be59affc09c0bc62d8b76abd59ca3d6c1b17d96de886344b5
Opcode Fuzzy Hash: e3178e891678e3415cc9d0a9f8a1ca6dc02916fc2956f8f63561861038ba6ed7
Instruction Fuzzy Hash: 4AF03A3604525DFADB135F94AD0DFEA3F59AF06710F448100FB11651E1CB7D5521CBAA

Function 007798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007798CC
SetTextColor.GDI32(?,?), ref: 007798D6
SetBkMode.GDI32(?,00000001), ref: 007798E9
GetStockObject.GDI32(00000005), ref: 007798F1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2a9658606fe2452560509d80704cb402439394139d14735de4db14f4a1e1fd8c
Instruction ID: eb313c5e58e48844e9652b6a7d5479e60f75fc02950ba988315560b372380689
Opcode Fuzzy Hash: 2a9658606fe2452560509d80704cb402439394139d14735de4db14f4a1e1fd8c
Instruction Fuzzy Hash: F8E06571244288AADB225B74AD09BF83F10EB51376F14C219F7F9580E1C3794660DB10

Function 007C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007C11D9), ref: 007C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C11D9), ref: 007C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007C11D9), ref: 007C164F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 97d951837dc93b783ffcabe014a5cd42cf3dda3c4bebf10086900094fff50360
Instruction ID: fc2d9388c20d7e252b6b192a52fa29544f3a53bd3a9d99eccb89547f26485258
Opcode Fuzzy Hash: 97d951837dc93b783ffcabe014a5cd42cf3dda3c4bebf10086900094fff50360
Instruction Fuzzy Hash: A4E04632602215EBD7201BB0AF0DFA63B68AF45792F14881CF245D9080EA2C8445DB68

Function 007BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007BD858
GetDC.USER32(00000000), ref: 007BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007BD882
ReleaseDC.USER32(?), ref: 007BD8A3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3901b2e83f9de39611d6bd697d14550c02f2b69205084ee3771e0742f5a41a6a
Instruction ID: 9e3691101a8484137a8761d6b817da60d7283f76ea996f1e6aef48fb6cb39bb3
Opcode Fuzzy Hash: 3901b2e83f9de39611d6bd697d14550c02f2b69205084ee3771e0742f5a41a6a
Instruction Fuzzy Hash: A6E0E5B1804208DFCB529FA09A08A7DBBB1AB08311B14D409E846E7350DB3C8941EF44

Function 007BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007BD86C
GetDC.USER32(00000000), ref: 007BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007BD882
ReleaseDC.USER32(?), ref: 007BD8A3

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8d5af61198c4fa87b77ded7c8304b629a50b8f6bc64dd244ff2833010a19d033
Instruction ID: be7ea71039485551a3403108de57b5c478dbd119b74d67e42289302111a1a1a7
Opcode Fuzzy Hash: 8d5af61198c4fa87b77ded7c8304b629a50b8f6bc64dd244ff2833010a19d033
Instruction Fuzzy Hash: 6FE012B1804208EFCF52AFA0DA0CA7DBBB1BB08310B14D408E94AE7350CB3C9902EF44

Function 007D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 007D4ED4

Strings

*, xrefs: 007D4E10
LPT, xrefs: 007D4DFB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6807fa3e2702a6c2e186a4c43a11c65c461b6505948ad2df642d1feaff71bada
Instruction ID: 081d312b8c0685f7dcb405f91a1376cf603788892ecfe6e0c711331c6103e642
Opcode Fuzzy Hash: 6807fa3e2702a6c2e186a4c43a11c65c461b6505948ad2df642d1feaff71bada
Instruction Fuzzy Hash: 9E917375A00244EFCB15DF54C484EA9BBF1BF44304F18809AE80A9F362D779ED85CB91

Function 0077E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0077E1B1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5da84203e957c3d500e069de766585ae5df998b5754b62197089ddf39f13ee1d
Instruction ID: ac9a250112fa8047426374d05fe6b4389bf496c6bcee8d19d31b7aa1ce51785e
Opcode Fuzzy Hash: 5da84203e957c3d500e069de766585ae5df998b5754b62197089ddf39f13ee1d
Instruction Fuzzy Hash: AD511135504246EFDF15DF68C085AFA7BA8FF19310F248099EC929B391DA3C9D42CBA0

Function 0077F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0077F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0077F2BB

Strings

@, xrefs: 0077F2AF

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2f6725958cb6d2270e107db9f23a1f38e84dffa979f353c3eae1d2d512291a75
Instruction ID: c98c15387d370e96011a83bd5f9940ce12a330b1a23f070c696d70cf7a6180b5
Opcode Fuzzy Hash: 2f6725958cb6d2270e107db9f23a1f38e84dffa979f353c3eae1d2d512291a75
Instruction Fuzzy Hash: D8517772418744DBD320AF50D88ABABBBF8FF84344F81885CF5DA41095EB758529CB66

Function 007E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007E57E0
_wcslen.LIBCMT ref: 007E57EC

Strings

CALLARGARRAY, xrefs: 007E57E6, 007E57EB

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5a26d085847284e732649873079f4a3e8b3f096c64fff1d8dc76fcace75c3b18
Instruction ID: 461534232f3477e6eebbcba40db14562e07f05f4769fc72e7dc6506f15c4dc79
Opcode Fuzzy Hash: 5a26d085847284e732649873079f4a3e8b3f096c64fff1d8dc76fcace75c3b18
Instruction Fuzzy Hash: A741B031A00149DFCB14DFA9C8859BEBBB5FF59358F104169E506A7251E7389D81CBA0

Function 007DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007DD13A

Strings

|, xrefs: 007DD10B

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4943ed7efaa17c33a28a2d800fda1de5c233cf5bf6b4ebacf7acddd055a871b1
Instruction ID: f2d74a71392012634148536da8f5015b69cc20d1454a833b59f4f84f34a6db33
Opcode Fuzzy Hash: 4943ed7efaa17c33a28a2d800fda1de5c233cf5bf6b4ebacf7acddd055a871b1
Instruction Fuzzy Hash: B6311271D00119EBCF15EFA4CC49AEE7FB9FF04300F104119F915A6265E736A956DB50

Function 007F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F365C

Strings

static, xrefs: 007F35BC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8cefbe44358895fcd5b66e8e21671430f1015ef7aadf530af0129080338e0f5f
Instruction ID: e2858757dc732089ac4ce8cb850d535ce0f8550440a977feab102d4231955cf7
Opcode Fuzzy Hash: 8cefbe44358895fcd5b66e8e21671430f1015ef7aadf530af0129080338e0f5f
Instruction Fuzzy Hash: A2319C71110208AEDB109F78DC80EFB73A9FF88724F009619FAA5D7290DA38ED91D760

Function 007F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F4634

Strings

', xrefs: 007F458E

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6a4e3cff61be1246bb0f91aaf93b0db81caa47d3729ccdce8089efb4c7a7479c
Instruction ID: 108fc747230075143195f62ae3b43443704fefca499596911b2f5962b3168d9a
Opcode Fuzzy Hash: 6a4e3cff61be1246bb0f91aaf93b0db81caa47d3729ccdce8089efb4c7a7479c
Instruction Fuzzy Hash: 32311675A002099FDF14DFA9C980BEABBB5FF49310F10406AEA05EB351D774A951CF90

Function 007F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F3287

Strings

Combobox, xrefs: 007F3249

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cdc19d0c9427cb37dae8603324a8291d00d558d36bbe7280d0c91e2348fe4158
Instruction ID: 42f21b25d3ea8dc7f184dd64e13b906b2edfa30423494db94e92fc2c67677435
Opcode Fuzzy Hash: cdc19d0c9427cb37dae8603324a8291d00d558d36bbe7280d0c91e2348fe4158
Instruction Fuzzy Hash: 8311907130020CAFEF219E54DC84EBB376AFB94364F104529FA1897390D6399D519760

Function 007F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0076600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
Part of subcall function 0076600E: GetStockObject.GDI32(00000011), ref: 00766060
Part of subcall function 0076600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

GetWindowRect.USER32(00000000,?), ref: 007F377A
GetSysColor.USER32(00000012), ref: 007F3794

Strings

static, xrefs: 007F3757

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a5a70ea47c494747d7bff9a2a98fd54a89ab667b95aa7d5ff89dfd04e8a6c663
Instruction ID: 928e4ffa8faa536b23422f8bb5dc537902a93a2ca3ea7ac3c016535f1bcde7ac
Opcode Fuzzy Hash: a5a70ea47c494747d7bff9a2a98fd54a89ab667b95aa7d5ff89dfd04e8a6c663
Instruction Fuzzy Hash: 2F1117B261020DAFDB01EFA8CC45AFA7BB8EB08314F004924FA55E2250D739E851DB60

Function 007DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007DCDA6

Strings

<local>, xrefs: 007DCD66

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3d0078146d2b01f1b60146f1025fc64269bad14f631ded9ace4b5e49e89b8e55
Instruction ID: f0c9ba89ad0f5116605e87beb240e60605d5b6a771c17e3630a37957d96dccce
Opcode Fuzzy Hash: 3d0078146d2b01f1b60146f1025fc64269bad14f631ded9ace4b5e49e89b8e55
Instruction Fuzzy Hash: FC11A371305636BAD72A4A668C45EF7BE7AEF127A4F004227B15983280D6689840D6F0

Function 007F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F34BA

Strings

edit, xrefs: 007F348F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: af438e55a117d5986abd40238c32ff7bbd240b28b4d5974ad517ad8bdffcdc54
Instruction ID: 6f9980a7113016662621f766e85209d6afb13fc39420735c28322488fc195211
Opcode Fuzzy Hash: af438e55a117d5986abd40238c32ff7bbd240b28b4d5974ad517ad8bdffcdc54
Instruction Fuzzy Hash: 6E118C7110024CEBEF128E64DC44ABB376AEB05774F508724FA61932E0C779EC51AB64

Function 007C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

CharUpperBuffW.USER32(?,?,?), ref: 007C6CB6
_wcslen.LIBCMT ref: 007C6CC2

Strings

STOP, xrefs: 007C6CBC, 007C6CC1

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5e4ff8edaf577d9f288d6c738b2894b1a84db87c4c708254b3bdbb5fa71ab082
Instruction ID: 570763825cbd291d67c3eb2ec2803d9e704396d56e0a5463d54dd998e71d12c5
Opcode Fuzzy Hash: 5e4ff8edaf577d9f288d6c738b2894b1a84db87c4c708254b3bdbb5fa71ab082
Instruction Fuzzy Hash: 830104326005278BCB20AFBDDCC4EBF73A4FB60710700052CE96393190EA39E800C660

Function 007C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C1D4C

Strings

ComboBox, xrefs: 007C1CEB
ListBox, xrefs: 007C1D16

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 12d5b2c56830f3250afea26c31e9b6b32615f64c66d4350129242a21559d209c
Instruction ID: 23b94519d575cfb8ecfb09ce8b64ffdd18cd8c18fce677a0e886183e64a0f3f1
Opcode Fuzzy Hash: 12d5b2c56830f3250afea26c31e9b6b32615f64c66d4350129242a21559d209c
Instruction Fuzzy Hash: 2401B971741114ABCB14EBA4CD55DFE7368FB57350B54091DB833573C2DA3859088660

Function 007C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 007C1C46

Strings

ComboBox, xrefs: 007C1BE5
ListBox, xrefs: 007C1C10

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6ecfc944720193d5f16f33dc9a79ed2c09fa537d683aa54371004df9d2726fe0
Instruction ID: 66e7b6617da1633042f569c23ab57b730c0fa03ecae04bdee816a6cd66e8ab18
Opcode Fuzzy Hash: 6ecfc944720193d5f16f33dc9a79ed2c09fa537d683aa54371004df9d2726fe0
Instruction Fuzzy Hash: A401AC75681104A7CB14E7A0CA55FFF77AC9B12340F54002DB916772C2EA3C9E18D671

Function 007C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 007C1CC8

Strings

ComboBox, xrefs: 007C1C69
ListBox, xrefs: 007C1C94

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 57273d4e40771d62a5dda474f925e51c27ffc61c563a1744446766e8cd771111
Instruction ID: a317125c258d37fa0fb82626ca60e543e4289c00b77d1545e87291f02924d2e4
Opcode Fuzzy Hash: 57273d4e40771d62a5dda474f925e51c27ffc61c563a1744446766e8cd771111
Instruction Fuzzy Hash: 9901A271680118A7CB24EBA0CB15FFE73ACAB12340F54002DB912B3282EA3C9F18D671

Function 007C1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 007C1DD3

Strings

ComboBox, xrefs: 007C1D75
ListBox, xrefs: 007C1DA0

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 76d2b093cde4c4c0ec2525d295157ad84c15f466753bd34d960e5bac470bcbc5
Instruction ID: cccaf12ca9c3fc0b218ab59e28bd098458ef41dc6680ae77ec7065d26e35eecc
Opcode Fuzzy Hash: 76d2b093cde4c4c0ec2525d295157ad84c15f466753bd34d960e5bac470bcbc5
Instruction Fuzzy Hash: 81F0A471B41219A7DB14F7A4DD56FFE77ACAB12350F44092DB933A32C2DA7859088270

Function 007E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007E7493
_wcslen.LIBCMT ref: 007E74B9

Strings

3, 3, 16, 1, xrefs: 007E7483

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2f2bd25ab9f536d736952b48bfce5bc9b293646ba9a6bdb40f0a641cfe0d4667
Instruction ID: 536a672be114c4ebed2f672e87042ce1f4caad7c2af14159881a73e9a8a72c54
Opcode Fuzzy Hash: 2f2bd25ab9f536d736952b48bfce5bc9b293646ba9a6bdb40f0a641cfe0d4667
Instruction Fuzzy Hash: 7DE02B022462E160D235227BACC997F5689DFCE750710182BF985C22A6EADCDD91D3A0

Function 007C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007C0B23

Strings

Error allocating memory., xrefs: 007C0B1C
AutoIt, xrefs: 007C0B17

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d14b999a4dbe0f17ec3fdae7287d34f2b87c491e322b7c6f59592eb84341f65c
Instruction ID: 8a8d90dc7cecdc39c2487d0f4b3ca8ab0cf87735bd9e7343e5698ddfbd5cfee3
Opcode Fuzzy Hash: d14b999a4dbe0f17ec3fdae7287d34f2b87c491e322b7c6f59592eb84341f65c
Instruction Fuzzy Hash: 08E0D83128431CAAD21136547D07F997B848F05B50F10442AFB58955C38AE9289086E9

Function 00780D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0077F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00780D71,?,?,?,0076100A), ref: 0077F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0076100A), ref: 00780D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0076100A), ref: 00780D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00780D7F

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f1521149687863b9392a8a070f22c2252f12a77686bcbc5db24f43778801c5f0
Instruction ID: c6952373f44f05db86536a884c5495848b3cb7a1a0c65d8901eb91d504d6784c
Opcode Fuzzy Hash: f1521149687863b9392a8a070f22c2252f12a77686bcbc5db24f43778801c5f0
Instruction Fuzzy Hash: 3AE06D702403018BD760AFB8D9083527BE4BF00B50F00892DE886C6751DBBCE448CBE1

Function 007D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 007D302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007D3044

Strings

aut, xrefs: 007D3038

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 74de3e69264a4dee8968b07a5088e1bfca31baf0141438e67e04ed46aa1ff37c
Instruction ID: f2c9ad8ae523aa08b532ddbc0efab945e24e71740a481cb895eb61d4ed6b049d
Opcode Fuzzy Hash: 74de3e69264a4dee8968b07a5088e1bfca31baf0141438e67e04ed46aa1ff37c
Instruction Fuzzy Hash: 9DD05B7150032867DA209794AD0DFD73B6CE704750F0001517655D6091DAB49584CAD4

Function 007F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F236C
PostMessageW.USER32(00000000), ref: 007F2373

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Strings

Shell_TrayWnd, xrefs: 007F2365

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2102a68f89380ffc065a9af2db59c7ebc0df460153b5a5d2a973ad9256177ac5
Instruction ID: 7495b27de38ebbfbe0f46d1097cc62a533b342579e0992b008754bbeb34cd86a
Opcode Fuzzy Hash: 2102a68f89380ffc065a9af2db59c7ebc0df460153b5a5d2a973ad9256177ac5
Instruction Fuzzy Hash: 99D022323C0310BBE264B330EC0FFC67714AB00B00F008A2A7301EA1D0C9F8B810CA08

Function 007F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007F233F

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Strings

Shell_TrayWnd, xrefs: 007F2325

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a42036d8b258193b8d1aaaa6e67a4162d9256c94f94f0de4453a49db2e5b2b67
Instruction ID: ddca5ef74f6867025cf94f7a4df74dd7ea5d9b89ad82431cc2d09aaa87055980
Opcode Fuzzy Hash: a42036d8b258193b8d1aaaa6e67a4162d9256c94f94f0de4453a49db2e5b2b67
Instruction Fuzzy Hash: 95D02232384310BBE264B330EC0FFD67B14AB00B00F008A2A7305EA1D0C9F8B810CA08

Function 0079BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0079BE93
GetLastError.KERNEL32 ref: 0079BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0079BEFC

Memory Dump Source

Source File: 00000000.00000002.2204662057.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2204547056.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204798907.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204909800.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2204961050.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 93f47690e1838b4515357b76d93a403cc65d1eb204a028d2e51d9e9fb7cc811f
Instruction ID: 2a2bc78cfc764f16faa3037604e2a6e93dcace010f380db2634a4a7c05a299a9
Opcode Fuzzy Hash: 93f47690e1838b4515357b76d93a403cc65d1eb204a028d2e51d9e9fb7cc811f
Instruction Fuzzy Hash: E341293560020AEFCF219FA4FE88ABA7BBAEF41310F144169F959971A1DB388D00CB51

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2302363506.000001CB5B746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301938960.000001CB5B744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2360389933.000001CB6718E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324771135.000001CB6718E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326521818.000001CB64E42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2360389933.000001CB6718E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2349578016.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363815483.000001CB636B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326521818.000001CB64E42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2373096109.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331069013.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3384528532.000001E4A870A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2373096109.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331069013.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3384528532.000001E4A870A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2373096109.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331069013.000001CB5E58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3384528532.000001E4A870A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2378585542.000001CB648ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348529581.000001CB648ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327108829.000001CB648ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2363247177.000001CB63C97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360389933.000001CB6718E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BEF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2363247177.000001CB63C97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204310986.000001CB63E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209466123.000001CB63E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2388939974.000001CB5BE18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BE9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388939974.000001CB5BEE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49895 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c6f9921d-9f1e-4b00-8216-db10b5eacdb0.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c6f9921d-9f1e-4b00-8216-db10b5eacdb0.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre